The political considerations of constructing a network attack response framework

Posted by santillano at 2020-03-21

Like all kinds of attacks, cyber attacks cannot be separated from international relations, national strategies and geopolitics. All kinds of affairs related to cyberspace have become an important part of high-level political games. Countries have constantly taken various strategic and tactical means to fight for the dominant power of cyberspace in order to achieve their political goals and seek geopolitical advantages, especially the network issues related to the core of national diplomacy and security policy. With the increase of the number of offensive cyber attacks, policy makers must actively respond to cyber attacks. Starting from different levels of cyber politics, a cyber attack response framework suitable for dealing with the escalating cyber events should be constructed.

I. The political motive of cyber attacks

In addition to the spontaneous network attacks of network hackers and a few organized network economic crimes, the vast majority of organized network attacks have clear political motives, which are the extension or representation of international political games, national intelligence activities, military actions and terrorism in cyberspace, and also the inevitable result of the confrontation between political groups.

1. Behind the cyber attack is the game of international political power

A cyber attack is not only a technical act in cyberspace; it also carries political interests, and its ultimate goal is to achieve some political objective. Some of these objectives are explicit, some are not, and some directly affect international relations. During the conflict between Russia and Georgia in 2008, hacker organizations used malicious software to attack Georgian government websites, and later targeted Ukrainian government organizations, mainly for covert information theft and sustained attacks.

In 2015, Ukraine's power grid was attacked by hackers, making it the first cyber attack ever to cause a power outage. According to John Hultquist, head of cyber espionage intelligence at the US information security company iSIGHT Partners, the attack came from Russian hackers, and the malware used, BlackEnergy, can be traced back to 2007; it was originally used to build botnets and carry out DDoS attacks on chosen targets, and later turned toward political targets.

The Qatar diplomatic crisis of June 2017 was triggered by the hacking of the Qatari government's social media and news websites and the posting of fake news claiming that the Qatari head of state supported terrorist organizations. Despite Qatar's explanation, it was this incident that led to the rapid deterioration of relations between Qatar and other Middle East countries. Many countries announced that they were severing diplomatic relations with Qatar, resulting in the most serious diplomatic crisis in the Middle East in recent years. By the end of the year, the crisis had still not been settled. From all kinds of data we can find countless cyber attacks caused by the confrontation of international political forces.

2. Cyber attacks are closely related to intelligence and military activities

Cyber attacks are regarded in some respects as intelligence activities, while the traditional view is that espionage is a kind of game that does not trigger a state response. In 2010, Iran's nuclear facility at Natanz was attacked by the Stuxnet virus, which is generally believed to be the result of cooperation between US and Israeli intelligence agencies. At the same time, the incident revealed the great danger of cyber weapons. In this sense, the incident involves not only intelligence agencies but also cyber weapons that may trigger military operations.

According to the Washington Post, during the 2017 French presidential election, Putin strongly supported the former leader of the National Front, Marine Le Pen, and met with her in the Kremlin. On the eve of the vote, Macron's campaign team suffered a large-scale cyber attack: a large number of the campaign's internal documents were released, and the leaked material also included forged letters. Reuters reported that the findings of a US internet intelligence company showed that the perpetrators of the attack were linked to the Russian intelligence agency GRU.

Because encryption has become widespread, the effectiveness of signals intelligence is in question, and cyber attacks are therefore regarded as a more effective way of collecting information in the network era. However, given the asymmetry of cyber attacks, this way of obtaining information will in practice accelerate the arms race at the strategic level. According to media reports, in 2011 the Obama administration held a fierce debate on whether to launch a cyber attack on Libya to destroy the government's air defense system. Speaking at the Asian security conference, US Defense Secretary Robert Gates made clear for the first time that once cyber attacks from other countries were confirmed, he would "regard them as acts of war and fight back". It can be said that the boundary between cyber attack and modern military war has become increasingly blurred.

3. Cyber attacks may escalate to cyber terrorism

There are many similarities between cyber attacks and cyber terrorism. If the perpetrator of a cyber attack is a terrorist organization, the attack itself is terrorist in nature, and a cyber attack may even escalate into a cyber terrorist attack. The attack on Charlie Hebdo in 2015 and the hacker attack on Sony Pictures were both accompanied by the shadow of terrorism.

In January 2015, Charlie Hebdo posted a cartoon on social media ridiculing Baghdadi, the head of the Islamic State; an hour later, terrorists committed a tragedy. In the four days after the attack on Charlie Hebdo, about 20,000 sites in France were hacked. The act is believed to be the terrorists' response to the Republican march. The contents of the attacked websites were replaced with material promoting terrorism and religious extremist forces, and even contained death threats announcing new terrorist attacks.

In 2015, Sony Pictures was attacked by hackers for producing "assassinating Kim Jong Il". In a written letter to US lawmakers, Sony described the attack as a "premeditated and extremely professional cyber crime" and for the first time used the term "cyber terrorist", arguing that the incident was committed by members of the hacker group Anonymous. US media reported that the US response measures included re-listing North Korea as a "state sponsor of terrorism", adding new economic sanctions against North Korea, carrying out "information operations" aimed at the North Korean people, launching countermeasure consultations with Britain, Japan, South Korea and other countries, and asking China and other countries to provide assistance, covering diplomatic, economic, intelligence, military and other means.

II. Political factors that must be considered in response to cyber attacks

Any organized attack in cyberspace may conceal a political purpose. Jarno Limnéll, a professor of cybersecurity at Aalto University, Finland, published an article entitled "Appropriate Response to Cyberattacks" proposing that policy makers need to consider five variables when deciding how to respond to a cyber attack: who did it, what impact it had, what means could be used, what the policy guidelines are, and the urgency of the response. He also proposes a political response framework for cyber attacks. Many political factors must be taken into account in each country's cyber attack response decisions. We therefore propose that five political factors must be considered in cyber attack response: attribution analysis of the attack, assessment of its consequences, formulation of the response policy, selection of the response means, and selection of the response time.

1. Attribution analysis of network attack

"Who is our enemy and who is our friend is the primary issue of the revolution", and it is also the primary issue of cyber attack and response. Because of the openness of cyberspace and the concealment of attack behavior, attackers can cover their tracks by routing through servers around the world, so the server traced as the source of an attack is not necessarily the initiator. Political considerations therefore become the most basic premise of attribution analysis of cyber attacks, mainly including:

First, the political motivation and main beneficiaries of a cyber attack should be judged comprehensively from the perspective of global politics and national interests: who is most likely to launch an organized cyber attack, and who benefits most from it.

Second, attribution analysis of cyber attacks needs the support of multi-dimensional strategy and intelligence resources, including strategic support from national laws, international treaties, geopolitics and policy strategies, as well as corroborating evidence from multiple information sources such as forensic evidence collection, human intelligence, signals intelligence and historical intelligence.

Third, successful attribution analysis also needs the strong support of national government institutions and close cooperation of all departments at all levels, involving many factors including comprehensive national leadership, fine-grained management, stress testing, prudent communication and time coordination. Without the participation of government departments, "real-time, highly reliable network attribution will be very difficult". Mike Connor, former director of the US National Security Agency, once said: "The dilemma of network attribution is caused by the design of the Internet. Unless the Internet is rebuilt, the problem of network attribution will never be solved."

2. Network attack consequence assessment

Consequence assessment is an important basis for cyber attack response decisions. Decision makers need to understand the impact of an attack and assess its consequences accurately in order to determine the type and level of response. Once decision makers respond to a cyber attack, the response feeds into future cyber capacity-building policies, which may increase the probability of attack, raise the possibility of an asymmetric arms race, and may also lead to a loss of cyber deterrence. Moreover, consequence assessment should consider not only the economic loss caused by the attack but also the macro and long-term political gains and losses.

Assessing the consequences of a cyber attack involves great uncertainty. On the one hand, the start and end times of an attack are difficult to determine, and its scope, consequences and influence are also uncertain. For example, it took the Saudi authorities about two weeks to understand the scope of the damage caused by the Shamoon virus incident in 2012, which led to the wiping of data from 30,000 Saudi Aramco computers, making it harder to accurately assess the damage and long-term impact. The reality is that many companies, governments and organizations do not even realize they have been attacked until months or years after the intrusion.

On the other hand, accurate assessment of the impact and consequences of cyber attacks requires multiple corroborations. Generally, the physical impact of a cyber attack is easier to evaluate. When the effect of an attack is unclear, it is difficult for decision makers to determine whether it reaches the threshold for a response. Even when the consequences can be clearly foreseen, various related factors must be considered before taking response measures. In a statement, Max Cheng, Consulting Director of Trend Micro, said that in 2017 the problem of cyber attacks on global enterprises was very serious and growing. According to Indian media in September 2017, global enterprise losses caused by cyber attacks amounted to 4 billion US dollars in the first half of 2017.

3. Network attack response policy making

The policy response to a cyber attack is determined by many factors, including national interests, international relations, the degree of damage, the level of one's own network technology and protective capability, and so on. Decision makers should therefore carefully weigh the advantages and disadvantages before deciding on a response. They must not only respond properly and relieve the enormous political pressure, but also show a degree of political wisdom and restraint, because the result of escalation is often worse than that of restraint, and restraint may sometimes be a more powerful way to demonstrate the strength of the state.

On the one hand, policy makers need to consider their national security and cybersecurity strategies, which are general policy guidelines embodying the political will of the country. Countries need to develop dedicated plans for cyber attack response, including a detailed description of the extent, means, consequences and impact of cyber attacks. According to the cyberspace action strategy released by the United States in 2011, some serious cyber attacks will be regarded as acts of war, and the United States will use missiles and other high-tech weapons to strike hostile countries.

On the other hand, if a country is a member of an international alliance or organization, it must also take the policy guidelines of that institution into account when formulating its cyber attack response policy; otherwise it could be accused of not complying with international conventions. Countries around the world therefore need to pay attention to cyberspace security defense systems and capacity-building, and especially to the decisions and strategies for responding when attacked.

4. Choice of response means for network attack

In September 2017, Gadi Evron, CEO of the internet security company Cymmetria, and Boaz Dolev, CEO of ClearSky, jointly wrote an article analyzing whether the United States would launch a cyber attack on North Korea. In October, Trump authorized US Cyber Command to launch a sustained DDoS attack on the North Korean Reconnaissance General Bureau. Although the impact of the attack on North Korea was limited, it is considered a retaliatory act. The means that decision makers choose for responding to cyber attacks include not only traditional patterns of state behavior but also other means shaped by cyber-political factors.

First, the existing paradigms and means of state behavior. Decision makers can respond to cyber attacks by at least four means: diplomatic (foreign policy, including diplomatic communication, warnings and sanctions), intelligence, military and economic. Policy makers need to weigh the consequences of each response measure against the international situation and the relations between the countries at the time. In July 2017, the US Senate overwhelmingly passed a sanctions bill against Russia and other countries; under the bill, the United States added economic sanctions against Russian individuals and entities on the grounds that Russia was suspected of interfering in the 2016 US presidential election and in the Ukrainian crisis.

Second, the combination of network and non-network means. The response to a cyber attack is not limited to cyberspace; it can also use other, non-network means. The key is to weigh network, physical or other countermeasures against one another. It is also possible to carry out network response measures through proxy hacker groups, but this approach makes the consequences of the response harder to control and may escalate the exchange of cyber attacks.

Third, the combination of public and non-public response. A cyber attack response can be public or covert. Covert responses using network means may involve cyber espionage, and countermeasures are rarely announced to other countries in advance. Public responses are often accompanied by formal statements and rituals, such as press releases through the media or warnings through diplomatic channels, and their purpose is not revenge.

5. Network attack response time selection

Time is an important factor in the response to cyber attacks. Especially when the impact of an attack is public, a response that is not fast enough means a loss of the government's political credibility. At the same time, the government also needs to pick the right moment to take response actions, because political opponents may seize the opportunity to make an issue of the incident and exert greater political pressure. In short, cyber attack response involves not only the specific timing of the response measures but also the choice of when to respond at all.

Analysis of Russia's attempts to interfere in the 2016 US presidential election through cyber attacks shows that, judged by their overall characteristics and attack characteristics, the attacks of Russian cyber forces and hackers are often driven by profound political factors. By attacking political enemies and interfering with political candidates through cyber means, Russia can effectively steer online public opinion, tilt the balance of the game in its own favor, and thereby safeguard its national security and core interests in the international and domestic political arena.

In the United States, more than a year has passed since the incident, and no appropriate response decision has been made against the parties involved. Although it is an objective fact that the United States cannot implement an appropriate response when the attribution and consequences of a cyber attack are difficult to determine, in practice the United States has lost its political opportunity.

III. Building a political response framework for cyber attacks

Because of the global connectivity of the Internet, a country's cyber attacks and its responses to them affect the countries involved, and sometimes even change the international political situation and pattern. Since a cyber attack response "pulls one thread and moves the whole body", the international community needs to build consensus, cooperate, and jointly construct a political response framework for cyber attacks. Based on the analysis above of the political motivation of cyber attacks and the political considerations that a response requires, we believe that the political framework for cyber attack response should include at least the following:

1. Political level of network attack response framework

To establish a political response framework for cyber attacks, the extent and severity of the proliferation and escalation of attacks should be considered together with the different levels of cyber politics, the degree of traceability, event impact, policy choice, security risk, security strategy, international law and other elements, so as to inform the decision whether to respond or not. Article 51 of the Charter of the United Nations provides that states retain the right of self-defense in the event of an armed attack. If a cyber attack reaches the level of an "armed attack", the victim state can exercise the right of self-defense, including the use of force; however, the international community has not reached consensus on the legal definition of an armed attack in cyberspace. Given the current state of global development in this field, countries' responses to cyber attacks are therefore based mostly on their own national conditions. Moreover, the interaction between the online world and the real world should not be viewed in isolation from actual political decision-making.

2. Political means of network attack response framework

Under the political response framework, the more serious the cyber attack, the stronger the response should be, ranging from peaceful means such as media statements to the use of military force, and including the selection of an appropriate time and opportunity, the adoption of covert and/or open means, and the assessment of the response's consequences according to the actual situation. Cyber attack response requires governments to make a series of complex decisions, from judging the accuracy of attribution and the severity of the attack to assessing a proportionate response and the risks of the action plan. In addition, kinetic and non-kinetic means must be assessed, and the increasing political pressure these means generate over time must be considered. Every decision carries inherent political and legal risks, and the risks grow with the level of response. Policy makers should therefore have a clear understanding of the cost of responding, because the response decision will affect the country's diplomatic relations, reputation, rights and interests, as well as its military and information operations.

3. Principles of network attack response framework

In addition to the political levels and political means described above, the political response framework for cyber attacks should also include the principles to be observed when making response decisions, including:

Cost principle. Decision makers and policy makers should assess the cost of responding to cyber attacks. The cost principle covers not only evaluating the loss caused by the adversary's attack before acting, but also the consequences of the response measures themselves. This process involves input from decision makers, relevant government agencies and private enterprises.

Boundary principle. Faced with the challenge of provocative cyber attacks, countries need to define acceptable and appropriate boundaries for their response. Each country should formulate its own policy response framework according to its own cultural, political and military characteristics. In the future, cyber politics will matter even more, because it is ultimately political factors that determine whether cyber attacks are acts of war or something else; policy makers must redefine "cyber war" or "cyber conflict" and develop more specific strategies, tactics and measures accordingly.

"Red line" principle. The cyber attack response framework should not be regarded as a political "red line" for specific responses, but as the bottom line of network confrontation that both sides should consider. On the one hand, drawing a "red line" warns the adversary not to cross it and reminds them to consider self-protection, reduce political risk or preserve credibility when conducting network operations. On the other hand, setting a "red line" sends a powerful deterrent signal to hostile forces: if they cross the line, the country will respond.

Principle of initiative. A passive stance toward cyber attacks may encourage the opponent to act more aggressively. Decision makers therefore need to actively make the appropriate choice in responding to a cyber attack. Under the cyber attack response framework, decision makers need to consider the existing response elements comprehensively and analyze the possible consequences before responding. By settling the principles of response in advance, countries and governments can avoid hasty decisions that may endanger their political, economic, intelligence and military interests.

Principle of cooperation. Responding to cyber attacks is not a matter for one country alone; it needs the cooperation of all parties. At the Cloudflare Internet Summit in September 2017, Avril Haines, former deputy director of the CIA and deputy national security adviser in the Obama administration, said that in the face of cyber attacks the United States is more vulnerable than any other country in the world: "In the area of the Internet, we are trying to clarify what constitutes 'the use of force', but we are far from that." Haines was referring to the "use of force" in cyber attacks and explained the threshold: a cyber attack that has the same impact as a bomb blast, one that "blows up" a piece of infrastructure. Although it is easy to regard the network as a battlefield, it is more important to ensure that cyber attack response is not understood as something conducted only through the network. We believe that, above all, the international community needs to develop a cyber attack response framework in which all countries participate.

(Source: China Information Security, issue 12, 2017)