Cyber attribution isn’t so important, even for nation states

Australia can pinpoint the individual humans responsible for a cyber attack, according to foreign minister Julie Bishop. You can assume that the other Five Eyes nations — the US, UK, Canada, and New Zealand — have access to that same capability.
“Depending on the seriousness and nature of an incident, Australia has the capability to attribute malicious cyber activity in a timely manner to several levels of granularity — ranging from the broad category of adversary through to specific states and individuals,” Bishop said at the launch of Australia’s International Cyber Engagement Strategy last Wednesday.
“Australia has developed offensive cyber capabilities,” Bishop said. “Having established a firm foundation of international law and norms, we must now ensure that there are consequences that flow for those who flout the rules.”
With such assertive cyber diplomacy, being able to attribute malicious activity is important, of course.
“It’s well and good to have a cyber offensive capability, but you need to know who hit you,” said Peter Coroneos, founder of Coroneos Cyber Intelligence, at the strategy launch. But it may not be as important as we think.
For businesses and other non-government organisations, attribution can even be a distraction, as then Telstra chief information security officer Mike Burgess said in 2015. Time spent on attributing the source of a cyber attack is time not spent on fixing the problem.
According to Australia’s Ambassador for Cyber Affairs Dr Tobias Feakin, precise attribution may not even be needed for a diplomatic or even a stronger response. The question of attribution often “stunts any response”, he said, but maybe “certain paradigm shifts in attribution” could work within a “normative framework”.
That framework would include the 11 international norms for behaviour in cyberspace set out by the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UN GGE) in their 2015 report.
“States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs,” the report said. “States must not use proxies to commit internationally wrongful acts using ICTs, and should seek to ensure that their territory is not used by non-State actors to commit such acts.”
In other words, states need to have “their own backyard in order”, as Feakin put it.
“If attacks are emanating from within your own borders, then you have a prerequisite to tidy those up. Now if you could begin looking at forms of attribution which weren’t quite so specific as to an individual user, [or] an individual IP address, but you understand geographically where that might be, then you can begin to look at what ways that you could respond,” Feakin said.
“It wouldn’t necessarily always be, if you like, deterrence by punishment. There might be ways that you can assist if that country can’t clean up their own mess, if you will.”
Many of the problems could be sorted out through international cooperation, according to David Koh Tee Hian, chief executive of Singapore’s Cyber Security Agency, and Defence Cyber Chief in the Ministry of Defence.
The first step, even before attributing attacks to specific individuals, is determining whether an attack originates from actors in a specific state, or from elsewhere but using that state’s infrastructure.
“In my view, it’s not particularly difficult. It’s just making sure that [each] individual country has basic competency to, as you put it, clean up its own backyard,” Koh said.
In the nine months since Feakin was appointed as an ambassador, Australia’s diplomatic wins have included a cybercrime agreement with Thailand, and even a cybersecurity agreement with China that includes the UN GGE norms, as well as an agreement not to “conduct or support cyber-enabled theft of intellectual property, trade secrets, or confidential business information with the intent of obtaining competitive advantage”.
But on a wider front, progress may slow as the UN GGE process stalls.
“On June 23, after years of slow yet meaningful progress in developing State consensus regarding the application of international law norms to cyberspace, the [UN GGE] collapsed,” reported Just Security.
The problem? Three additions to the list of 11 norms: the right to respond to internationally wrongful acts, which is reportedly a veiled reference to countermeasures; the right to self-defence; and the applicability of international humanitarian law.
“Since no international lawyer can, in 2017, deny their applicability to cyber activities, the failure of the GGE can only be interpreted as the intentional politicisation in the cyber context of well-accepted international law norms,” Just Security wrote.
There is diplomatic progress, but it’s clear to this writer that it’s far, far too slow to keep pace with the technological advances. The Cyber Cold War is moving much faster than the original.