Dr. Georgianna Shea
Source LinkIn an unprecedented show of international coordination, the United States, European Union, and NATO last week attributed the recent hack of Microsoft’s Exchange Server and other “malicious cyber activity” to the People’s Republic of China and its Ministry of State Security (MSS). As attribution is a prerequisite for punishing those responsible, this collective action is a leap forward in establishing international norms and standards in cyberspace.
The White House explained that in the Microsoft breach, MSS-affiliated hackers compromised tens of thousands of networks around the world. The European Union noted that the operation was particularly “irresponsible and harmful” because numerous other hackers have continued to exploit the vulnerability first used by Chinese operatives, causing “significant economic loss.” Meanwhile, in its first-ever condemnation of Chinese cyber operations, NATO stated that this kind of malicious cyber activity “undermine[s] security, confidence and stability in cyberspace.”
These statements by the United States and its allies come months after private cybersecurity and technology firms first pointed fingers at the Chinese government. This delay stems partly from the different ways that the U.S. government and private industry attribute cyberattacks. The U.S. government relies on the intelligence community for attribution based on a combination of signals and human intelligence along with assessments of the tradecraft, infrastructure, and malware the hackers employed.
The private sector, on the other hand, generally makes attributions based on forensic analysis of the malware and the network infrastructure the attackers used. This process is vulnerable to false-flag operations. For example, there is nothing stopping an Iranian hacker from leasing space in China and launching attacks on the United States using known Chinese malware and emulating Chinese tradecraft. If the adversary is sophisticated enough to hack into U.S. systems, it may also be sophisticated enough to conceal the source of the attack. While the U.S. intelligence community can also be fooled, its reliance on a broader array of sources makes it less susceptible to surface-level deception.
Private security firms help limit the impact of breaches by quickly providing information that network defenders can use to detect intrusions. The attribution provided by private industry is useful for understanding cybersecurity trends and similar patterns of activity. Only U.S. and allied attribution, however, will lead to punitive actions to hold malicious actors accountable. In this case, Washington and its allies have yet to announce collective steps to punish China, although the Department of Justice announced separate criminal charges against other MSS-affiliated hackers for stealing “information that was of significant economic benefit to China’s companies and commercial sectors.”
U.S. allies have joined the White House in attributing previous international cyberattacks, but this has always occurred on an ad hoc basis. In its statement attributing the Microsoft hack to Beijing, the White House noted that China’s malicious cyber activity “is bringing [countries around the world] together.” The United States must seize this moment of international cooperation to develop intelligence sharing processes and attribution standards with its allies. In so doing, Washington can streamline the investigation process to ensure a more rapid response to future attacks and swifter punishment for violators of international cyber norms.
No comments:
Post a Comment