- Aug 2022
Declare norms against destructive attacks on election and financial systems.
Possible further norms. Though the more norms they have, the bigger the limitations the US will have on its possible offensive operations referred to above and below. ||AndrijanaG|| ||Pavlina||
balance more targeted diplomatic and economic pressure on adversaries, as well as more disruptive cyber operations, with clear statements about self-imposed restraint on specific types of targets
When it comes to adversaries, a combination of economic pressure and 'disruptive' (read also: offensive?) cyber operations - while respecting the OEWG/GGE norms endorsed by partners.
The question is whether partners (esp. beyond the EU - e.g. India, Brazil) would accept that offensive approach of the US against their adversaries - even if it respects the norms and international law.
Norms are more useful in binding friends together than in constraining adversaries
An interesting and well-articulated point: the US should make sure that friends and partners (in a broader sense - esp. swing states) adhere to norms. They can't expect that Russia and China will adhere, so for them they might need a different approach (combining multiple options, as discussed elsewhere in the document).
- Jul 2022
Its Digital Crimes Unit applies legal and technical solutions to identify, investigate, and disrupt malware-facilitated cybercrime and nation-state-sponsored activity.
This, and the example below, of Microsoft's actions against malicious infrastructure are worth exploring in greater detail. Part of it was taking over malicious domains - that is somewhat legal and certainly welcomed. But were there any 'penetrations' and exploits? I doubt it.
Many U.S. private-sector companies have strong corporate incentives to support conformance with proposed prohibitive norms. Some also have the capacity, capability, and legal standing to engage in responsible, exploitation-based activities.
A very interesting - and, indeed, dangerous - claim that companies have legal standing to engage in 'responsible, exploitation-based activities' against malicious actors.
Does Microsoft really have legal grounds to exploit any system (be it malicious or not) in another state - or even in the US? (Not to ask whether this goes against its own philosophy against exploiting vulnerabilities and vulnerable systems.)
Do Huawei or Kaspersky have legal grounds to exploit systems in the NL or the US - systems that they, or their governments, deem malicious? What would the US say on such an occasion (even if they dismantle a C2 based in the US - which is, btw, host to the majority of malicious C2s)?
From the US defence perspective, this is, of course, very acceptable. From an international perspective - including legal and diplomatic - this is very problematic. It could actually put private sector actors on the list of 'non grata' for many other countries, as they will be seen as breaching the sovereignty of states. It is counter-productive.
This is not to say that such cooperation - and overall 'defence forward' - against malicious actors is the wrong way to go. It is not about 'if', but about 'how': if it is unilaterally done by the US (and allies), it resembles the US political and military dominance of the 21st century - its understanding of its role as international policeman. We have seen where that led geopolitically.
It is much better to approach this 'new approach' through garnering broader international support for such actions - even through the UN. It is slower, but more legitimate and with fewer risks of escalation and further political polarisation.
||JovanK|| ||Pavlina|| WDYT - from legal and political perspective?
CYBERCOM’s hunt-forward operations enable anticipatory resilience by discovering adversary malware, techniques, tactics, and procedures as well as indicators of compromise and releasing this information through VirusTotal and Cybersecurity and Infrastructure Security Agency (CISA) alerts to inoculate U.S. companies from malicious cyber activity.
This is, however, different from active attacks: this is information sharing, which is - no doubt - very efficient and needed.
The FBI itself recently removed the CyclopsBlink C2 malware associated with a Russian APT-built botnet off of thousands of devices before it was activated toward malicious ends. It also closed the external management ports being exploited to access the C2 malware.
Another useful example
For example, to preclude technical disruption and interference in the 2020 U.S. elections, CYBERCOM reportedly engaged in an operation to temporarily disrupt what was then the world’s largest botnet: Trickbot.
The U.S. Department of Defense’s defend forward cyber strategy as operationalized by U.S. Cyber Command’s (CYBERCOM) doctrine of persistent engagement embodies the notion of achieving security through responsible, persistent exploitation-based operations, campaigns, and activities.
Link to US 'defence forward'
Cultivating conformance through a cyber persistence-based approach should aim to coordinate campaigns among government agencies with cyber capabilities and authorities and, where possible, with private-sector actors that have legal standing to engage in such behavior
Another explanation of 'cyber persistence' concept
overt naming and shaming, which seeks to exert such pressures to achieve conformance, may be counterproductive to stability
Valid point - naming and shaming attacks a reputation (and often without publicly valid evidence), which doesn't help de-escalation.
Covert operations scholarship suggests that secrecy dampens risks of instability by reducing potential pressures from domestic or other audiences and by allowing states to manage reputational concerns. Leveraging the “open secrecy” of persistent cyber campaigns is thus not just a more promising approach but also a more prudent one.
Interesting point on covert operations, and the importance of reputation! When it comes to espionage and eventually striking malicious infrastructure, this may make sense. But if the strike spills over to an infrastructure that is critical or public (say: adversaries use a hijacked public infrastructure of a country - a hospital network or other - as part of their C2) covert wouldn't be covert any more, and could actually be both embarrassing and dangerous.
It is time better spent tacitly communicating to the malicious source by exposing, disrupting, and contesting threatening behaviors.
One 'problem' with many such analyses is that they only observe the US perspective. This is not healthy even from the military point of view, let alone from the diplomatic point of view (norms), which should strive towards a compromise.
Let's put ourselves in the shoes of the Russians, or the Chinese. For them, the threat is not cyber groups, but Microsoft, for instance. Microsoft is vulnerable; Microsoft is dominating the market and imposing solutions; Microsoft is engaging against their sovereignty... Whether we agree or not with this stand, we have to understand their view. Using this strategy, the Russians would legitimately act against a threat to them: Microsoft. Or the CyberPeace Institute. Or any other institution which they deem causes a threat to them.
If we 'legitimise' intrusion into other systems as defence, it may have a counter-effect of escalations, and setting erroneous precedents.
revealing publicly indicators and warnings of malicious activity, the techniques, tactics, and procedures associated therewith, and malicious malware itself that was discovered after an opponent’s intrusion or in anticipation of one
This is the second part of the suggested strategy - besides attacking malicious actors: it boils down to publishing the known details about the threat actor and threat infrastructure, and sharing all this intelligence among various actors. This information exchange is indeed a cornerstone of better protection.
set security conditions in one’s favor by exploiting adversary vulnerabilities and reducing the potential for exploitation of one’s own
This might look meaningful from the US perspective. But if you were to put this in the mouth of, say, the Russians - the US would be heavily against it. So 'it is in the eye of the beholder'. It is rather a military (zero-sum) than a diplomatic strategy (win-win).
exploiting and then closing a vulnerability for the sole purpose of removing malicious malware
In theory, this looks smart: you attack the attackers. There are good examples of successful campaigns (also illustrated below).
In practice, it is not so smart: any exploitation of an existing vulnerability involves developing an exploit - usually a sophisticated one, if developed by the US security services, say. That exploit can leak (as we have seen before, from CIA stockpiles), and can get into the hands of malicious actors, including petty criminals (we have seen that as well).
That's why 'closing a vulnerability' is done - to prevent this? It can't work. Even though 'zero days' are the most dangerous ones, most exploited vulnerabilities are actually years (and even decades) old - a CISA list of most exploited vulnerabilities, which it publishes regularly to motivate the CI sector to patch, shows just that. Thus there is no way to instantly close an old vulnerability around the world (even in the US) - and creating a powerful exploit for it doesn't help at all. If it is about a zero-day exploit, it is certainly welcomed that it would be reported to a vendor, which would immediately patch it - but again, the existing exploit is even more dangerous, since the patching process will take years.
In a word - very dangerous strategy.
persist and responsibly leverage exploitation-based activities that preclude, inhibit, or otherwise constrain behaviors inconsistent with proposed prohibitive norms.
Basically, using activities that inhibit irresponsible behaviour.
cyber persistence, which manifests as a threat through the malicious exploitation of cyber vulnerabilities.
New concept explained below - basically, 'defence forward', i.e. a) attacking malicious groups and infrastructure preemptively and b) sharing publicly information about those structures and attacks.
All three mechanisms have a poor track record, in isolation and in combination, for cultivating conformance by malicious state and non-state actors with proposed prohibitive peacetime cyber norms.
Gut feeling is that this is right - there is no high adherence to cyber norms. Here, an Oxford article is added to support this argument.
Unlike the U.N. GGE and OEWG products, the GCSC report proposes prohibitive norms addressing ongoing destabilizing behaviors.
Good point that GCSC norms are more 'down to earth' and reflect actual problems.
States are engaging in a range of cyber behaviors that undermine peace and stability, but these proposed prohibitive norms do not address those behaviors. There is no reported instance of states engaging in cyber operations against another state’s cyber emergency response teams or using their teams for malicious purposes. And, although states have targeted critical infrastructure in armed conflict and non-state actors have done so in peacetime, the proposed prohibitive norms are not framed in a manner addressing that context or those actors, respectively.
Interesting observation: that the current prohibitive norms of the GGE/OEWG actually mis-shoot. The example on CERTs is a good one: while this norm is important, it doesn't reflect the reality (there were no documented cases). The one on CI, however, doesn't stay: this is the major issue between the US and Russia - it is a valid norm.
Interesting blog that comments on the lack of conformance of states to cyber norms: that the OEWG/GGE norms don't reflect the reality of attacks, while the GCSC norms, which reflect it better, are not in the game; and on the three ways conformance is currently cultivated (persuasion, socialization, and incentives) - all three failing.
Then, it proposes 'a new way' which should complement this process of turning norms into customary law - by inhibiting the ability for misbehaviour/irresponsible behaviour. This should be done through 'defence forward': actively disrupting malicious groups and their systems (malware, botnet C2 infrastructure, etc.) before they strike (including through exploitation of vulnerabilities!), and publicly disclosing the information about such operations. To them, this would support better conformity to norms (by preventing them from misbehaving?).
There are a number of valid points in the doc. But there are also many problematic ones; to start with - do you, by preventing someone from misbehaving, actually promote adherence to norms? Or are these two distinct issues - norms, and defence/military strategy?
I added a number of comments throughout.
||Pavlina|| ||AndrijanaG|| ||JovanK||