Cyber security is a fascinating topic and the debate on cyber security in respect to Taiwan is very much needed. Thus, it is always good to see elaborated argument such is the case of Yau Hon-min’s reaction to one of the authors’ piece for Thinking Taiwan. Hon-min added some great points on a wide range of related issues such as damage assessment from the perspective of the attacker, further elaborate on the attribution problem, its implications for how states do react to cyber-attacks, and last but not least the very interesting debate on cyber warfare and rules of law, codified in international treaties and customary alike. However, some of his arguments are problematic in one way or another.
It should be stressed that nowhere in the original piece there is an argument that China is the only cyber threat to Taiwan. Cyber-attacks are not just limited to targeting military or governmental institutions in order to either obtain classified information, sabotage defence infrastructure, or deface websites. Large chunk of world-wide cyber-attacks are various forms of corporate cyber-attacks. Scrupulous entrepreneur entities routinely employ Cyber Threat Actors (CTA) against their competitors. Let’s not forget that Taiwan’s cyberspace constituted significant amount of virus samples in Southeast Asia.
However due to the prevalence of cyber-attacks, we shall limit ourselves in this discussion within the realm of cyber-espionage, where CTAs conduct systematic attacks against another foreign country, i.e. its governmental, military, or infrastructure targets, with the backing of a state. What we would argue is that in cases of specific targets of government or military nature in Taiwan, Beijing is the most likely culprit, an assumption supported by various Advanced Persistent Threats (APTs) been attributed to PLA actions over the years.
Hon-Min’s observation that “international politics do not play by the rules of the criminal court, and simply looking at the tensions, motivations, and costs that lie behind the issues, we may better understand why things happen in cyberspace the way they do,” is spot on and in Taiwan’s case (and given specifics of the respective target) it would be certainly easier to conclude who is behind the attacks. Yet, having good guess evidence does not make. China (or any other perpetrator) will always have plausible deniability. Let’s take the Apple Daily attacks in 2014 as an example. Was it the work of the Chinese state, the People’s Liberation Army, or intelligence services? Or were the perpetrators private citizens? What if some of the attacks were committed by Chinese citizens residing in third countries? What exactly then is the responsibility of Chinese state? What would be the responsibility of third countries that happened to host one of the attackers? These are all questions that state authorities of a country that experienced serious cyber-attack have to deal with. SONY Pictures attack is actually great example of how problematic the attribution is. The US government asserted that North Korea might be behind the attack, however experts expressed serious doubts about the allegation.
Even in the case where the attribution appears to be clear, where the Command & Control domains, CTA IPs, or even operator codenames were readily available, such as the highly publicized Mandiant APT1 report exposing the People’s Liberation Army (PLA) Unit 61938, it would still not constitute an evidence beyond the shadow of a doubt for various reasons, not the least of which would be how such information were collected.
The attribution problem echoes debate within NATO on whether cyber-attacks could constitute activation of Article 5 of the North Atlantic Treaty. Debate that intensified in the aftermath of cyber-attacks against Estonia in 2007 and Georgia in 2008. The broader question is – as Hon-Min accurately points out – how would (or should) states react against cyber-attacks? “Can Iran declare war on the U.S. or Israel? Why hadn’t Iran do so? Could the U.S. or China justify aggression on the grounds of a Stuxnet-level cyber-attacks?” The crux of the difficulty in answering these questions lies in the attribution of an attack and the difficulty for defender to conduct damage assessment in a timely fashion. Whereas attribution is crucial for the identification of the attacker, damage assessment is important for crafting a proportionate response. If the damage is clear after few months of careful analysis, and the attacker is identified as a foreign government following thorough investigation that takes months at least, and assuming that it is possible to gather enough evidence, what would be the appropriate reaction when the momentum of the attack has been long gone, and/or the information has already been compromised?
Questions pertaining to how states or organizations like NATO should react have not been resolved and unless defensive measures become so sophisticated that the attribution would be possible within hours or days, and not months or years, it is safe to assume that we won’t have clear answers in the foreseeable future.
Moreover, states tend not to declare wars even in case of ‘conventional’ acts of violence. Did Libya declare war on the US in 1986? Did US declare war on Afghanistan in 2001? Did Syria declare war on the US or Turkey this year? If states are apparently hesitant to resort to declaration of war even in case of obvious armed attacks against their territory (if not sovereignty), why and based on what criteria would they declare war on each other in the aftermath of cyber-attacks?
This problem changes when cyber-attacks are part of preparation for and commencement of hostilities. It was in this context that pre-planted viruses as a method of exposing opponent’s defences were mentioned in the original piece. Of course, not all pre-planted viruses are preparation for war, as most of these attacks in recent times were actually cyber-espionage operations. However, it is very likely that in the future, states would do just that before they proceed with physical violence, as indicated by the recently exposed Operation Cleaver, when South Korean infrastructures, including air traffic control, was compromised by actors with suspected connection to Iran, and with possible North Korean support. It doesn’t take a great stretch of imagination to see the potential utility of having such control over one’s adversary during a wartime scenario.
Much of the argument in the original article, however, is focused on peace time state-state cyber-attacks, as even a wartime utilization of cyber-attack would require extensive preparation and infiltration during peacetime, just like any intelligence operation. Hon-min is correct to point out that Taiwan needs to be careful not to appear as the one who initiates the conflict. When the original piece argued that “During conflict or immediately before the commencement of hostilities, the incentive to hide one’s actions is greatly reduced and the attacker may concentrate on brute force with the help of pre-planted viruses, worms, and Trojan horses inside an opponent’s computer systems,” it had China’s combined kinetic and cyber-attack on mind. It is still safe to argue that at the outset of war, aggressor does not need to hide in cyber shadows anymore because anonymity is no longer an issue when the cyber-attack is part of large-scale use of force across all physical domains. Standard techniques such as masking IPs and utilizing compromised domain as Command and Control (C2) would no longer be necessary.
Such inherent difficulties with attribution makes the question of whether Taiwan should conduct peacetime cyber operations perhaps a little naïve. How do we know that Taiwan is not already conducting such activities right at this very moment? Almost every other nation does. We do not necessarily need to talk about causing infrastructural damage, since persistent cyber-espionage operations provide arguably much more benefit then an attack against infrastructure resulting in physical damage. The distinction between cyber offense, cyber defence, and cyber espionage is unimportant, as in reality the applicable skills and infrastructure are much the same. A good cyber-attack against physical infrastructure cannot proceed without persistent cyber espionage operations, providing access, conducting reconnaissance through lateral movement and/or privilege escalation within the network. Good cyber defence cannot hope to succeed without occasional offensive campaigns against CTA’s C2s in order to obtain crucial information for threat intelligence. This is a bit of a different picture than what Hon-min would have us believe, i.e. where Commercial off the Shelf (COTS) technology would ensure a “reasonable” amount of security. In fact, such a precarious escalation of threats has made the acquisition and merchandising of threat intelligence one of the fastest growing cyber security sectors.
The reality is that no state would openly acknowledge that it is engaging in cyber-attacks. Institutions like NICST or Taiwan’s national CERT indeed list defence as their mission and that is how it should be. NICST specifically is just a coordinating agency under the Executive Yuan, thus it has no in-house capacity for either cyber defence or offense. Moreover, expecting CERT, National Security Bureau (NSB) or any other relevant agency to acknowledge offensive cyber actions or cyber espionage is not realistic. Furthermore, the attribution issue works the other way round too. It is rather conservative to assume that Taiwan is engaging in cyber-attacks.
Suggestion that non-selective cyber-attacks might be considered a war crime if they spiral out of control does not hold water as only a deliberate attack would be considered illegal. It is certainly intriguing to consider outlawing cyber-attacks on the ground of the impossibility to control the consequences, even though actions with this potential account for rather small portion of existing threats, and could be easily remedied in a timely fashion once exposed. However, that would require an international consensus and the creation of new rules regulating cyber warfare. Moreover, it is not clear if Hon-Min refers to war-time situations, or – and this would appear to be the case – generally refers to any attack that might result in damage to civilian infrastructure. However problematic that might be, it could hardly be considered a war crime if the attack does not occur as a part of ongoing kinetic hostilities. It is the same problem as with NATO debate on activation of article 5: no consensus whether cyber-attack is a form of an armed attack, and even if there is a consensus, we still have to deal with damage assessment and, yes indeed, the attribution.
We would agree that DDoS attacks as one of the more common forms of cyber-attack are no laughing matter. However, their impact, and psychological impact in particular, has been so far limited and context-dependent. Let’s bring up the Apple Daily attack again as an example. It only confirmed existing negative perception of Beijing interference on the side of the protesters and for news site like Apple Daily, being under attack for what they report, is not entirely a bad situation, however inconvenient it is for their operation. (Note: as one of the authors actually worked inside the Next Media group – an owner of Apple Daily, we could attest to the regularity and the ineffectiveness of such attacks, which amounts to nothing more than simple annoyance most of the time). To say the least, it means they do something right. Could DDoS attack be more spectacular and cause long disruption of services and thus having more lasting psychological impact on a broader population? Yes, it could. However, real threat from DDoS is still when they are part of broader military activity thus contributing to pressure on private, governmental, and military information infrastructure.
Finally, it may be true that in individual cases defence is cheaper than offense. However, that is definitely not a rule and Stuxnet example – as noted by Hon-Min – takes into consideration only presumed costs of research against off the shelve protection measures. This assumption greatly underestimated the flexibility of the extraordinary resources devoted into the continued operation and evolution of a cyber-weapon such as the Stuxnet. Whether Iran could do better and cheaper if it was merely managing better its network may be a valid point. But it is also a conjecture. Iran did not and damage was done. Moreover, if Stuxnet was a test for further research than the cost issue becomes even more complicated. However, what makes the attacks cheaper is that the perpetrator is the one with initiative whereas defender has to build multi-purpose protection and even that is no guarantee if attackers is able to infect system from within, as one could not possibly defend against the “unknown unknowns.”
What Hon-Min’s piece clearly exposes is that there is lack of definition, lack of consensus, and basically no regulation. This also result in whole set of dilemmas for policy makers, namely how to secure nation’s information infrastructure under lawless conditions which are both curse and a blessing. It would be detrimental to Taiwan’s security to posit itself as a good sheep amongst pack of wolves, especially if its main source of cyber threat has plenty of resources and is not shy of using them.
Michal Thim is a postgraduate research student in the Taiwan Studies Program at the China Policy Institute (CPI), University of Nottingham, a member of CIMSEC, an Asia-Pacific Desk Contributing Analyst for Wikistrat and a Research Fellow at the Prague-based think-tank Association for International Affairs. Michal tweets @michalthim.
Liao Yen-Fan is a Taipei-based analyst for the Cyber Security firm Team T5, specializing in cyber security, air power and Taiwanese military. He can be reached for comment at firstname.lastname@example.org
Thanks for your inputs to the dialogue. The following are my responses.
First, I certainly recognize that threats to cyberspace can be either state or non-state actors, and activities can range from cyber crime, cyber espionage, cyber terrorists, or even cyber warfare. As you start your previous article by stating:” The last large-scale outbreak of hostilities was the 1958 Taiwan Strait Crisis and minor clashes throughout the 1960s…….,” I was assuming that within the context of your discussion, a state-sponsored attack is the focus. As you also rightly pointed out, “the main challenge is defending against Advanced Persistent Threats (APT) attacks that require levels of sophistication that are typically out of the reach of disgruntled individuals,” I also agree with Vice Premier Simon Chang’s assessment. But It is always great to have your point clarified.
Second, in terms of the attribution issue in cyberspace, I acknowledge that common conception is that attackers in cyberspace have ” plausible deniability”. It is true that NATO did not activate the Article 5 of the North Atlantic Treaty in 2007 Estonia event, but I will argue that attribution is not the only factor driving NATO’s decision. Especially when we compare 2014 Apple Daily attacks with SONY Pictures attack, we can see very different outcomes. The alleged attacker, China, can get away from the accusation, but the North Korea was further sanctioned by the US. In 2014, five members of PLA officers from Unit 61398 were charged by the US for cyber espionage. Something tells me that “plausible deniability” works differently today in international politics, and I believe Taiwan needs to be careful of such observation. I actually agree with your point “states tend not to declare wars even in case of ‘conventional’ acts of violence”. Would this point be useful in thinking about the issue of ” plausible deniability”?
Third, in terms of “who starts the fight”, my point is when an attacker pre-plant a malware during the peace time with the intentions of probing the vulnerabilities of the adversary, could the attacked adversary claim itself under the aggression of a certain state actor and retaliate with a proportional response since no one actually know the extent of damage except for the victim (adversary) itself? 2014 SONY Pictures incident seems to suggest an interesting development.
Fourth, you mention:” Such inherent difficulties with attribution makes the question of whether Taiwan should conduct peacetime cyber operations perhaps a little naïve. How do we know that Taiwan is not already conducting such activities right at this very moment”? There are actually three elements in this question, and they are “attribution in cyberspace”, “Taiwan’s peacetime cyber operation”, and “how do we know Taiwan is not doing”. I guess my first three points explain my observations to the problem of “attribution”. Yes, attribution in cyberspace is difficult, but I see states act differently in solving the attribution problem. Regarding Taiwan’s peacetime operation, I think the previous three pieces of writing clearly indicating that there are cyber defence operations going on in Taiwan as shown by information related to NICST and TWCERT. I feel that your third element is actually about “how do we know Taiwan is not doing cyber espionage or offence operations”? I need to agree with your assessment that nobody knows, and I do not think engaging in such kind of assessment is what I am doing in the previous piece. What I want to point out is while thinking about cyber offence or espionage, shall we think through the observations I mentioned in the previous article.
Fifth, you mention:” it could hardly be considered a war crime if the attack does not occur as a part of ongoing kinetic hostilities”, and this is related to my last point when I talking about the case of Stuxnet (creating physical damages) and what are things Taiwan needs to consider when developing such cyber weapon. You use the case of Estonia, but I believe you understand there is no kinetic effect of this cyber attack. I think the answer is inside your question already.
Sixth, I do not quite understand your response to my point, the psychological impacts derived from the collapse of Nationwide DNS service, as you just talk about the 2014 Apple Daily incident, but Taiwan’s national DNS service was not collapsed during that specific event. In fact, Vice Premier Simon Chang’s also supports the same assessment at https://anntw.com/articles/20140623-yQfl. Unfortunately, I can only find a source in Chinese language. The psychological impacts will base on the scale of collapse in the Nationwide DNS service, not the inaccessibility of the Apple Daily website.
To answer your last point about defending against “unknown unknowns,” people in Information Industry always have a similar saying: ” No single formula can guarantee 100% security, there is a need for a set of benchmarks or standards to help ensure an adequate level of security is attained;” and I agree with such view.(Please see http://www.infosec.gov.hk/english/technical/files/overview.pdf) Of course insider attack is the most severe threat to information systems as pointed by your article. However, will just plant a (physical) time bomb easier and cheaper than developing Stuxnet when “attackers are able to infect a system from within”? I also want to point out that Iranian nuclear facility is an air-gapped system, and it is because that Iranian engineers did not follow some basic Software Configuration procedures when encountering Stuxnet-level attack as explained in https://www.ted.com/talks/ralph_langner_cracking_stuxnet_a_21st_century_cyberweapon#t-70828 . Of course insider attack is the most severe threat to information systems. As you rightly pointed out ” Iran did not and the damage was done,” but I do not think Iran has done their job well. I felt that reducing human negligence is still cheaper; as I have no insight into the Iranian’s information procedure, such debate probably will continue.
To conclude, I fully agree with your view in the last paragraph. This is the reason that I pointed out ” Taiwan needs to approach this frontier prudently and holistically.” I feel that only notice Taiwan’s hacking capability without investigating all relevant issues can trap us into the problem of not see the forest for the trees.
1. NICST was established in 2001. Please see the Chinese version of the regulation, http://www.nicst.ey.gov.tw/cp.aspx?n=AB87FBE484641E36#sthash.IZiO8bgI.dpuf. The webpage you point out in the Thinking Taiwan is showing the latest update time of the regulation, but the Chinese version contains all the modification history.
2. I truly enjoy the conversation with you, and appreciate your a lot of your view. Hope to meet you in the future.
After reading your response, I thought a few clarifications might be in order.
The scope of such discussion was definitely cyber espionage/ sabotage operations conducted by state-sponsored actors, that was never the question. The issue lies with the exclusivity of the PLA as THE only actor in play, which was never stated in the original article.
Even in cases where the “attribution” of similar offence was “allegedly” clear, such as the 2003 US invasion of Iraq over WMD, other agendas would, of course, still influence, and in this case overtaken the formulation of policy and actions taken by the state. Hence the stated reason for the sanction of North Korea, and the apparent inaction with regard to the Apple Daily Hack, cannot really provide any useful information in this context.
Plausible deniability owing to attribution issues would be unlikely to change in the foreseeable future, sanctions and prosecutions notwithstanding. And such ambiguity would bring into question the legitimacy behind sanctions and retaliatory actions, and compromise the credibility of said state actors in the process.
Regarding the pre-plant argument. Since most targeted attacks require gaining access to targets through actions or inactions of the victims, this would mean almost every offensive move conducted in an operation fits the “pre-plant” description, sans the unobtainable “intention”. And since the attacker won’t be aware that the victim’s onto them unless the victim makes a move, it is in the interest of the victim of such attacks to maintain radio silence and gather as much as they can regarding the adversary’s operation, or even feeding them false information. To announce one’s outrage and plan for a retaliatory attack does nothing except alerting your potential opponent that you’re onto them. Furthermore, attribution issues will play its part and further distort the legitimacy and intention of such an announcement, which while might be useful under certain context, makes very little sense in the realm of Cyber-warfare.
The statement ”Such inherent difficulties with attribution makes the question of whether Taiwan should conduct peacetime cyber operations perhaps a little naïve. How do we know that Taiwan is not already conducting such activities right at this very moment?” should not be segregated into three distinct issues that distort the original intention. The statement merely addresses the irrelevancy of discussing the legitimacy of a state conducting peacetime Cyber operations, since the “facts on the ground’ are so prevalent, that it’s little more than an open secret that every country is either already engaged in, or desired to, conduct integrated Cyber operations, including the sensitive, provocative offensive portion of it.
The statement “it could hardly be considered a war crime if the attack does not occur as a part of ongoing kinetic hostilities” should not be misinterpreted in such a way that physical damage resulting from cyber operations became the defining characteristic of a war crime, as the definition of a war crime lies more with [what could be proven in court] the intention of the belligerent. As for Estonia, in the original context I believe it was merely brought up as a prelude to the debate over article 5 of NATO, and does not have anything to do with the war crime discussion.
It was never stated that the inaccessibility of the Apple Daily website was the cause of the so called “psychological impact.” In fact, it was stated that ” their impact, and psychological impact in particular, has been so far limited and context-dependent. ” And that the ” real threat from DDoS is still when they are part of broader military activity thus contributing to pressure on private, governmental, and military information infrastructure. ” And as I’m sure you’re aware that such attacks relied heavily on the element of surprise, since vulnerability against DDoS attacks could be easily remedied with advance warning. Also the source article you provided never specifically mentioned, let alone elaborate upon the potential “psychological impact” that such an attack might bring.
I’m unclear as to which “insider attack” in the article you were referring to, but the development of Stuxnet was forced by various circumstances and it was calculated as the most cost-effective way of achieving the operational goal. Also, the employment of Air-gap, although significantly simplifies the task faced by security administrators, does not in and of itself provide an air-tight security, as I’m sure you’re aware that the previously mentioned Operation Cleaver also managed to compromise several air-gapped systems. Spear-phishing and psychological manipulation plays a role as well, reducing “human negligence” might SEEM to be easy, but when implemented on a large scale (hundreds of thousands of activities by hundreds of operators over a span of years), it became nearly impossible, be it for the attacker or the defender.
In fact, a recent attribution for certain attacks were only possible because of such “human negligence” by the Threat Actor in question, and that was hardly the only instance.