Cyber security is a fascinating topic, and the debate on cyber security with respect to Taiwan is very much needed. It is therefore always good to see an elaborated argument such as Yau Hon-min’s reaction to one of the authors’ pieces for Thinking Taiwan. Hon-min added some great points on a wide range of related issues: damage assessment from the perspective of the attacker, a further elaboration of the attribution problem and its implications for how states react to cyber-attacks, and, last but not least, the very interesting debate on cyber warfare and the rule of law, codified in international treaties and customary law alike. However, some of his arguments are problematic in one way or another.
It should be stressed that nowhere in the original piece is there an argument that China is the only cyber threat to Taiwan. Cyber-attacks are not limited to targeting military or governmental institutions in order to obtain classified information, sabotage defence infrastructure, or deface websites. A large chunk of world-wide cyber-attacks are various forms of corporate cyber-attacks. Unscrupulous business entities routinely employ Cyber Threat Actors (CTA) against their competitors. Let’s not forget that Taiwan’s cyberspace constituted a significant share of virus samples in Southeast Asia.
However, given the prevalence of cyber-attacks, we shall limit this discussion to the realm of cyber-espionage, where CTAs conduct systematic attacks against a foreign country, i.e. its governmental, military, or infrastructure targets, with the backing of a state. What we would argue is that in cases of specific targets of a governmental or military nature in Taiwan, Beijing is the most likely culprit, an assumption supported by the various Advanced Persistent Threats (APTs) that have been attributed to PLA actions over the years.
Hon-Min’s observation that “international politics do not play by the rules of the criminal court, and simply looking at the tensions, motivations, and costs that lie behind the issues, we may better understand why things happen in cyberspace the way they do,” is spot on, and in Taiwan’s case (and given the specifics of the respective target) it would certainly be easier to conclude who is behind the attacks. Yet a good guess does not make evidence. China (or any other perpetrator) will always have plausible deniability. Let’s take the Apple Daily attacks in 2014 as an example. Were they the work of the Chinese state, the People’s Liberation Army, or the intelligence services? Or were the perpetrators private citizens? What if some of the attacks were committed by Chinese citizens residing in third countries? What exactly, then, is the responsibility of the Chinese state? What would be the responsibility of third countries that happened to host one of the attackers? These are all questions that the state authorities of a country that has experienced a serious cyber-attack have to deal with. The SONY Pictures attack is actually a great example of how problematic attribution is. The US government asserted that North Korea might be behind the attack; however, experts expressed serious doubts about the allegation.
Even in cases where the attribution appears to be clear, where the Command & Control domains, CTA IPs, or even operator codenames were readily available, such as the highly publicized Mandiant APT1 report exposing the People’s Liberation Army (PLA) Unit 61938, it would still not constitute evidence beyond a shadow of a doubt, for various reasons, not the least of which would be how such information was collected.
The attribution problem echoes the debate within NATO on whether cyber-attacks could trigger Article 5 of the North Atlantic Treaty, a debate that intensified in the aftermath of the cyber-attacks against Estonia in 2007 and Georgia in 2008. The broader question is – as Hon-Min accurately points out – how would (or should) states react to cyber-attacks? “Can Iran declare war on the U.S. or Israel? Why hadn’t Iran done so? Could the U.S. or China justify aggression on the grounds of a Stuxnet-level cyber-attack?” The crux of the difficulty in answering these questions lies in the attribution of an attack and in the difficulty for the defender of conducting damage assessment in a timely fashion. Whereas attribution is crucial for the identification of the attacker, damage assessment is important for crafting a proportionate response. If the damage is clear only after a few months of careful analysis, and the attacker is identified as a foreign government only after a thorough investigation that takes months at least, and assuming that it is possible to gather enough evidence, what would be the appropriate reaction when the momentum of the attack is long gone and/or the information has already been compromised?
Questions pertaining to how states or organizations like NATO should react have not been resolved, and unless defensive measures become so sophisticated that attribution is possible within hours or days rather than months or years, it is safe to assume that we won’t have clear answers in the foreseeable future.
Moreover, states tend not to declare war even in cases of ‘conventional’ acts of violence. Did Libya declare war on the US in 1986? Did the US declare war on Afghanistan in 2001? Did Syria declare war on the US or Turkey this year? If states are apparently hesitant to resort to a declaration of war even in cases of obvious armed attacks against their territory (if not sovereignty), why, and based on what criteria, would they declare war on each other in the aftermath of cyber-attacks?
This problem changes when cyber-attacks are part of the preparation for and commencement of hostilities. It was in this context that pre-planted viruses as a method of exposing an opponent’s defences were mentioned in the original piece. Of course, not all pre-planted viruses are preparation for war, as most of these attacks in recent times were actually cyber-espionage operations. However, it is very likely that in the future states would do just that before proceeding to physical violence, as indicated by the recently exposed Operation Cleaver, in which South Korean infrastructure, including air traffic control, was compromised by actors with a suspected connection to Iran and with possible North Korean support. It doesn’t take a great stretch of the imagination to see the potential utility of having such control over one’s adversary in a wartime scenario.
Much of the argument in the original article, however, is focused on peacetime state-to-state cyber-attacks, as even a wartime use of cyber-attacks would require extensive preparation and infiltration during peacetime, just like any intelligence operation. Hon-min is correct to point out that Taiwan needs to be careful not to appear as the one who initiates the conflict. When the original piece argued that “During conflict or immediately before the commencement of hostilities, the incentive to hide one’s actions is greatly reduced and the attacker may concentrate on brute force with the help of pre-planted viruses, worms, and Trojan horses inside an opponent’s computer systems,” it had China’s combined kinetic and cyber-attack in mind. It is still safe to argue that at the outset of war an aggressor no longer needs to hide in the cyber shadows, because anonymity is no longer an issue when the cyber-attack is part of a large-scale use of force across all physical domains. Standard techniques such as masking IPs and utilizing compromised domains as Command and Control (C2) would no longer be necessary.
Such inherent difficulties with attribution make the question of whether Taiwan should conduct peacetime cyber operations perhaps a little naïve. How do we know that Taiwan is not already conducting such activities at this very moment? Almost every other nation does. We do not necessarily need to talk about causing infrastructural damage, since persistent cyber-espionage operations arguably provide much more benefit than an attack against infrastructure resulting in physical damage. The distinction between cyber offence, cyber defence, and cyber espionage is unimportant, as in reality the applicable skills and infrastructure are much the same. A good cyber-attack against physical infrastructure cannot proceed without persistent cyber-espionage operations providing access and conducting reconnaissance through lateral movement and/or privilege escalation within the network. Good cyber defence cannot hope to succeed without occasional offensive campaigns against CTAs’ C2s in order to obtain crucial information for threat intelligence. This is a somewhat different picture from the one Hon-min would have us believe, i.e. one where Commercial Off-The-Shelf (COTS) technology would ensure a “reasonable” amount of security. In fact, such a precarious escalation of threats has made the acquisition and sale of threat intelligence one of the fastest-growing cyber security sectors.
The reality is that no state would openly acknowledge that it is engaging in cyber-attacks. Institutions like NICST or Taiwan’s national CERT indeed list defence as their mission, and that is how it should be. NICST specifically is just a coordinating agency under the Executive Yuan, and thus has no in-house capacity for either cyber defence or offence. Moreover, expecting the CERT, the National Security Bureau (NSB) or any other relevant agency to acknowledge offensive cyber actions or cyber espionage is not realistic. Furthermore, the attribution issue works the other way round too. It is rather conservative to assume that Taiwan is engaging in cyber-attacks.
The suggestion that non-selective cyber-attacks might be considered a war crime if they spiral out of control does not hold water, as only a deliberate attack would be considered illegal. It is certainly intriguing to consider outlawing cyber-attacks on the grounds that their consequences cannot be controlled, even though actions with this potential account for a rather small portion of existing threats and could easily be remedied in a timely fashion once exposed. However, that would require an international consensus and the creation of new rules regulating cyber warfare. Moreover, it is not clear whether Hon-Min refers to wartime situations or – and this would appear to be the case – generally refers to any attack that might result in damage to civilian infrastructure. However problematic that might be, it could hardly be considered a war crime if the attack does not occur as part of ongoing kinetic hostilities. It is the same problem as with the NATO debate on the activation of Article 5: there is no consensus on whether a cyber-attack is a form of armed attack, and even if there were a consensus, we would still have to deal with damage assessment and, yes indeed, attribution.
We would agree that DDoS attacks, as one of the more common forms of cyber-attack, are no laughing matter. However, their impact, and their psychological impact in particular, has so far been limited and context-dependent. Let’s bring up the Apple Daily attack again as an example. It only confirmed the protesters’ existing negative perception of Beijing’s interference, and for a news site like Apple Daily, being under attack for what they report is not entirely a bad situation, however inconvenient it is for their operation. (Note: as one of the authors actually worked inside the Next Media group, the owner of Apple Daily, we can attest to the regularity and the ineffectiveness of such attacks, which most of the time amount to nothing more than a simple annoyance.) To say the least, it means they are doing something right. Could a DDoS attack be more spectacular, cause a long disruption of services and thus have a more lasting psychological impact on a broader population? Yes, it could. However, the real threat from DDoS attacks is still when they are part of broader military activity, thus contributing to the pressure on private, governmental, and military information infrastructure.
Finally, it may be true that in individual cases defence is cheaper than offence. However, that is definitely not a rule, and the Stuxnet example – as noted by Hon-Min – takes into consideration only the presumed costs of research against off-the-shelf protection measures. This assumption greatly underestimates the flexibility of the extraordinary resources devoted to the continued operation and evolution of a cyber-weapon such as Stuxnet. Whether Iran could have done better and cheaper if it had merely managed its network better may be a valid point. But it is also a conjecture. Iran did not, and the damage was done. Moreover, if Stuxnet was a test for further research, then the cost issue becomes even more complicated. What makes attacks cheaper, however, is that the perpetrator is the one with the initiative, whereas the defender has to build multi-purpose protection, and even that is no guarantee if the attacker is able to infect the system from within, as one cannot possibly defend against the “unknown unknowns.”
What Hon-Min’s piece clearly exposes is that there is a lack of definition, a lack of consensus, and basically no regulation. This also results in a whole set of dilemmas for policy makers, namely how to secure a nation’s information infrastructure under lawless conditions, which are both a curse and a blessing. It would be detrimental to Taiwan’s security to position itself as a good sheep amongst a pack of wolves, especially if its main source of cyber threats has plenty of resources and is not shy about using them.
Michal Thim is a postgraduate research student in the Taiwan Studies Program at the China Policy Institute (CPI), University of Nottingham, a member of CIMSEC, an Asia-Pacific Desk Contributing Analyst for Wikistrat and a Research Fellow at the Prague-based think-tank Association for International Affairs. Michal tweets @michalthim.
Liao Yen-Fan is a Taipei-based analyst for the Cyber Security firm Team T5, specializing in cyber security, air power and Taiwanese military. He can be reached for comment at firstname.lastname@example.org