Handle With Care: The Pandora’s Box of Cyber Attacks

In his article “Taiwan’s Invisible Frontier: Cyberspace,” Michal Thim looks at cross-Strait interactions via the domain of cyberspace. While his article provides a good start to the discussion, I would like to add a few points.

Thim opens by talking about how Taiwan perceives China as the only source of cyber threat, though he does so under the constraints of limited attribution on the Internet. He further elaborates the problem of damage assessment due to the anonymous nature of cyber attacks during peacetime. Thim considers unsophisticated attacks such as cyber vandalism, patriotic hacking, and spreading misleading information to be common techniques, but believes that Advanced Persistent Threats (APTs) are the major concern. The article maintains the view that not much regarding the cyber threat has changed, as testified by various examples of hacking Thim describes, but we must also note the dramatic expansion and penetration of cyberspace into people’s daily activities.

In the final part of the article, Thim further discusses Taiwan’s cyber security in terms of the establishment of the Computer Emergency Response Team (CERT), the National Information & Communication Security Taskforce (NICST), and military exercises, and encourages Taiwan to accept the asymmetrical advantage of cyber attacks. He concludes with the need for Taiwan to attract more talent in the area of cyber security given the internationally competitive performance of Taiwanese hackers.

Undoubtedly, cyber security has been an important item on Taiwan’s security agenda since the 1999 “Special State-to-State” incident, and this is demonstrated most clearly by the high-profile 2014 cyber attacks against Taiwan’s Apple Daily during the Sunflower movement and Hong Kong’s Occupy Central movement. Although I agree with Thim on many issues, I diverge from some of his conclusions.

First, his quote from Vice Premier Simon Chang (張善政) is a very powerful statement to resolve the conventional problem of attribution in cyberspace. China is Taiwan’s sole traditional security concern. When occurrences of cyber attacks correspond with high-profile political events without the involvement of monetary gain, as exemplified by the Apple Daily incident in 2014, it would be quite easy to attribute this kind of politicised cyber attack to China. There is no simple silver bullet to know precisely who the attackers are in cyberspace. But international politics do not play by the rules of the criminal court, and simply looking at the tensions, motivations, and costs that lie behind the issues, we may better understand why things happen in cyberspace the way they do.[1]

Second, I wish to add to the effects of cyber attacks in comparison with kinetic attacks. Thim talks about the difficulty of knowing the actual scale of damage from the victim’s point of view. But the problem of clear damage assessment is true for both victims and attackers in different cases. Even in the case of Stuxnet, nobody knows the scale of damage except the Iranians, the victims themselves. In military operations, the follow-up actions are normally decided by the Battle Damage Assessment, traditionally undertaken by reconnaissance, so military personnel know if the designated objective is achieved or whether a further attack is required. This problem is especially salient for attackers, who cannot know whether the planned objective has been met, since an effective way of conducting reconnaissance in cyberspace is still absent. If we categorize cyber attacks into cyber defence, cyber offence, and cyber espionage, I feel that Thim’s point is only applicable to cyber espionage.

Third, although Thim seems to agree with Vice Premier Chang’s attribution to China, he also believes “the real source of an attack cannot be identified beyond reasonable doubt.” This kind of asymmetric observation is better explained by the 2014 SONY cyber attack. In December 2014, SONY Pictures was attacked by a group of hackers who named themselves “Guardians of Peace” in an attempt to stop SONY’s plan to release a comedy film about the assassination of North Korean leader Kim Jong Un. Although the Guardians of Peace claimed sole responsibility for this act, U.S. intelligence concluded that North Korea was behind the attack regardless of Pyongyang’s vociferous and public denial of being involved. Such observations are significant for the further development of Taiwan’s cyber capability: Will China behave in a similar way as the U.S. when facing such attacks?

Fourth, Thim states: “During conflict or immediately before the commencement of hostilities … the attacker may concentrate on brute force with the help of pre-planted viruses, worms, and Trojan horses inside an opponent’s computer systems.” However, the meaning of “pre-plant” can be interpreted in different ways, and I feel that Taiwan needs to be careful about the issue of “who starts the fight,” as the aggressors in any conflict are typically condemned according to International Law. In the traditional view of inter-state war, the military will conduct various preparatory battlefield activities such as redeployment of troops, logistic preparations, and intelligence collection about the adversary’s leadership, organization, vulnerabilities, terrain, etc. prior to the actual occurrence of conflict or even during peacetime.[2] The difference between Preparation of the Battlefield and the actual conduct of aggression in the physical domains is based on the manifest effects of force. However, this difference would be blurred in cyberspace. Stuxnet is not a pre-planted worm for the purpose of Preparation of the Battlefield in cyberspace, and this malware is not a mere Trojan horse or logic bomb, as it worked perfectly in searching for its target once deployed inside Iran’s network. When a state pre-plants malware to explore the vulnerability of the adversary, would the adversary leverage such a move and claim it was an act of aggression? The subtle difference would be something that Taiwan needs to think through carefully.

Fifth, Thim sees the scale of penetration as the biggest difference in cyber security, but I think there is more. What is more important are the implications of cyber attacks. Today a cyber attack can spark a kinetic conflict, as its effect is not about defacing websites only (as supported by the Stuxnet case). When an attacker has no clear assessment of the intended damage of an attack, with the possibility of provoking conflict, there are significant implications for Taiwan. Can Iran declare war on the U.S. or Israel? Why doesn’t Iran do so? Could the U.S. or China justify aggression on the grounds of a Stuxnet-level cyber attack?

Sixth, I would also like to point out the problem of unsophisticated Distributed Denial of Service (DDoS) attacks and how they can affect the nationwide network. In the event of DDoS attacks, a significant volume of DNS (Domain Name System) queries can simultaneously be sent to national DNS servers in order to locate the correct IPs of the victims, and this makes a fragile national DNS potential collateral damage. On the one hand, the collapse of DNS will impact the normal operation of the nationwide network, but without risking the problem of violating the Law of Armed Conflict, as it delivers no “physical” damage to civil utility infrastructures such as electrical grids, hospitals, and nuclear power plants.[3] On the other hand, such attacks can deliver a stronger disruption to people’s daily life, as the availability of DNS affects banking, government agencies, media, etc. The collapse of DNS does not make you bleed, but it can disrupt and shut down the availability of information on the Internet, and deliver serious psychological impacts.

Seventh, Thim says the National Information and Communication Security Taskforce (NICST) was established in 2014. In fact, this specialized office was created in 2000 to develop a public and private partnership in defending Taiwan’s information and communication security. The agency is not planning to pursue cyber offence or espionage capabilities, but rather to design a purely defensive capability that will protect the development of Taiwan’s information infrastructure.

Finally, Thim observes: “Defense is costlier and places the defender at a great disadvantage against relatively cheap attacks. It is also asymmetrical in that the attacker may impede military operations and decision-making through attacks on the civilian information infrastructure. This works as well for China as it might for Taiwan.” As Stuxnet demonstrated, computer viruses are extremely expensive, but existing “Commercial Off the Shelf” (COTS) techniques such as encryption, authentication, access control, and administration and personnel clearance could in theory maintain one’s cyber security to an acceptable extent. If Iran had done a better job of managing its network (which is much cheaper than the development of Stuxnet), it would have been able to avoid the attack.

The advantages of cyber attacks exist in wartime, when Taiwan would justly try to defend itself. This is especially important for a state like Taiwan that needs to justify self-defence in order for either the U.S. to fulfil its commitment in Article 2 (Section 2) of the Taiwan Relations Act — “the future of Taiwan will be determined by peaceful means” — or to give the international community the legitimacy to intervene according to the growing norm of Responsibility to Protect (R2P) for humanitarian reasons.[4] The other concern is jus in bello, and especially the principles of “proportionality” and “discrimination.”

The attackers have little control over the target and potential damage of their cyber weapons, so the spread of a computer virus can travel quickly from governmental to civil sectors, often transcending the nation-state. The lack of effective control over the scale of potential collateral damage and the effects of cyber weapons can substantially damage Taiwan’s public image, and using cyber weapons may raise political accusations of violating international law. If attackers cannot effectively control the spread of the computer virus and the resulting damage to the civil infrastructure, Taiwan needs to think through such issues before cultivating the uncontrolled power of cyberspace. Will cyber attacks not only undermine Taiwan’s legitimacy to defend itself, but also become a war crime?

To conclude, the way Taiwan perceives cyber security can affect its strategy in the virtual domain. Cyberspace is a new frontier for Taiwan, but Taiwan needs to approach this frontier prudently and holistically. It needs to attract talent to enhance its cyber security, but it would be misleading to simply focus on attracting more individuals with ever-more sophisticated knowledge of hacking techniques.

[1] P. W. Singer, Cybersecurity and Cyberwar: What Everyone Needs to Know (New York: OUP, 2014), 10.

[2] The most common type of such activities is Intelligence Preparation of the Battlefield (IPB). Please see US Army Field Manual 34-130 for a detailed explanation. A copy is available at https://fas.org/irp/doddir/army/fm34-130.pdf

[3] Such understanding is exemplified by China’s 2014 Internet disruption. See: Paul Mozur, “China Websites Hit with Disruptions,” WSJD, http://blogs.wsj.com/digits/2014/01/21/chinas-sina-baidu-and-other-big-websites-are-hit-with-disruptions/

[4] The details of R2P can be found in Cristina G. Badescu, Humanitarian Intervention and the Responsibility to Protect: Security and Human Rights (New York: Routledge, 2011).

4 thoughts on “Handle With Care: The Pandora’s Box of Cyber Attacks”

  1. Dear Hon-Min, thank you for your piece. It is great to see good discussion on this topic. I meant to respond briefly here in the comment section and it was getting longer and longer. So in the end, there is a full piece I co-wrote with a colleague: http://taiwan-in-perspective.com/2015/09/11/user-not-found-attribution-issue-in-taiwans-cyber-security/
    One thing that is not in the article. I am afraid that you got the date of the National Information and Communication Security Taskforce (NICST) wrong. If you click on the link that you provide, you will see that it says: “the National Security Council in May 2000 formulated the National Information and Communication Infrastructure Security Mechanism Plan under the direction of the President.” To find the date of NICST’s founding, one needs to go under Establishment and then click on the first link, which leads here: http://www.nicst.ey.gov.tw/en/News_Content.aspx?n=11B0E260E6E03508&sms=C22B05A29C978D0F&s=A88A5340E446C672. From there it is clear that the Executive Yuan approved establishment of the National Information and Communication Security Taskforce (NICST) in March, 2014.

  2. Dear Michal,
    Thank you for your response.
    NICST was initiated in 2000 and officially established in 2001 by the Executive Yuan. You can see a brief introduction to the organization in the following English document (National Strategy for Cybersecurity Development Program), http://www.nicst.ey.gov.tw/Upload/RelFile/3172/720371/84ad506e-d1d2-4978-ba21-fb392fdcf494.pdf .
    The webpage that you indicate is showing the latest update of the regulation, which is done by March 2014, but this does not mean that NICST is only a couple of years old.
    If you look at the title page of the National Strategy for Cybersecurity Development Program, you will find it is authored by NICST in December 2013, which is prior to March 2014. The primary source, the Chinese version of the regulation, is at http://www.nicst.ey.gov.tw/cp.aspx?n=AB87FBE484641E36 . I am sure you can have your colleague read the top right corner of the modification history, which indicates the clear date of the first promulgation in the first line.
    I am happy to have this opportunity to share my view with you.

  3. Dear Michal,
    I just responded to your other comments on your website, and please see
    http://taiwan-in-perspective.com/2015/09/11/user-not-found-attribution-issue-in-taiwans-cyber-security/comment-page-1/#comment-2421 .
    Thanks for the rewarding experience, and a fascinating website indeed.
