The Enemy Has a Voice
Understanding Threats to Inform Smart Investment in Cyber Defense
Policy Paper
Feb. 28, 2017
In late July 2016, flight status screens in airports in Hanoi and Saigon broadcast derogatory messages toward Vietnam and the Philippines instead of the normal flight information. This cyber-attack, allegedly conducted by the notorious 1937CN Chinese hacking group, led to mass disruption to numerous travelers in the Asia-Pacific region that day.[1] However, this was not a random event, but rather the latest in a series of escalating back-and- forth cyber-attacks between China and Vietnam. Understanding such ongoing conflicts, as wellas the capabilities of groups like 1937CN canhelp organizations better brace themselves when most at risk.
For much of the past, cybersecurity measures have focused on looking internally at the vulnerabilities of an enterprise network. While this will continue to remain important, we will not obtain substantial improvement in cybersecurity of our infrastructure until we adopt an approach that is focused on the adversary. In short, the enemy has a voice in what happens—and we should expect attackers to adapt, innovate, and leverage community resources. Quality information on these enemies, also known as cyber threat intelligence (CTI), helps defenders better understand what vulnerabilities their likely adversaries will seek to exploit.
Taking a threat-focused approach to cybersecurity seems like a natural and sensible thing to do for organizations from small and medium enterprises to massive government agencies. In understanding the nature of the threat they face—that is to say who might be interested in breaching their security and why—they are able to craft better informed and data-driven security policies and maximize the return on their cybersecurity investments by identifying specific pressure points and crafting solutions that produce outsized impact. This reality makes ensuring a thriving market for CTI directly relevant to policymakers tasked with crafting policies that promote better national cybersecurity. This report is designed to help policymakers better understand what CTI is and how they can leverage it to help achieve public policy goals.
In this report, I start by discussing the general concept of CTI and how this powerful concept can reduce “offensive dominant” nature of cybersecurity and describe various types of such information. Then, to make the ideas a bit more concrete we examine how such information can provide insight into malicious hacker communities—in particular those on the deep and dark web. I then outline some challenges with cyber threat intelligence going forward and propose policy ideas that can help lead to improved access to such information across a variety of organizations.
[1] Tao, B., & Grimm, A. (2016, Sep.). South China Sea Conflicts Spills into the Cyber Domain: China vs. Vietnam. www.cyr3con.com/blog