Paper Review: The unexpected norm-setters: Intelligence agencies in cyberspace
I wanted to do a line by line review of Ilina Georgieva's recent piece on cyber norms because on a brief read-through, I liked a lot of it. That said, the difficulty with reviewing policy pieces is you tend to think the ones that AGREE with you are naturally genius, which is not always the case. So after a more thorough review, there are a lot of serious issues with the piece and these are painfully listed below (if you happen to be Iliana).
To be specific, the paper focuses on the norms implications of NSA's leaked tool TERRITORIAL DISPUTE which is, not really this at all, and it's weird how confused the author sounds trying to describe it:
What TeDi (to use her terminology) really is, is a simple script that you can run once you are on a box to find out if another APT is also installed on that box, complete with a few simple signatures, essentially the simplest and dumbest anti-virus of all time. It is a not a "technique of infiltrating computer networks" and the main flaw of the whole paper is that it's impossible to say what the norm implied by TeDi is in a simple sentence. Without a very clear statement as to what the norm is, it's folly to analyze or draw any conclusions.
Another major issue with the paper is purely stylistic, in the sense that many international relations papers will say things like:
But we have no public evidence that any other group has anything like TeDi, or a clear understanding of what norm it would imply if they did.
The paper also confuses activities taking place because there is a norm of behavior with activities taking place because operational security (OPSEC) measures are part of how you do this business. This includes not leaving your rootkits around to be looked at by your opponents, which is the obvious purpose of TeDi. The attacker running TeDi wants a minimal number of signatures because they:
Any real critique of the paper would have to put words in the author's mouth - starting with what you propose specifically is the norm implied by the existence of TeDi. That seems a bit like tilting at windmills. A better question around TeDi is probably what it means to the FBI or other defensive domestic teams that these signatures were not shared more widely, but then we don't know that they were not.
It's true, as the paper points out, that almost all discussion of cyber norms is fantasy. Every paper is a broadside focused on trying to make some imaginary opponent believe they should adopt a particular set of rules. Nobody wants to say what the current rules of the game are, perhaps because it means admitting to things they would rather not say out loud.
To be specific, the paper focuses on the norms implications of NSA's leaked tool TERRITORIAL DISPUTE which is, not really this at all, and it's weird how confused the author sounds trying to describe it:
This article examines a particular technique of infiltrating computer networks to gather intelligence data (i.e., computer network exploitation or CNE), in order to exemplify the norm-setting impact of intelligence agencies.
What TeDi (to use her terminology) really is, is a simple script that you can run once you are on a box to find out if another APT is also installed on that box, complete with a few simple signatures, essentially the simplest and dumbest anti-virus of all time. It is a not a "technique of infiltrating computer networks" and the main flaw of the whole paper is that it's impossible to say what the norm implied by TeDi is in a simple sentence. Without a very clear statement as to what the norm is, it's folly to analyze or draw any conclusions.
Another major issue with the paper is purely stylistic, in the sense that many international relations papers will say things like:
The exploitation technique portrays a norm of cyber espionage that is
widely implemented by the intelligence community.
widely implemented by the intelligence community.
But we have no public evidence that any other group has anything like TeDi, or a clear understanding of what norm it would imply if they did.
The paper also confuses activities taking place because there is a norm of behavior with activities taking place because operational security (OPSEC) measures are part of how you do this business. This includes not leaving your rootkits around to be looked at by your opponents, which is the obvious purpose of TeDi. The attacker running TeDi wants a minimal number of signatures because they:
- Assume their checks will leak as someone may eventually detect them via some sort of honeypot
- Know that every check they run is taking time away from running the mission of their operation, and adds potential complicated failure modes to something already difficult to do
Any real critique of the paper would have to put words in the author's mouth - starting with what you propose specifically is the norm implied by the existence of TeDi. That seems a bit like tilting at windmills. A better question around TeDi is probably what it means to the FBI or other defensive domestic teams that these signatures were not shared more widely, but then we don't know that they were not.
It's true, as the paper points out, that almost all discussion of cyber norms is fantasy. Every paper is a broadside focused on trying to make some imaginary opponent believe they should adopt a particular set of rules. Nobody wants to say what the current rules of the game are, perhaps because it means admitting to things they would rather not say out loud.
No comments:
Post a Comment