Build an end-to-end linkage mechanism to respond promptly to national cyber threats
Today informatization is woven deeply into every aspect of China's economy, society, science and technology, and has become one of the major driving forces of national development. General Secretary Xi Jinping has described the agricultural, industrial and information revolutions as three eras: "The agricultural revolution enhanced mankind's ability to survive and carried mankind from barbarism into civilized society. The industrial revolution extended human physical strength and replaced manpower with machines. The information revolution has enhanced human brain power and brought another qualitative leap in productivity." On February 27, 2014, the Central Leading Group for Cyber Security and Informatization was established, a clear signal of the importance the CPC Central Committee attaches to cyber and information work.
China is a major cyber power and also one of the countries facing the most serious cyber security threats. To raise the level of information security, a series of dedicated laws and regulations have been issued at the national level, among them the Regulations on the Security Protection of Computer Information Systems, the Administrative Measures for the Prevention and Control of Computer Viruses, and the Administrative Measures for Multi-Level Protection of Information Security. The Cyber Security Law of the People's Republic of China (hereinafter the Cyber Security Law), which took effect on June 1, 2017, stands at the same rank as the earlier National Security Law and Anti-Terrorism Law and is a milestone in establishing the basic management system for national cyber security. The Cyber Security Law places great weight on the linkage mechanism for information security: it directs the national cyberspace administration to coordinate network operators, industry organizations, operators of critical information infrastructure and other relevant parties in jointly monitoring network threats, issuing early warnings and responding to emergencies.
At 20:00 Beijing time on May 12, 2017, the WannaCry ransomware broke out worldwide. Once a system is infected by this worm variant, its important data files are encrypted and a ransom in bitcoin is demanded. Within 5 hours the attack had reached nearly 100 countries and regions, including the United States, China and Europe. Within 72 hours more than 200,000 computers in over 150 countries and regions had been infected, in sectors including government departments, health care, public transport, postal services, telecommunications and automobile manufacturing.
The attack was so damaging because it used the "EternalBlue" exploit. EternalBlue is only one of roughly a dozen attack tools stolen from the NSA (National Security Agency) and published by the Shadow Brokers group in April 2017, a month before the outbreak. According to Snowden's disclosures, the agency already held more than 1,000 such tools in 2013. It can therefore be said with certainty that similar attacks will happen again, and that they will affect China's network security as a whole. To counter such "national cyber threats" effectively, China should, under the guidance of the Cyber Security Law, further build a new national information security linkage mechanism.
First, achieve rapid linkage with the "golden 24 hours" as the goal.
In earthquake rescue, the first 72 hours after the quake are called the golden window. Statistics from the Tangshan earthquake show how survival rate falls with rescue time: 99.3% within the first half hour, 81.0% on the first day, 53.7% on the second day, 36.7% on the third day, then 19.0% on the fourth day and only 7.4% on the fifth.
Attack tools developed by professional attackers often exploit 0-day vulnerabilities, so they can spread and do damage in a very short time. An attack on this scale, however, inevitably draws the attention of professional security organizations, and a countermeasure is usually available within 24 to 48 hours. The key to handling a "national cyber threat" is therefore whether the "golden 24 hours" can be seized. WannaCry is also a reminder that this window matters even without a 0-day: the SMBv1 flaw it exploited had already been fixed by Microsoft in security bulletin MS17-010 in March 2017, two months before the outbreak, and it was unpatched hosts that let the worm spread.
The precondition for seizing the "golden 24 hours" is a clear standard for identifying a "national cyber threat". Article 51 of the Cyber Security Law provides: "The State establishes a network security monitoring, early warning and information notification system. The national cyberspace administration shall coordinate relevant departments to strengthen the collection, analysis and notification of network security information, and shall uniformly release network security monitoring and early warning information in accordance with regulations." Launching "national cyber threat" emergency measures affects a very wide scope and costs a great deal to mobilize. Only once the "national cyber threat" has a clear technical definition can security organizations test and classify a new threat against that standard, and report it to the national cyberspace administration through the corresponding process according to the preliminarily identified threat level.
Second, with the "end-to-end process" as the goal, get the whole process through to the user's desktop.
Most of the domestic units hit by WannaCry had drawn up network security emergency plans and held drills. There are two main reasons the plans failed to do their job. First, outdated thinking: the belief that "nothing can happen on a physically isolated intranet", with only stop-gap measures taken to satisfy inspections from above, so that information security management was never really put in place. Second, the lack of a "cross-level" standard process: too many layers of decision-making slowed the response, and two days after the national cyberspace administration had publicly issued an emergency notice, some units had still taken no countermeasures, causing avoidable losses.
An "end-to-end process" runs from the point where the customer's need arises to the point where that need is met. For the information security linkage mechanism, that means from the discovery of a network threat to the completion of the protective deployment on every user's desktop.
Article 53 of the Cyber Security Law provides: "The national cyberspace administration coordinates relevant departments to establish and improve the network security risk assessment and emergency response mechanism, formulate emergency plans for network security incidents, and organize drills regularly." To deal with "national cyber threats", a single nationwide network security emergency plan should be drawn up covering government agencies at all levels, important enterprises and institutions, and colleges and universities. Once a "national cyber threat" is confirmed, the traditional "communicate and decide layer by layer" mode of passing information should be abandoned: front-line security and operations staff who have registered in advance should receive the relevant information as early as possible through a flat, informatized process so that they can start targeted measures quickly. Because a "national cyber threat" is very rare, ensuring that the emergency plan really works "end to end" requires more "live-fire drills": taking a low-threat 0-day vulnerability as the trigger, launch the national emergency measures and spot-check how the relevant units carry them out.
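What "reaching the user's desktop" looks like for the WannaCry case, as an added example that is not part of the original article: a PowerShell audit a front-line operator could run on each Windows host the moment the notice arrives. It relies on two public facts, that WannaCry spread through the SMBv1 flaw fixed by Microsoft in MS17-010 and that Microsoft's remediation advice was to install that update and disable SMBv1. The function names are this example's own; the KB identifiers are those for Windows 7 SP1 / Server 2008 R2 and are an assumption to be replaced with the IDs for the fleet actually in use.

```powershell
# Added example (not from the article): audit a Windows host for the
# WannaCry exposure and, if exposed, remediate the SMBv1 side locally.
# Requires an elevated session on Windows 8 / Server 2012 or later.

function Get-WannaCryExposure {
    param(
        # MS17-010 update IDs for Windows 7 SP1 / Server 2008 R2 (security-only
        # and monthly rollup). Other builds have their own IDs: assumption,
        # replace with the list for your fleet.
        [string[]]$RequiredKb = @('KB4012212', 'KB4012215')
    )
    $smb       = Get-SmbServerConfiguration
    $feature   = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $installed = Get-HotFix | Where-Object { $RequiredKb -contains $_.HotFixID }
    $listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = [bool]$smb.EnableSMB1Protocol
        Smb1Feature       = if ($feature) { [string]$feature.State } else { 'NotApplicable' }
        Ms17010Installed  = [bool]$installed
        Port445Listening  = [bool]$listening
        # Exposed = the vulnerable protocol is on and the fix is absent.
        Exposed           = ([bool]$smb.EnableSMB1Protocol -and -not [bool]$installed)
    }
}

function Invoke-WannaCryRemediation {
    # Turn off the SMBv1 server and remove the optional feature. The MS17-010
    # update itself still has to arrive through the normal patch channel.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
}

# Audit first, remediate only when exposed, and emit a one-line record that a
# central collector can pick up without the result passing through management layers.
$report = Get-WannaCryExposure
$report | Format-List
if ($report.Exposed) { Invoke-WannaCryRemediation }
"$($report.ComputerName),$($report.Exposed),$($report.Ms17010Installed),$($report.Smb1ServerEnabled)" |
    Out-File -Append -FilePath "$env:ProgramData\wannacry-audit.csv"
```

Run under a management tool (Group Policy startup script, SCCM, or a remoting session) rather than by hand, so the appended CSV lines from every desktop give the coordinating body the "end-to-end" status the article asks for within the first hours of the notice.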
Third, with "capability sharing" as the goal, achieve a great synergy of network security forces.
Complex software such as the Windows operating system runs to tens of millions of lines of code, and vulnerabilities are inevitable. Hacker groups in various countries routinely trade 0-day vulnerabilities and cyber weapons over the Internet, which in a sense is already a form of "great collaboration". The "EternalBlue" exploit used in the WannaCry attack, for example, was published free of charge on the Internet by the Shadow Brokers group while it was trying to sell the rest of the tools it had stolen from the NSA at a high price.
To counter this great collaboration among hackers from various countries, cooperation among China's own network security forces must be strengthened further. Article 39 of the Cyber Security Law provides for "promoting the sharing of network security information among relevant departments, operators of critical information infrastructure, relevant research institutions and network security service institutions". After the WannaCry attack, most domestic security vendors released their own detection and protection tools within a short time, but their response times and protective effect still varied. If a reasonable mechanism for sharing technology and aligning incentives can be established, the domestic security forces will be able to respond faster and more effectively when the next "national cyber threat" occurs.
Beyond emergency response after an attack, the more active strategy is to find potential 0-day vulnerabilities before the attackers do: to shift from "repairing after the fact" to "preparing for a rainy day", and from "pure defense" to "attacking to promote defense", so that "cyber attack" and "cyber defense" ultimately work in synergy. Article 16 of the Cyber Security Law provides that "the State Council and the people's governments of provinces, autonomous regions and municipalities directly under the Central Government shall make overall plans, increase investment, support key network security technology industries and projects, and support the research, development and application of network security technology". The cyber range is the key to "attacking to promote defense": by providing a simulated attack-and-defense environment, it encourages "white hat" hackers to find and close vulnerabilities before malicious hackers exploit them. Because most government agencies and defense units in China run physically isolated intranets, building a cyber range on classified networks is of great significance for national security. Putting our defense systems and indigenous application software through live-fire testing speeds up the discovery and repair of vulnerabilities and creates a degree of "information fog" for outside attackers, raising the difficulty and complexity of their attacks.
With the rise of artificial intelligence, a "great synergy" between machine intelligence and human intelligence is becoming the future direction of network security. In 2013 the United States' DARPA (Defense Advanced Research Projects Agency) launched the Cyber Grand Challenge (CGC), in which every competitor was a computer system that, without human intervention, had to identify defects and vulnerabilities in real time and patch and defend its systems automatically. In August 2016, at DEF CON CTF, the top event in the information security world, the CGC winner, the Mayhem machine, played a human-versus-machine match against fourteen human teams and at times ranked ahead of two of them. Artificial intelligence can scan for defects and vulnerabilities faster and more thoroughly than human teams, and can speed up the repair of such defects across billions of lines of code. But it lacks human flexibility: it cannot yet detect logic vulnerabilities automatically, cannot cope with many of the subtler attacks launched by human hackers, and has some probability of itself causing security incidents (leaking confidential information, taking servers down, deleting important files, and so on). The trend, therefore, is toward AI and humans working together, with AI systems filtering out most of the suspicious traffic on the network and sharply reducing the number of potential threats that human experts have to handle.
The Cyber Security Law is an important embodiment of the overall national security concept. It will raise citizens' awareness of cyber security across the board and, while safeguarding national interests and the vital interests of the people, make China's network safer, more open, more convenient and more dynamic. (Deng Hu, Institute of Computer Application, China Academy of Engineering Physics; Tian Zhihong, Secretary-General of the Competition and Evaluation Exercise Committee of the China Cyberspace Security Association)