Military Cyber Threats and Responses
2019.01.22
By Ma Ying-han
Commander Ma delivered this speech as the lunch keynote on October 8, 2018, at the 2018 Defense Forum on Regional Security, which focused on the theme of “New Security Challenges in the Indo-Pacific Region: Cybersecurity Governance and China’s Sharp Power”. The speech was delivered in Mandarin. It is translated here into English by J.R. Wu.
Mr Chairman, distinguished guests, good afternoon.
My name is Lieutenant General Ma Ying-han. I am the Commander of the Information Communications and Electronic Force Command of the Ministry of National Defense. It is my great pleasure to be invited to speak at the “2018 Defense Forum on Regional Security”. I’m going to talk about the issue of “Military Cyber Threats and Responses”. But before I begin my report, let me give a brief introduction of myself.
This is my short curriculum vitae. I will let you read my education for yourself. As for my career, I have worked in the General Staff Headquarters in recent years. I have been Director of Information Security for J6, Commander of the Joint Information Operation Command, and Director of the Army's communications and information division, G6.
My presentation today has five sections, which I am going to report on to the scholars and guests here. Besides the preface and conclusion, I am going to talk about international cyber threats and trends, the development and intentions of the PLA's cyber corps, and Taiwan's cyber security defense strategy.
The Information Communication Electronic Force, the fourth branch of the R.O.C. armed forces, was established on June 29, 2017. (Source: R.O.C. Military News Agency)
With the advancement and development of technology, the tools of human communication are constantly evolving and the importance of the Internet is beyond words; there are those who would use it to deliberately deceive, steal and destroy in order to influence a country’s politics, economy, psychology and military, or to achieve a criminal purpose. Its influence crosses modern sovereignty and governance, making cyberspace a new type of space that is different from land, sea, air and outer space.
Nowadays, the image of the mobile device represents access to all-inclusive services. With the touch of a finger, personal needs (and knowledge) are met, but at the same time there is a high cyber security risk.
Let’s turn to the first section: international cyber threats and trends. With one word leaked out, the cover of an entire military is wiped out. It may be just a one-click mistake, but it will never be recovered.
The United States' 2018 Department of Defense Cyber Strategy report clearly stated that the open, transnational, fragmented nature of the Internet creates serious vulnerabilities. According to The Global Risks Report 2018 by the World Economic Forum, cyber attacks have risen to be the number three risk this year, jumping from number six in 2017.
Among the top five risks listed, three are related to the environment. The other two are cyber attacks and data fraud or theft. According to an October 5 article in Bloomberg Businessweek, a micro-chip as tiny as a sharpened pencil tip was implanted at a specific stage of Super Micro Computer Inc.'s supply chain production, collecting and stealing data and reportedly affecting more than 30 enterprises. This goes to show that, in the future, the risks of the virtual world are becoming more and more difficult to identify.
Let’s take a look at the trends in cyber threats.
According to a report issued at the beginning of this year by the European Union Agency for Network and Information Security (ENISA), malware, web-based attacks, web-application attacks, phishing and spam were ranked at the forefront of cyber threats. In particular, in late 2017, the discovery of ten vulnerabilities in the WPA2 (Wi-Fi Protected Access) security protocol and the KRACK (Key Reinstallation Attack) attacks allowed hackers to systematically crack Wi-Fi network passwords, then eavesdrop on the content, hijack the connection or launch an attack.
Although at this year's International Consumer Electronics Show (CES) the Wi-Fi Alliance announced the new WPA3 security protocol, current Wi-Fi hotspots cannot all be upgraded overnight. Special care should be used when accessing public, password-less Wi-Fi hotspots.
Now let’s take a closer look at hackers using the above attack techniques and what they are after.
According to an article on May 28 in Taiwan's Liberty Times, in order to obtain and grasp the military insurance and health insurance information of Taiwan's military personnel, their relatives and the general public, the Chinese Communist Party (CCP) has repeatedly attempted to break into the websites of our military hospitals and steal military medical records. Based on statistics, last year there were more than 162.45 million such attacks.
In addition, the well-known global social media company Facebook recently disclosed that on the afternoon of September 25 it discovered a security problem. Attackers exploiting vulnerabilities in the system could access user accounts, directly affecting 50 million accounts, and 90 million users had to log in again.
It is clear that in recent years, no matter if it is an official government or non-government institution, the theft of personal data is still one of the main objectives of hacking organizations. Because personal data can be used in many ways, nothing is beyond what they can accomplish, even if you cannot imagine it.
So apart from personal data, what else do they want? Let’s look further.
Here domestically, from the ATM heist at First Commercial Bank to the hacking of Far Eastern International Bank, these cases show hackers intruding into the dedicated financial telecommunications networks used by financial institutions. Just like a movie plot, NT$1.8 billion in funds was transferred out successfully, with no handling fees charged.
When the WannaCry ransomware outbreak happened, U.S. media cited South Korean scholar Boo Hyeong-wook as saying that this is what North Korean hackers do: they loyally extort large sums of money for their government. The FBI recently filed charges in this case; it is convinced the WannaCry ransomware was carried out by the North Korean hacking group Lazarus. Therefore, the purpose of an incursion is not solely to steal personal data. Money is another great incentive.
We have the threat trends, the methods, the purpose. Where is the source?
On April 5, 2018, the Executive Yuan's Department of Cyber Security stated that public offices are hit by cyber attacks over 20 million times a month on average, and at most over 40 million times a month. Although the volume of attacks is gradually trending down, the success rate of these attacks is on the rise. According to Talos, Cisco's threat intelligence organization, a single hacking group (the Russians who launched the VPNFilter malware) has infected more than 500,000 routers worldwide, showing that the methods of cyber attacks are constantly evolving into something new. Meanwhile, high-risk networking equipment has become the preferred avenue for hackers on the other side of the Taiwan Strait.
The Executive Yuan pinpointed that among the cyber attacks that Taiwan suffers, 80% of them are from the CCP. Its “attack and scare” tactics not only occur in tangible space, but more and more also in the cyber space where it pokes holes through the walls, virtually, to press its advantage. Looking at the CCP’s cyber corps development and intentions, we can make a further analysis:
How many times on average is Taiwan’s Ministry of National Defense attacked each year? In 2017, 734,502 times. That’s 61,208 times on average a month. For 2018 so far, it has been 678,318 times, or averaging 75,368 times a month. In this case, it is trending higher.
Under the goals of the CCP's 2015 "China Dream" and "Strong Military Dream", with the "Small Leading Group for Deepening National Defense and Army Reform" at its core, the plan for the structural reform of the military and its related details abolished the four major headquarters in 2016. It also reorganized the high-level divisions and consolidated the seven major military regions into five major theaters.
An original 11-level command system was simplified to a three-level command system. Think of the changes like this: What had been “individual” horse-drawn carriages were transformed into a single chariot being powered by many horses to increase its “unified strength.”
So what kind of organization holds the reins of so many horses? Let’s look at the next page – the Three-Level Command System: Joint Strategy Command, Operations Command, and Brigade.
The most noteworthy, of course, is that the CCP established a Strategic Support Force on December 31, 2015, that included the former General Staff Department’s Third Department (and GSD’s Fourth Department and Fifth Department), as well as other units involved with electro-magnetics, cyber and aerospace. Its main mission is to provide joint operations with "accurate, efficient and reliable information to guarantee strategic support.” In other words, the CCP’s Strategic Support Force is like the reins pulling many horses in the picture, effectively integrating the strategic support forces with the theaters and forming the core of joint warfare.
This kind of plan resonates with what was in the US Department of Defense’s 2018 cyber strategy report. The US report disclosed that "the joint forces will adopt cyber attack capabilities and innovative concepts, and conduct cyberspace operations in full spectrum conflicts." This is possibly the new benchmark for various countries as they develop warfare capabilities in cyberspace in the future.
What does the face of the cyber corps supporting the force look like?
Everyone knows that the CCP's cyber corps is not only composed of military units, but also of a large number of peripheral civil organizations. These are mostly units cultivated by the People's Liberation Army (PLA). Analyses by CrowdStrike, Mandiant and FireEye, three US cyber security firms, based on the behavior patterns of the cyber attacks and the techniques and tools used, have tied hacker groups in China to the CCP's cyber warfare forces.
Among the dozens of hacker organizations, CrowdStrike identifies those with close interaction with the PLA with a variant of the "***Panda" name, for example "Deep Panda"; Mandiant uses an "APT X" identifier, for example APT19 (the Winnti umbrella); FireEye doesn't use specific naming rules. What is currently certain is that the relationship between Unit 61398 and Unit 61486 of the PLA and these civil or private hacker organizations is extremely tight.
Let’s look at what they have done and their intentions.
This chart is an excerpt. It is summary statistics of intrusions by China's cyber corps into Taiwan's public sector prior to 2013 (this is publicly available information). We can see that between 2008 and 2011, in these three years, there were 4 cases. Between 2011 and 2013, these two years, there were 7 cases. In 2013 alone, there were at least 8 cases. A large amount of data has been leaked, leading to various policy developments being detected by the enemy in advance and then in turn used in various strategies targeting Taiwan. This is the first intention of the PLA's cyber corps.
Cyber security intelligence firm FireEye on June 21 this year released M-Trends 2018 in Taiwan. The report showed that the dwell time (the number of days an attacker is present on a victim network from the first evidence of compromise until detection) for Asia-Pacific enterprises was four times the global median (498 days versus 101 days).
Many industries in Taiwan have repeatedly suffered from attacks suspected of being cyber espionage activity from China. Chinese hackers like to use Taiwan as a testing ground for sophisticated cyber-spyware technology. Much experimental malware is first launched in attacks against Taiwan before it is used to attack American companies. This is the second intention of the PLA cyber corps.
Taiwan has repeatedly suffered from attacks suspected of being cyber espionage activity from China. (Source: R.O.C. Military News Agency)
In addition to data theft, destruction and other kinds of cyber attacks, the most distinctive mode of operation in recent years is the CCP's "50 Cent Party" (中共五毛黨; a colloquial term for Internet commentators hired by Chinese authorities to manipulate public opinion to the benefit of the CCP). These commentators are employed to publish articles on the Internet in favor of the Chinese government, while at the same time besieging their online critics. Recently the most common trick has been to publish fake news to achieve the purpose of misleading online public opinion. However, in the near future, this work may be partially replaced by artificially intelligent editing robots.
In September, after US President Donald Trump accused China at the UN Security Council of meddling in the 2018 US mid-term elections, he tweeted that China was placing ads in Iowa newspapers and other media to spread propaganda that the US trade war against China was hurting the interests of American farmers, with the intent of interfering in the US mid-term elections.
Bloomberg also reported in September that Howard Jyan, head of the Executive Yuan's Department of Cyber Security, stated that hacker groups will try to interfere in our local elections this November. We believe this is the PLA cyber corps' third intention.
In summary, our aim is to understand the enemy, the source of threats in cyberspace, and his critical weaknesses, in order to build up our combat capabilities, while also understanding the nature of our own vulnerabilities, in order to develop appropriate security policies.
Now let us turn to how Taiwan has been enhancing its cyber security defense strategy.
The latest summary on cyber strategy by the US government identifies China and Russia as the top threats in cyber security. There is no doubt about this.
Addressing this close-at-hand threat, Taiwan's National Security Council and the Executive Yuan on August 27-28, 2016, held a strategic conference on "Cyber Security Is National Security." This created the opportunity to settle major national strategy and carried forward the 3x3x3 national-level cyber security strategy.
President Tsai, on June 29, 2017, presided over the establishment ceremony of our command (the Information Communications and Electronics Force Command). She said: "As the Ministry of National Defense enters the era of comprehensive information warfare, the threat comes not only from territories with borders; more threats come from cyberspace. The harm to national security from cyber threats is no less than that of traditional armed attacks." Therefore, the government not only established the Executive Yuan's Department of Cyber Security, but also established the Information Communications and Electronics Force Command, as concrete actions under "Cyber Security Is National Security."[1]
I personally believe that, under the framework of our National Cyber Security Strategy Report, to continue improving our military's cyber defense we must implement intelligence integration (know the enemy), multi-layered defense (defend against the enemy) and a systematic methodology for education and training (win against the enemy), in order to form a formidable force that effectively defends the country's digital territory.
Let’s continue further to look at the framework of intelligence-driven national cyber joint defense.
According to our national Cyber Security Strategy Report, the joint defense system for our national cyber security comprises three levels: the government, critical information infrastructure sectors, and providers. This joint defense system includes national security units and cabinet agencies and ministries forming and integrating teams for emergency response, early warning, notification and handling, to set up a cyber security joint defense framework for "information sharing, collaboration and response". This enhances the capabilities and effectiveness of early warning, emergency response and continuous operations.
The new National Cyber Security Strategy Report, issued by the ICT Security office of the National Security Council on September 14, 2017. (Source: R.O.C. Military News Agency)
The cyber defense of Taiwan’s military also needs the technology, experience, connections and exchanges with the outside world. Within the national cyber security joint defense mechanism, our cyber command force – apart from carrying out the good work in protecting the cyberspace within our own military – we are also part of the Executive Yuan’s push to integrate and establish the cyber security joint defense and intelligence sharing system of critical information infrastructures.
We are actively learning from the Defense Critical Infrastructure (DCI) and Defense Industrial Base (DIB) coordination mechanisms of Europe, the US and other advanced countries, to achieve a broader early warning system and more rapid response capabilities.
Apart from the mission of coordination of information and of critical infrastructure, what are the cyber security defense concepts of our cyber command?
Currently, the US military is reorienting itself from a "zero-defect culture toward one that increases its innovation and agile response capabilities." In addition to integrating sophisticated equipment and technology, we also focus on multi-layered defense, forensic knowledge and rapid recovery, because only from an invincible position can we talk about developing military cyber combat power. Distinguished guests, if you pick up a piece of cheese, you will see many holes in its surface because of the fermentation. But as long as the cheese is thick enough, you will not be able to see through it.
From the perspective of cyber security, no protection system is perfect, but as long as multiple defenses are formed, the various security risks cannot line up in a straight line, and the cyber defenses will not be broken. We must build a multi-layered cyber security defense, from the information server to the network node to the terminal equipment. That is, from the cloud to the terminus, an all-round information security environment, so that the enemy cannot get in, cannot take anything out, and cannot open anything, and thus cannot achieve his goal, whether a tiny change or a chain reaction.
So how do we form a formidable combat force?
Combat power is the basis for victory. From the perspective of overall combat power, we must consolidate cyber security defenses and continue to strengthen cross-domain cooperation alliances to build solid multi-layered deterrence capabilities. The strategy of our systematic education and training is to require the troops to pass the tests for three levels of professional licenses, establish basic knowledge, and then train in six professional areas of cyberspace (program development, operating systems, network equipment, databases, web systems and cryptography). These stages focus on combining theory and practice, and the final stage is a Level Three specialization training course, drawing on the military's expert-level capabilities.
Normally, we participate in the national-level cyber attack drills and special projects of the various ministries of the Executive Yuan. We review the effectiveness of our capabilities, combat equipment and training, and then adjust the training program to grow combat power and, together with the government's cyber security team, bring our national-level joint cyber defense into play.
Finally, let me offer a brief conclusion.
The latest September issue of one of our defense publications examined an article from a defense bi-monthly in the US that discussed Sun Tzu's Art of War in the context of cyber warfare. The article takes the thirteen chapters of Sun Tzu's Art of War to interpret cyber warfare, strategy and tactics. From this came some interesting and apt connections.
For example, the chapter on Tactical Dispositions: The skillful fighter puts himself into a position which makes defeat impossible, and does not miss the moment for defeating the enemy.
The author believes the information system must have the resilience to withstand attacks and be invincible. When taking action in cyber security defense, we must follow the decision cycle of "observe, orient, decide, act" (OODA) to respond to and defeat the cyber attack. In the future, cloud technology will become the basic framework for the Internet of Things, combat management and information transfer. From the cloud to the terminus, cyber security is a holistic issue.
Let me use the rigorous and shifting Bagua structure in Chinese culture to convey an all-round cyber security concept. The core of Bagua is the Taiji philosophy, the yin and yang principles. The core of harmonious operations in cyberspace is – information security, and its yin and yang are "convenience and risk" complementing, interacting, shrinking and growing with each other.
Yin and yang then grow into the four directions, and, extending the metaphor, maintaining cyber security is the ISO 27001 international information security standard with its four major steps of risk prevention, "Plan, Do, Check, Act" (PDCA), which allow a continuous cycle of corrective measures.
Finally, the eight trigrams: the metaphor here is the eight domains of the Certified Information Systems Security Professional (CISSP) certification, namely security and risk management, asset security, security architecture and engineering, communication and network security, identity and access management, security assessment and testing, security operations, and software development security, which make up the eight faces.
These form “all-round information security” so that it can achieve in cyberspace what Sun Tzu’s Art of War’s Tactical Dispositions (Chapter 4) says: The skillful fighter puts himself into a position which makes defeat impossible, and does not miss the moment for defeating the enemy.
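Added example, not part of General Ma's speech or of any R.O.C. MND material: a small Python model of the WPA2 key-reinstallation weakness (KRACK) that the first section of the speech cites as a 2017 threat. It assumes a toy HMAC-SHA256 counter keystream standing in for AES-CCMP, constructed sample frames, and its own class and function names (`Supplicant`, `run_session`, `find_nonce_reuse`, `recover_with_known_plaintext`), none of which come from the speech. It shows why a client that reinstalls the already-installed pairwise key on a retransmitted handshake message 3, and resets its packet number, lets an eavesdropper recover a frame's plaintext, and how a patched client that refuses to reinstall the same key avoids the nonce collision.

```python
"""Toy model of the WPA2 key-reinstallation (KRACK) failure mode.

Constructed illustration. The keystream below is an HMAC-SHA256 counter
construction standing in for AES-CCMP; the point is the nonce handling,
not the cipher. Frame contents are made up sample data.
"""
import hashlib
import hmac
import os

# Constructed sample traffic. FRAME_A models a predictable request the
# eavesdropper can guess (known plaintext); FRAME_B is the secret target.
FRAME_A = b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
FRAME_B = b"user=ma&password=hunter2"   # shorter than FRAME_A on purpose


def keystream(key: bytes, packet_number: int, length: int) -> bytes:
    """Derive `length` keystream bytes from (key, packet_number).

    As with CCMP, the keystream is a pure function of the key and the
    per-packet nonce, so reusing a (key, packet_number) pair reuses bytes.
    """
    out = b""
    block = 0
    while len(out) < length:
        msg = packet_number.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Client side of the 4-way handshake, reduced to key installation."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.ptk = None
        self.packet_number = 0

    def receive_message3(self, ptk: bytes) -> None:
        # Vulnerable behaviour: every (re)transmitted message 3 reinstalls
        # the PTK and resets the packet number to zero.
        # Patched behaviour: a key that is already installed is left alone.
        if self.patched and self.ptk == ptk:
            return
        self.ptk = ptk
        self.packet_number = 0

    def send(self, plaintext: bytes):
        """Encrypt one frame; returns (packet_number, ciphertext) as seen on air."""
        self.packet_number += 1
        ks = keystream(self.ptk, self.packet_number, len(plaintext))
        return self.packet_number, xor(plaintext, ks)


def run_session(patched: bool, ptk: bytes = None):
    """Simulate one session and return the frames an eavesdropper captures."""
    ptk = ptk or os.urandom(32)
    client = Supplicant(patched)
    client.receive_message3(ptk)            # message 3 arrives, key installed
    frames = [client.send(FRAME_A)]
    # The attacker drops the client's message 4, so the AP retransmits
    # message 3 with the same PTK.
    client.receive_message3(ptk)
    frames.append(client.send(FRAME_B))
    return frames


def find_nonce_reuse(frames):
    """Return (i, j) for two frames sent under the same packet number, else None."""
    seen = {}
    for idx, (pn, _) in enumerate(frames):
        if pn in seen:
            return seen[pn], idx
        seen[pn] = idx
    return None


def recover_with_known_plaintext(c_known: bytes, p_known: bytes, c_target: bytes) -> bytes:
    """With a reused keystream, c1 ^ p1 = ks, so p2 = (c1 ^ p1) ^ c2.

    Recovers as many bytes of the target as the known frame covers.
    """
    return xor(xor(c_known, p_known), c_target)


if __name__ == "__main__":
    for patched in (False, True):
        frames = run_session(patched)
        hit = find_nonce_reuse(frames)
        label = "patched" if patched else "vulnerable"
        if hit is None:
            print(f"{label}: packet numbers {[pn for pn, _ in frames]}, no reuse")
        else:
            i, j = hit
            print(f"{label}: reuse at frames {i},{j}; recovered",
                  recover_with_known_plaintext(frames[i][1], FRAME_A, frames[j][1]))
```

The vulnerable run reuses packet number 1 for both frames, and XORing the two ciphertexts with the guessed first frame yields the second frame's plaintext without touching the Wi-Fi password at all; the patched client sends the second frame under packet number 2, so no keystream is shared. Real CCMP is an AEAD and also fails its integrity guarantee under nonce reuse; this toy only shows the confidentiality loss.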
Lieutenant General Ma Ying-han is the Commander of the Information Communications and Electronic Force Command of the Ministry of National Defense, R.O.C. He was the Director of the Communications, Electronics and Information Division of the Army Command of the Ministry of National Defense, R.O.C. He has a master's degree in information management from Yuan Ze University College of Informatics.
[1]National Cyber Security Strategy Report, ICT Security of National Security Council, September 14, 2017, https://www.president.gov.tw/File/Doc/8f65b086-6be5-4481-b376-a4001204f003