It’s time to set behavior norms for responsible nations

Years ago, I held senior leadership positions in the U.S. military focused on cyber-operations, policy and strategy. What kept me up at night was the concern that a loosely controlled third-party actor or organization — operating with suspicious motivations or questionable skills at the behest of an adversary — might initiate a cyberattack that could escalate to a physical conflict.

The warning signs are there. Consider the NotPetya attack, which was described by Wired Magazine as “an act of cyberwar… that was likely more explosive than even its creators intended.” This nation-sponsored attack demonstrated the dangers that could lead to conflict.

While part of the challenge is technological, it also comes down to establishing and adhering to behavioral norms. In cyberspace, there are no rules that describe and govern what type of behavior is and isn't acceptable.

There have been several efforts in this direction, notably the U.S.-China Cyber Agreement and work from the United Nations. Unfortunately, the U.N. initiative faltered when several key countries backed out from the original agreement. Similarly, gaps in trust have led to concerns about a breakdown of the U.S.-China Cyber Agreement.

Despite stumbles, these efforts provide a valuable starting point for creating a set of norms. The U.N. addressed a number of unacceptable actions for nations to take against another country such as attacking critical infrastructure, interfering with emergency response efforts, or using foreign networks to deploy wrongful acts. The U.S.-China Cyber Agreement attempted to codify the banning of intellectual property theft for profit.

We can’t afford to let our progress towards setting international cyber norms be impeded any longer, nor can we afford to ignore the problem. There is too much at stake, namely our entire digital way of life.

While addressing these broad challenges is ultimately the responsibility of governments around the world, our efforts to define norms for cyberspace behavior must also actively involve private industry, non-governmental organizations (NGOs) and academia.

In collaborating with colleagues around the world, I have identified five norms that responsible nations should follow during peacetime. If nations follow these norms, it will contribute to an improved, common, international understanding at the technical, operational and policy levels. It will reinforce positive, careful control and oversight of cyber activities. It will also bring in additional responsible partners to these efforts.

Transparency

Responsible nations should be more transparent about what they are doing in cyberspace and why they are doing these things. There is no expectation of total transparency, but improved transparency can lead to reduced uncertainty and greater stability. This is required for better trust and cooperation on common interest issues.

Standard Procedures

Responsible nations should establish and enforce standardized procedures for oversight of military, law enforcement and homeland security cyber-operations. This includes risk management assessment and control procedures that provide proper oversight from domestic and foreign policy, technical, intelligence and legal perspectives, as well as effective operational accountability.

Shared Intelligence

Responsible nations should share threat intelligence for criminal and terrorist threats of common interest. Cyber threat intelligence and information sharing programs should focus on indicators of compromise along the cyber threat lifecycle steps, as well as contextual information. They should not include personally identifiable information, protected health information, intellectual property or other information that creates surveillance, privacy, liability or legal issues. This norm is particularly important for reducing confusion that can lead to miscalculations and mistakes caused by increased non-state cyber activities that blur the digital environment.

Industry Participation

Nations should encourage and incentivize increased industry participation in the development and enforcement of norms of responsible behavior. The private sector owns, operates and maintains the vast majority of the internet, yet the norms discussion has traditionally been a government-only conversation. Industry's voice is critical because it will make the norms more practical, and industry can enforce them far more effectively than government can.

No Third Parties

Responsible nations should not employ loosely controlled third-party actors and organizations to engage in cyber activities. The increased use of surrogates, front companies and patriotic hackers by nations is an alarming trend, due to the growing risk of a major cyber event caused by a mistake or unsanctioned action by someone with a personal motivation.

Are these norms realistic? Yes. In fact, an increasing number of U.S.-based cybersecurity companies are actively pursuing some of these norms. The U.S. military has already led the way on the first two proposed norms, and the Cybersecurity Information Sharing Act of 2015 focused on the third and fourth norms.

In addition, U.S. law enforcement, domestic security, intelligence and military organizations are implementing many threat intelligence and information sharing programs with an increasing number of international and industry partners.

The U.S. can lead by example by following these norms of responsible behavior and should engage with world leaders, such as China, to broaden this effort, making it a global one.

Ret. U.S. Army Maj. Gen. John Davis is the Vice President of Public Sector at Palo Alto Networks, a leading provider of cybersecurity solutions. Previously, he served as the Senior Military Adviser for Cyber to the Under Secretary of Defense for Policy, and the acting Deputy Assistant Secretary of Defense for Cyber Policy.

Statement: This article is from 安全内参, and copyright belongs to the author. The content represents only the author's independent views, not the position of 安全内参; it is republished to share more information. For copyright concerns, please contact anquanneican@163.com.