September 2017 proved to be a banner month for cyber attacks. From Equifax to Dragonfly, APT33 to the SEC breach to the CCleaner attack for industrial espionage, these attacks reflect the increasing and continuous exposure and theft of data at unprecedented scales. What is lost in these headline-grabbing attacks is that September 2017 may also be a turning point when it comes to cooperation and norms in cyberspace.

In 2015, then-President Barack Obama met with Chinese President Xi Jinping. Amongst other policy areas, the two leaders agreed that commercial espionage was off limits, thus formulating a bilateral norm in cyberspace. This agreement already may be put to the test, as evidence from recent cyber attacks points back to a Chinese espionage group. In a year when the breadth, extent, and impact of cyber attacks continues to expand as geopolitical tensions escalate, the creation of norms remains essential to shape behavior in cyberspace and identify which targets are off limits. However, as these latest attacks may demonstrate, absent any coherent cybersecurity strategy and response framework, adversaries will disregard norms as long as they can attack with impunity.

CCleaner Supply Chain Targeted Attack

Google, Microsoft, and several other high profile tech companies were compromised when a backdoor was inserted into a popular computer cleaning software, CCleaner. The investigations into the extent of the CCleaner attack are still underway, but by some estimates it may be among the largest remote execution cyber attacks. CCleaner is a tool used to clean personal computers (PCs) by removing unused files to free up disk space and help computers run faster. A mid-August software update contained a hidden backdoor to compromise, as well as an additional payload deployed on a subset of targets. The attack appears to have targeted tech and telecommunications companies, largely in the U.S., Japan, and Europe. Although the virus infected over two million machines, researchers have identified hundreds of unique PCs infected by the second stage payload.

Preliminary evidence points the attacks to APT 17, a Chinese espionage group often referred to as Axiom. Amongst many other attacks, the group has been linked to the Operation Aurora compromise of Google in 2009. The evidence they conducted the CCleaner attack is based on malware code similarities with the Aurora compromise, and researchers have narrowed the attackers to two time zones covering parts of Europe, the Middle East, and Asia. In addition, the attacks did not target any Russian or Chinese companies. Finally, the Axiom group has a long history of targeting tech companies. Therefore, this would be continuation of the group’s previously exhibited behavior and objectives.

Deviation from the Norm

Only a few weeks after initial disclosure of the attack, evidence linking the CCleaner to Axiom is not definitive. However, if they are linked, it raises an important challenge to those concerned with defining appropriate behavior in cyberspace and limiting the proliferation of targets, objectives, and collateral damage during peacetime. More specifically, if true, the Axiom attack deviates from the agreement made between the United States and China in 2015 because the attacks targeted private companies, and the intent is likely industrial espionage. It remains unknown (and may never be revealed) whether intellectual property was stolen, but given the targets, industrial espionage is currently the most probable motive.

Two years ago, following the Obama-Xi summit, the White House issued a press release including the comment:

"The United States and China agree that neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”

This agreement came at a time when numerous high profile breaches were linked back to China—including the breach of the Office of Personnel Management) (OPM), stealing blueprints from Lockheed Martin, and economic espionage leading to the indictments of five People’s Liberation Army officers. Cyber espionage, especially by China, was called the “greatest transfer of wealth in history” by then National Security Agency Director General Keith Alexander. As these cases continued to pile up, they were noticeably separated into more traditional state espionage and commercial espionage. Those that fell into commercial espionage reached a point where the Obama administration considered sanctions in response. This may have been what prompted Xi to accept the 2015 agreement. Since then, many have referenced this agreement as the catalyst for a potential decline in Chinese commercial espionage. However, others felt the more likely scenario was not that the espionage stopped, but that the Chinese changed their tactics, techniques, and procedures to cover their tracks. Not surprisingly, the latter appears to be the case as evidence continues to link the CCleaner attack to the Axiom group.

What’s Next?

On October 6th, 2017, the U.S. Department of Justice released a summary of the U.S-China law enforcement and cybersecurity dialogue. The announcement reiterated language similar to that of the 2015 agreement, reaffirming the consensus against intellectual property theft for commercial gain. This dialogue occurred apparently with little consideration of the initial evidence pointing to China for the targeted attack against the U.S. tech sector, highlighting the compliance challenges and fragility of such an agreement. Moreover, while this is a bilateral consensus, China’s potential lack of adherence has global ramifications. Both Canada and Australia signed similar bilateral agreements with China prohibiting commercial espionage.

Over the summer, discussions pertaining to global cyber norms fell apart at the United Nations Group of Governmental Experts (GGE). The GGE process for addressing security in cyberspace has been ongoing for over a decade, and came close to agreeing upon the ‘low hanging fruit’ of norms, such as: not to intervene in Computer Emergency Response Teams (CERTs), critical infrastructure is off limits, as well as other voluntary, non-binding capacity-building efforts. In the past, they have agreed that international law adheres to cyberspace, but this summer’s initiative was intended to cement baseline rules of the road for appropriate behavior in cyberspace. The failure of those discussions, coupled with the resignation of Chris Painter, who was at the time the United States’ main advocate for norm propagation, has left a vacuum of leadership and direction when it comes to structuring agreed upon digital rules of road.

Attackers continue to exploit this vacuum and are increasingly brazen in their objectives and targets with little fear of repercussions. This past year alone has seen a dramatic increase in the global reach of attacks (e.g., WannaCry), election targeting across Europe and the U.S., and additional critical infrastructure attacks. The successful Kiev attack in late 2016 with the highly customized Crash Override is part of the broader discoveries of destructive malware, often found within critical infrastructure, including Shamoon 2.0, Stonedrill, and NotPetya as well as renewed Dragonfly activity and APT 33, both of which target a range of critical infrastructure with sabotage as the objective. Given the inability to agree upon even informal norms at the global level, the United States must push forth with a declaratory policy that explicitly states the range of responses to the ever-growing breadth and reach of these attacks. This does not mean policy makers should abandon the effort toward global norms, as both bilateral and multilateral efforts, such as the Global Commission on the Stability of Cyberspace, are essential for the pursuit of a stable and secure cyberspace. Instead, domestic level policies must acknowledge the current reality and shape a coherent response framework based on the effects and targets of the attack. Otherwise, attackers will continue to push the limits, and the government will remain ill-prepared for an impactful response or deterrence capability.

The outlook for norm entrenchment looks bleak heading into 2018. If the Sino-US agreement was indeed broken with the CCleaner attack, it is just the latest attack in a year that has seen adversaries across the globe test the limits on targets and effects. At the time, President Obama noted, “The question now is, are words followed by actions?” If the initial evidence holds, the CCleaner attack demonstrates yet again the challenges and importance of structuring norms in cyberspace. The pursuit of global norms should continue, but given the challenges of norm creation, the U.S. should also formalize a declaratory policy of what will happen if these agreements are broken or certain targets or effects are achieved via a cyber attack. Until then, attackers will continue to act with impunity, and the range of targets will only continue to grow.

Andrea Little Limbago is the Chief Social Scientist at Endgame, where she researches and writes on the intersection of geopolitics and cybersecurity. She was previously a technical lead at the Joint Warfare Analysis Center. Andrea earned her PhD in Political Science from the University of Colorado at Boulder.

Have a response or an idea for your own article? Follow the logo below, and you too can contribute to The Bridge:

Enjoy what you just read? Please help spread the word to new readers by sharing it on social media.

Header Image: Home sweet home. (Edgar Su/Reuters)