    The Way to the Specialist and Management Level of Cyber Hygiene Initiative

    Abstract: Cybercrime and state-sponsored espionage are still growing rapidly, and the number of affected organizations increases day by day. Some know that they have been affected; some still do not. The user is the main factor in cyber security incidents, and no two humans are the same (fingerprints, skill, knowledge, attitude); human behaviour is influenced by many factors. The goal of the Cyber Hygiene Initiative is to adopt internal guidelines comprising the best behavioural principles for cyber hygiene and to create an e-learning platform on which these guidelines are implemented. The prototype of the Cyber Hygiene e-learning course was implemented and tested in the Estonian Defence Forces in 2016. This thesis builds on that trial. It tries to clarify what data should be available to specialists and what information should be reported to management, and so helps to create the specialist and management levels of the Initiative. The methodological foundation of the e-learning course was laid in earlier theses. This thesis introduces the methodology and shows the results: what kind of data and reporting should be implemented at the specialist and management levels. Decision makers and managers now have an executive summary available that takes the specialists' view into account and supports proper reporting. In addition to many interviews with specialists and security experts, a questionnaire was created to widen coverage; it was tested at an internationally well-known think tank. Results from the interviews and the survey indicate that the methodology is valid for improving reporting and should help with implementation. The developed methodology and questions will be taken further at CybExer Technologies, a joint venture of BHC Lab and bytelife, which contracted with EDA at the end of 2016 for a period of three years to further improve the programme and add the specialist and management levels. Keywords: Cyber Hygiene Initiative, e-learning, specialist, expert, management, reporting. CERCS: P170 Computer science, numerical analysis, systems, control.

    AppCon: Mitigating evasion attacks to ML cyber detectors

    Adversarial attacks are a critical issue that prevents the reliable integration of machine learning methods into cyber defense systems. Past work has shown that even proficient detectors are strongly affected by small perturbations to malicious samples, and that existing countermeasures are immature. We address this problem by presenting AppCon, an original approach to harden intrusion detectors against adversarial evasion attacks. Our proposal brings ensemble learning to realistic network environments by combining layers of detectors, each devoted to monitoring the behaviour of one of the applications employed by the organization. The proposal is validated through extensive experiments in heterogeneous network settings simulating botnet detection scenarios, and considers detectors based on distinct machine- and deep-learning algorithms. The results show that AppCon mitigates adversarial evasion in over 75% of the considered attempts, without suffering the limitations of existing countermeasures such as performance degradation in non-adversarial settings. For these reasons, our proposal is a valuable contribution to the development of more secure cyber defense platforms.
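The following script is an added illustration of the layering idea in the abstract above; it is not AppCon's code, models or data. It uses simple z-score baselines (an assumption of this example) on one constructed feature, mean payload bytes per packet, and shows why an evasion tuned against a single pooled detector is still caught by a detector that only knows the traffic of one application: the pooled benign distribution is wide, the per-application one is tight. The application names, flow values and the greedy evasion routine are all constructed for this example.

```python
"""Per-application baselines versus a single pooled anomaly detector.

Added illustration only: the z-score detectors, the flow records and the
evasion routine are constructed for this example and are not AppCon's.
"""
from statistics import mean, pstdev

# Constructed benign training flows: application -> mean payload bytes per packet
BENIGN = {
    "dns":  [60, 62, 64, 58, 61, 63, 59, 60],
    "http": [900, 1100, 1000, 950, 1050, 1000, 980, 1020],
    "ssh":  [120, 130, 125, 128, 122, 126, 124, 127],
}
Z_THRESHOLD = 3.0   # assumed decision threshold in standard deviations


class ZScoreDetector:
    """Flags a value that lies more than Z_THRESHOLD std devs from its baseline."""

    def __init__(self, samples):
        self.mu = mean(samples)
        self.sigma = pstdev(samples) or 1e-9   # guard a constant baseline

    def is_anomalous(self, x):
        return abs(x - self.mu) / self.sigma > Z_THRESHOLD


# One detector trained on all benign flows pooled together ...
GLOBAL = ZScoreDetector([v for vals in BENIGN.values() for v in vals])
# ... and one per application, trained only on that application's flows.
PER_APP = {app: ZScoreDetector(vals) for app, vals in BENIGN.items()}


def pooled_verdict(app, x):
    """Monolithic detector: the application label is ignored."""
    return GLOBAL.is_anomalous(x)


def layered_verdict(app, x):
    """Application layer first; unknown applications fall back to the pooled model."""
    app_detector = PER_APP.get(app, GLOBAL)
    return app_detector.is_anomalous(x) or GLOBAL.is_anomalous(x)


def evade_pooled(app, x, step=50):
    """Greedy evasion against the pooled detector: shrink the feature until it
    stops flagging (the attacker is assumed to control this feature directly).
    Returns the perturbed value."""
    while GLOBAL.is_anomalous(x) and x > 0:
        x -= step
    return x


if __name__ == "__main__":
    # Constructed malicious flow: DNS tunnelling with oversized payloads.
    malicious = 2500
    print("pooled flags original:", pooled_verdict("dns", malicious))
    evaded = evade_pooled("dns", malicious)
    print("perturbed value:", evaded)
    print("pooled flags perturbed:", pooled_verdict("dns", evaded))
    print("layered flags perturbed:", layered_verdict("dns", evaded))
    print("layered flags benign dns:", layered_verdict("dns", 61))
```

The perturbed flow still carries many times the payload of benign DNS, so the per-application baseline flags it; to evade that layer as well the attacker would have to bring the feature back into the benign DNS range, which removes most of the tunnel's capacity. The benign checks at the end show the second layer adds no false positives on in-distribution traffic, the property the abstract contrasts with other countermeasures.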

    Aplikace principu náležité péče v kybernetickém prostoru (Application of the Due Diligence Principle in Cyberspace)

    The due diligence principle is a well-established general principle of international law. The adequacy of its use has been proved in many special regimes of international law, especially in international environmental law. Cyberspace is another regime in which the application of the due diligence principle is desirable. An adequate application of the principle might mitigate the problem of attributing cyber operations and help in denying safe havens to non-state actors who conduct malicious operations in cyberspace. The adequacy of applying the principle in cyberspace is further indicated by the results of discussions in international fora and by the emerging trend of support for its application in official declarations of States on the application of international law in cyberspace. The thesis further suggests how the due diligence principle should be applied by introducing three elements that trigger the due diligence obligation and three possible adjustments to them. It also identifies the essence of some controversial aspects of the application of the principle and introduces cyber-specific considerations for determining breaches of the due diligence obligation and for evaluating the lawfulness of responses to a breach, which consist of acts of retorsion... The thesis also explains why the principle of prevention, which is part of due diligence in... Department of Public International Law, Faculty of Law.

    Anonymity networks and access to information during conflicts: towards a distributed network organisation

    Access to information is crucial during conflicts and other critical events such as population uprisings. An increasing number of social interactions happen in cyberspace, while information exchanges at the infrastructural level (monitoring systems, sensor networks, etc.) are now also based on the Internet and wireless links rather than on ad hoc, isolated wired networks. However, the nature of the Internet allows powerful hostile actors to block, censor, or redirect communication to and from specific Internet services through a number of available techniques. Anonymity networks such as Tor provide a way to circumvent traditional strategies for restricting access to online resources, and make communication harder to trace and identify. Tor, in particular, has been used successfully in past crises to evade censorship and Internet blockades (Egypt in 2011, and Iran in 2012). Anonymity networks can provide essential communication tools during conflicts, allowing information exchanges to be concealed from external observers, anonymised, and made resilient to imposed traffic controls and geographical restrictions. However, the design of networks such as Tor makes them vulnerable to large-scale denial of service attacks, as shown by the DDoS targeted at Tor hidden services in March 2015. In this paper, we analyse the structural weaknesses of Tor with regard to denial of service attacks, and propose a number of modifications to the structure of the Tor network aimed at improving its resilience to a large coordinated offensive run by a hostile actor in a conflict scenario. In particular, we introduce novel mechanisms that allow relay information to be propagated in a distributed and peer-to-peer manner. This eliminates the need for directory services and allows the deployment of Tor-like networks in hostile environments, where centralised control is impossible. The proposed improvements concern the network organisation but preserve the underlying onion routing mechanism that is at the base of Tor's anonymity.
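The simulation below is an added illustration of the structural point the abstract makes, that relay information can be spread peer-to-peer instead of being fetched from a directory; it is not the paper's mechanism and not Tor code. Everything in it is an assumption of the example: the ring-plus-chord peer topology, the attacker who takes down every fourth relay (including the one relay that acts as the "directory"), the unsigned descriptor format, and the push-gossip schedule. Real Tor descriptors are signed with the relay's identity key, and a deployable variant would have to verify those signatures on receipt; the fingerprint consistency check here only rejects a descriptor whose identity and key do not match.

```python
"""Push-gossip propagation of relay descriptors versus a central directory.

Added illustration only. Topology, attacker model and descriptor format are
assumptions of this example, not the paper's design or Tor's protocol.
"""
import hashlib

N_RELAYS = 40   # assumed network size
CHORD = 5       # assumed topology: relay i peers with i+-1 (ring) and i+-5 (chord)


def fingerprint(key: bytes) -> str:
    """Relay identity derived from its key, as Tor derives fingerprints."""
    return hashlib.sha256(key).hexdigest()[:16]


def make_descriptor(i: int) -> dict:
    key = f"relay-{i}-pubkey".encode()   # stand-in for a real public key
    return {"fp": fingerprint(key), "key": key, "addr": f"10.0.0.{i}"}


def valid(d: dict) -> bool:
    """Reject a descriptor whose fingerprint does not match the embedded key."""
    return d["fp"] == fingerprint(d["key"])


def peers(i: int) -> set:
    n = N_RELAYS
    return {(i + 1) % n, (i - 1) % n, (i + CHORD) % n, (i - CHORD) % n}


def bootstrap(alive: set) -> dict:
    """Each alive relay starts out knowing only its own descriptor."""
    views = {}
    for i in alive:
        d = make_descriptor(i)
        views[i] = {d["fp"]: d}
    return views


def gossip(alive: set, max_rounds: int = N_RELAYS):
    """Synchronous push rounds: every alive relay sends its whole view to its
    alive peers, who merge the descriptors that pass validation.
    Returns (views, rounds_until_no_change)."""
    views = bootstrap(alive)
    for r in range(1, max_rounds + 1):
        changed = False
        outgoing = {i: list(views[i].values()) for i in alive}   # snapshot
        for i in alive:
            for j in peers(i) & alive:
                for d in outgoing[i]:
                    if valid(d) and d["fp"] not in views[j]:
                        views[j][d["fp"]] = d
                        changed = True
        if not changed:
            return views, r - 1   # nothing new arrived: converged last round
    return views, max_rounds


def coverage(views: dict, alive: set) -> float:
    """Fraction of alive relays that know every other alive relay."""
    want = {make_descriptor(i)["fp"] for i in alive}
    complete = sum(1 for i in alive if set(views[i]) >= want)
    return complete / len(alive)


def directory_coverage(alive: set, directory: int = 0) -> float:
    """Centralised alternative: everyone fetches the list from one relay."""
    return 1.0 if directory in alive else 0.0   # directory down: nobody learns anything


def scenario(kill_every: int = 0):
    """kill_every=0: no attack; otherwise the attacker downs relays 0, k, 2k, ..."""
    alive = {i for i in range(N_RELAYS) if kill_every == 0 or i % kill_every != 0}
    views, rounds = gossip(alive)
    return coverage(views, alive), rounds, directory_coverage(alive)


if __name__ == "__main__":
    for k in (0, 4):
        cov, rounds, dir_cov = scenario(k)
        print(f"kill_every={k}: gossip coverage={cov:.2f} after {rounds} rounds, "
              f"directory coverage={dir_cov:.2f}")
```

With the directory relay taken down, directory-based lookup yields nothing, while gossip still reaches every surviving relay as long as the surviving peer graph stays connected; the attacker has to partition the graph rather than hit one host. The flip side is visible in `valid`: with no directory authority vouching for descriptors, each relay must verify them itself, so signed descriptors (and a Sybil defence for who may join) become the critical part of the design.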

    The Diffusion of Cyber Forces: Military Innovation and the Dynamic Implementation of Cyber Force Structure

    What explains the variation in implementation dynamics for cyber forces across militaries? In other words, as cyber forces emerge in states across the international system, why do some militaries undertake wide-ranging implementation efforts with few alterations to cyber force structure, while implementation in other militaries is a drawn-out, incremental process entailing several changes in cyber force structure? Militaries have been building cyber capabilities since the late 1980s; however, formalized military cyber organizations for these capabilities have only recently emerged. These cyber forces, active-duty military organizations that possess the capability and authority to direct and control computer network operations (CNOs) for strategic ends, have received little attention from scholars. Despite the potential impact cyber forces might have on international security dynamics, there is no comprehensive overview of cyber forces and no analysis of the various ways they have been implemented across militaries. Moreover, current explanations drawn from the diffusion of military innovations remain incomplete in explaining how cyber force structures change over the course of the implementation process. In this dissertation, I examine the diffusion and implementation of cyber forces and advance a theory of organizational size to account for the varying implementation dynamics across militaries. The dissertation makes two important contributions to the growing literature on cyber conflict. First, I offer a novel typology for categorizing cyber forces and their force structures. By classifying cyber forces according to organizational model and scale of command, I identify nine distinct cyber force structures: Subordinated Branch, Subordinated Service, Subordinated Joint, Sub-Unified Branch, Sub-Unified Service, Sub-Unified Joint, Unified Branch, Unified Service, and Unified Joint. The second contribution is empirical: I create the first comprehensive database cataloguing the diffusion of cyber forces and the evolution of cyber force structures across states, the Dataset on Cyber Force Structures. The dissertation also makes three broader contributions to the study of the diffusion of military innovations. First, I show how organizational characteristics mitigate diffusion pressures by constraining or enabling innovation and implementation. This moves past debates that portray militaries as either change-resistant or innovation-seeking organizations by making a more nuanced claim: organizational characteristics, such as size, can predispose militaries to pursue certain types of change while creating resistance to others. The dissertation thus sheds light on the ways in which military organizational factors shape the agency and decisions of those implementing an innovation. Second, I advance a stage-based conception of implementation for diffusion frameworks comprising five stages: pre-adoption, introduction, modification, expansion, and full implementation. This framework accounts for both partial and full adoption and provides a way to assess intermediate changes to an innovation before its full institutionalization; I use it to showcase the value of stage-based theorizing. Third, the dissertation introduces new methodological tools for testing stage-based hypotheses about adoption and implementation. In conjunction with qualitative analysis, it uses multistate survival modeling to assess variable effects at each stage of the implementation process. Traditional modeling techniques in the military diffusion literature, such as logistic regression and basic survival modeling, prove both cumbersome and inadequate for assessing stage-based processes. In using multistate survival modeling, I emphasize the importance of matching methods to conceptual and theoretical assumptions.

    The Russian influence strategy in its contested neighbourhood

    The collapse of the Soviet Union has been followed by a series of conflicts between the Russian Federation and its neighbours. Although some of these conflicts have been fought at the kinetic level, they were justified by Moscow through information warfare activities and supported by influence operations. This chapter, which includes an extensive survey of the literature on the topic, investigates the hybrid warfare strategy carried out by the Russian Federation in its 'sphere of influence' over the last three decades, namely the Baltic states (Estonia, Latvia, and Lithuania), Ukraine (Crimea and Donbass, i.e. the Donetsk and Luhansk People's Republics), Georgia (South Ossetia and Abkhazia) and Moldova (Transnistria), and assesses the effectiveness of the Russian (dis)information strategy. The essay focuses on the nationalist discourse and the pro-Russia narrative.

    Cyber Law and Espionage Law as Communicating Vessels

    Professor Lubin's contribution is Cyber Law and Espionage Law as Communicating Vessels, pp. 203-225. Existing legal literature would have us assume that espionage operations and "below-the-threshold" cyber operations are doctrinally distinct. Whereas one is subject to the scant, amorphous, and under-developed legal framework of espionage law, the other is subject to an emerging, ever-evolving body of legal rules known collectively as cyber law. This dichotomy, however, is erroneous and misleading. In practice, espionage law and cyber law function as communicating vessels, and so are better conceived as two elements of a complex system, Information Warfare (IW). The paper therefore first draws attention to the similarities between the practices: the actors, technologies, and targets are interchangeable, as are the knee-jerk legal reactions of the international community. In light of the convergence between peacetime Low-Intensity Cyber Operations (LICOs) and peacetime Espionage Operations (EOs), the two should be subjected to a single regulatory framework, one which recognizes the role intelligence plays in our public world order and which adopts a contextual and consequential method of inquiry. The paper proceeds as follows: Part 2 gives a descriptive account of the unique symbiotic relationship between espionage law and cyber law, and explains the reasons for this dynamic. Part 3 places the discussion of this relationship within the broader discourse on IW, claiming that the convergence between EOs and LICOs described in Part 2 can be further explained by an even larger convergence across all the elements of the informational environment. Parts 2 and 3 then serve as the backdrop for Part 4, which details the attempt of the drafters of the Tallinn Manual 2.0 to compartmentalize espionage law and cyber law, and the deficits of their approach. The paper concludes by proposing an alternative, holistic understanding of espionage law, grounded in general principles of law, which is more practically transferable to the cyber realm.

    Are Cyber Operations Having an Impact on State Electoral Processes?

    Cyber-attacks have become common occurrences that affect all aspects of life, from business transactions to personal communications. Alarmingly, coordinated cyber-attacks increasingly target politicians and their associates, political campaigns, political organizations and the broader public with political messaging. Given the novelty of these forms of attack, little is known of their potential impact. This thesis argues that states, state-directed actors, or non-state actors are disrupting, altering or influencing the electoral process in democratic states through coordinated cyber operations, and that the purpose is to increase hyper-partisanship and erode the legitimacy of democratically elected leaders. A quantitative study analysing data from a test group of consolidated democracies that had experienced these types of cyber operations showed declining confidence in both their national governments and the honesty of their elections. By investigating the most prominent and verifiable cyber-attacks against state election processes, a connection between the attacks and Russia's state intelligence services became apparent. Further research revealed Russian intelligence agencies' historic use of covert 'active measures' and their current efforts to incorporate cyber operations within those measures, increasing the versatility and efficiency of active measures. Historic and geopolitical insight provided by an ex-official from a former Soviet Republic contextualized how these new cyber operations could be used to advance Russian geopolitical objectives.