Written by Shannon Vavra
Any nation-state behind recent hijackings of Domain Name System (DNS) records should, in theory, be held responsible under the latest cyberwarfare norms agreement made by 20 countries at the UN in 2015, says America’s top cyber diplomat.
“One of the norms is disrupting physical infrastructure providing services to the public, and I think that fully encapsulates the internet’s DNS function,” Amb. Robert Strayer told CyberScoop Tuesday on the sidelines of the Atlantic Council’s International Conference on Cyber Engagement.
The 2015 UN agreement, outlined in a Group of Government Experts (GGE), affirms that nation-states shouldn’t launch cyberattacks intended to damage critical infrastructure in other countries. The DNS — which translates human-readable domain names of websites to their machine-readable versions — has a crucial role in directing internet traffic.
But subsequent UN talks reportedly fell apart in 2017 over disagreements China and Russia had with the rest of the member states about whether further enhancements to the GGE document would impinge on their right to self-defense in cyberspace.
Strayer, a deputy assistant secretary of State, said Tuesday he believes that the 2015 norms as they stand, however, already stipulate that nation-states can be held to account if hackers are conducting cyberattacks on their behalf.
“Nations are responsible for their proxies,” Strayer said when asked how to hold nation-states accountable for hackers who have possibly been linked with their governments. Security researchers have not pinpointed the source of most of the recent DNS hijackings, but they have reason to believe there is a nation-state, or even several nation-states, behind the attacks. DNS records are an attractive target for anyone trying to cause chaos in cyberspace; altering an organization’s DNS records allows an attacker to take over the traffic that comes to a website and route it somewhere else, without visitors knowing it.
Former Homeland Security Secretary Michael Chertoff, who also spoke at the Atlantic Council conference, said nation-states are still divided over the principles underpinning when to escalate responsibility for cyberattacks to the nation-state level in cyber norms accords.
“This really is kind of a fundamental divide in the global attitude to the internet,” Chertoff told CyberScoop. “Most Western countries want to have essentially an international regime that’ll leave international … reciprocity in treaties. The Russian and Chinese are very focused on their sovereignty.”
Cybersecurity researchers are currently tracking DNS hijacking campaigns that have been used to launch malware, steal login credentials and reroute traffic to malicious websites. While FireEye has asserted that Iran may be responsible for one of the operations, details about the sources of other attacks are scant. Researchers at Cisco’s Talos unit have said it’s possible several nation-states are behind some of them and that it’s too soon to attribute confidently.
Although the recent series of DNS attacks prompted DHS’s Cybersecurity and Infrastructure Security Agency (CISA) to issue an emergency alert this January to federal civilian agencies advising how to handle the threats, cybersecurity researchers have assessed that the DNS attacks are ongoing. To bolster U.S. defenses against these kinds of attacks in the future, a CISA official told CyberScoop that federal civilian executive branch agencies “have implemented MFA [multi-factor authentication] on 99 percent of in-scope DNS accounts” since the emergency DNS attack alert was issued. The agencies “are transitioning a small number of non-compliant domains to service providers with MFA by June 2019,” the official added.
Behind the scenes, U.S. efforts to bolster the cyber norms framework appear to be caught in a lurch at the UN. Last year the U.S. proposed establishing a new round of talks in another GGE, which the UN approved, but simultaneously, the UN also adopted a proposal from Russia to establish an alternative channel for cyber norms conversations, known as a UN “open-ended working group.”
Per the Council on Foreign Relations, however, this working group designation could delay any sort of determination on international cyber norms. The group would also expand the number of countries having input in the cyber norms development from about 20 countries to over 100, and could allow the member countries to push off deadlines. Sec. Chertoff told CyberScoop, “I think it’s their intent this can be a counterweight to the norms in the GGE.”
In remarks at the Atlantic Council, Chertoff stressed the importance of fleshing out the cyberwarfare norms even more. “Much as in the physical world, we don’t bomb civilian power plants when we’re involved in conflict because it violates the laws of armed conflict, we ought to have a similar set of rules for cyber conflict,” Chertoff said.