Ethics of Disclosure: Chinese Hacking of EU Diplomatic Cable Traffic

When security company Area 1 discovered a concerted cyber campaign targeting European Union (EU) entities that it attributed to China, the company could have followed the EU doctrine of coordinated vulnerability disclosure. Instead, it opted to publish its findings on its own blog and to provide The New York Times with examples of the EU cables. The Times, in turn, published some of the more salacious items.

Area 1 Discovery

The Area 1 discovery, which it labeled “Phishing Diplomacy,” identified more than 100 EU organizations that were being targeted by the Chinese. The report noted that the Chinese were ultimately successful in breaching the diplomatic communications network of the European Union. The company characterized its report as not the first to detail such activity by the Chinese and as unlikely to have an impact on deterring them. Indeed, Area 1 noted, “Chinese government hacking is technically unremarkable and consistent in three areas across all cyber campaigns.”

Phishing remains the dominant method through which cyber actors gain access into computer networks 9 out of 10 times.

Cyber-attacks are more akin to an assembly line than to individual snowflakes. Rather than characterizing the attacks as sophisticated we see them as imaginative and persistent. Very little about cyber-attacks is cutting-edge computer science. However, there is a high level of creativity in the diverse phishing lures used to gain access and in the attackers’ ability to identify non-obvious targets that allow them to achieve their desired outcomes.

Cyber actors continually use their imagination to find the weakest links in the digital chain, breaching their intended targets through open side doors instead of breaking the locks down on the front door.

From April 2015 onward, Area 1 began observing the Chinese targeting of EU government organizations. In late 2018, via phishing, the “Chinese successfully gained access to the Ministry of Foreign Affairs of Cyprus and a communications network used by the European Union,” according to the company. The COREU network, which operates between the 28 EU countries, was compromised.

The Chinese entity to which Area 1 attributed the successful execution of cyberespionage is the Chinese PLA’s Strategic Support Force. Though a bevy of researchers called the attribution tenuous, what is not being debated is the fact that Area 1 was able to obtain bona fide cable traffic that at one point was resident on the EU’s COREU network.

Area 1 Revelation

In its report, Area 1 noted it had notified affected entities. It published its report to highlight the successful phishing campaign that compromised the COREU network so that other entities would be alerted. The firm’s rationale in providing the content to the New York Times is less clear.

Ethics

Sharing the content with the EU would have made sense, as it would allow the EU to see firsthand the extent of the compromise. Indeed, the Area 1 report highlighted the topical areas the compromised cable traffic covered. Making the specific content available to a media entity as an accompaniment to the firm’s press release pushes against the boundaries of ethical behavior.

Nowhere does the EU’s 112-page doctrine on responsible disclosure include sharing examples of compromised materials with the media. If the content were less salacious and did not contain commentary attributed to EU personas about the current U.S. president, but rather concerned the logistics of moving medicines from country A to B, would it have made the cut for public sharing?

What Area 1 got right is that Chinese cyberespionage efforts are targeting, and will continue to target, the EU, as well as the United States and others. The Chinese continue to move down that road at 100 miles per hour, with their foot firmly on the gas.

Additionally, we can expect to continue to see spear-phishing arrows being pulled from the Chinese quiver and used with precision. There is no doubt we will be hearing from Area 1 in the future; after all, Area 1’s CEO Oren Falkowitz stated, “Our mission is to eliminate phishing.”

Christopher Burgess

Christopher Burgess (@burgessct) is a writer, speaker and commentator on security issues. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit: Senior Online Safety.