Aquaboutic | Focus Security Research | Vulnerability Exploit | POC


Wu Shizhong: Some Understanding of the New Characteristics and Trends of Current Network Information Security

Posted by deeson at 2020-02-26

Because international and domestic issues are intertwined, the online and offline worlds overlap, and old and new problems are superimposed on one another, China's network information security situation is especially complex. As China moves closer and closer to the center of the world stage, we must not only focus on local and domestic issues but also adopt a global perspective. In recent years the Party Central Committee and the State Council, and General Secretary Xi in particular, have attached great importance to network information security and made a series of strategic and work arrangements, and the various ministries, departments and industries have done a great deal of effective work. China's network information security situation is stable on the whole. However, with the rapid development of science and technology and the profound changes in cyberspace, new problems and challenges keep arising, and we must treat them with caution.

1、 Several new features in the field of network information security deserve attention

Since 2017, many new changes have taken place in the field of network information security. The following four features deserve special attention:

First, the impact of information content security is prominent, and the risk to national political security is rising.

Since 2017, fake news and Internet rumors have become a focus of global attention, especially the so-called "manipulation of public opinion" and "election interference" that have been hotly discussed in Europe and the United States. In addition, the long-standing spread of terrorist information, ideological infiltration and the propagation of extremist and divisive ideas have become the "key public opinion" topics of network information security over the past year. Academic research, think tank reports and industry technical analysis on these subjects are not only growing in number but touching more and more areas. With the large influx of refugees into Europe, and especially after a series of terrorist attacks, terrorists have used social media to connect, gather, share information, organize activities and evade capture, which has prompted European countries to pay attention to and tighten the supervision of online content. As information content security increasingly affects political security, major countries are gradually introducing measures to address it. For example, Germany's Act to Improve Enforcement of the Law in Social Networks (the Network Enforcement Act, NetzDG) makes the content review and regulatory obligations of social network platforms, and the supervisory responsibilities of the government, more explicit. China has long treated information content security as an important part of information security, attaching great importance to both information technology security and information content security, which shows the foresight of our information security strategy. Given our historical period and development environment, ensuring national security and social development means that the management of information content security cannot be relaxed.

Second, the threat to economic security has increased significantly, and it is more difficult to maintain the security of infrastructure.

In the network era, no area of social and economic production, financial services, logistics and transportation or international commerce operates without depending on network or information infrastructure. The technical vulnerabilities that come with the wide application of information and network technology make network threats such as hacker attacks harder to control. The impact of network attacks on social life and national production keeps growing, and advanced persistent threats (APTs) in particular have become a fact of life that crosses sovereign borders. The possibility of hackers launching network attacks against sovereign states is especially worrying. If network attacks are linked to critical infrastructure such as industrial control systems, financial and transportation systems, power and energy systems and even nuclear power systems, the consequences become unimaginable. Where it used to be a hacker challenging a country, now it is a challenge to all of humanity, something inconceivable in the traditional sense. The international community has recently issued frequent risk warnings on this point. Once network attacks are combined with economic production, and especially with sensitive control systems, traditional and non-traditional security problems intertwine, responses and solutions become far more complex, and the bottom line and lifeline of national economic and financial security may be touched. This has therefore become a common challenge for every country in the information society.

Third, the pressure to maintain social stability is mounting.

Cybercrime has become an unavoidable problem of the information society. At the beginning of April this year, the fourth meeting of the United Nations intergovernmental expert group on cybercrime, held in Vienna, unanimously adopted the group's 2018-2021 work plan, focusing on the "legislation and frameworks" and "criminalization" issues of cybercrime and collecting a series of preliminary proposals put forward by various countries for consideration at follow-up meetings. Clearly, the prevention and control of cybercrime requires the cooperation of all countries. During the two sessions, network and telecommunications fraud, hotly discussed by the delegates, became an important topic for maintaining social stability. Such fraud is now highly organized and has become an international "hard problem" that directly harms ordinary people. In addition, incidents of personal information leakage and resale are increasing year by year, and new patterns of network attack have emerged. The most typical case is the 2017 WannaCry ransomware incident, considered the most serious ransomware event to date: it affected at least 150 countries and 300,000 users and caused losses of up to 8 billion US dollars, and China's government departments and public services were also affected. With the development of the Internet of Things, artificial intelligence and other new technologies, the cost of cybercrime is falling, evidence is harder to find, cases are harder to solve, and the pressure and challenges of maintaining social stability can be imagined.

Fourth, new technology implies new risks, and it is more difficult to balance development and security.

From cloud computing and the Internet of Things to artificial intelligence and blockchain, new technology applications keep overturning our understanding and breaking through conventional imagination, and they bring more complex security risks and hidden dangers. The more intelligent and automated the application of new technology, the sharper both edges of the double-edged sword. The crux is that these new applications are written by people, so vulnerabilities are inevitable and hidden dangers always exist. New technologies and applications give us a great historical opportunity to stand on the same starting line as other countries on the road to becoming an information power. But whether we can lead depends on whether we can handle the relationship between development and security. Looking back at the informatization process, the mindset of "develop first, govern later" has never solved the relationship between development and security. For artificial intelligence and other new technologies, the potential and power of new applications are beyond imagination, and so are their hidden dangers and risks. If we fail to give development and governance equal weight, we face the real possibility of the harsh consequence that disruptive technologies end up disrupting us. Therefore, from now on we must prudently handle the two major issues of development and security, balance the relationship between them, pursue the benefits while avoiding the harm, and keep risks under control.

2、 Dealing with network security problems requires improving governance capacity

The problems above are problems of development, and they will be solved through development. General Secretary Xi's statement that "without network security there is no national security, and without informatization there is no modernization" points the direction for network information security and informatization work, and especially for building a socialist network power. To deal with these risks, we therefore need to keep improving the governance system and modernizing governance capacity.

First of all, we should earnestly implement General Secretary Xi's series of new ideas, new judgments and new concepts on network security and informatization work, and in particular further strengthen the Party's leadership over network information security work and practice the overall national security concept.

Since the 18th National Congress of the Communist Party of China, General Secretary Xi has put forward a series of strategic ideas, scientific judgments and development concepts on network security and informatization work; the key is to implement them. The first of the three major battles set out in this year's government work report to the two sessions (the NPC and the CPPCC) is to prevent and defuse major risks. Implementation means implementing the absolute leadership of the Party and the overall national security concept. General Secretary Xi has always stressed "a sense of hardship, a sense of the overall situation, a sense of the core and a sense of political power." In other words, as we seize the opportunity of information development and push our country forward from a large network country to a strong network power, the string of network information security must not be loosened for a moment.

Secondly, we should govern the country and govern cyberspace according to law.

The Cybersecurity Law is an important milestone in China's legal construction for network security. Together with a series of laws, regulations and documents related to network security and informatization, such as the National Security Law, the International Strategy of Cooperation on Cyberspace and the national information security standards, it provides the legal basis and guarantee for governance according to law. At present we need to vigorously promote the implementation of the Cybersecurity Law and, as soon as possible, introduce specific implementing rules on infrastructure protection, network early warning and monitoring, emergency response, risk assessment and vulnerability analysis, and especially the institutional arrangements for network security governance, which need to be put in place as quickly as possible.

Third, we should strengthen scientific and technological innovation and industrial support.

Without scientific and technological innovation it is difficult to be self-reliant; without industrial support it is difficult to have confidence and self-respect. For a long time, key technologies have been controlled by others, and network security work has consequently been an endless cycle of patches and vulnerabilities. We now have many opportunities for innovation in information security technology, such as quantum cryptography, big data security, Internet of Things security and artificial intelligence security, including defensive technology, detection and analysis of attack behavior, security risk analysis, and big data leakage detection and prevention, all of which must ultimately supply effective technical means for security governance. An important mark of an information power is technological innovation in basic research that is affordable, effective and well used, which requires sustained state investment in basic research and the unheralded work of the broad ranks of scientific and technological workers. On the other hand, we must vigorously develop the information security industry and accelerate the transformation of scientific and technological achievements. China's information security industry is still relatively small, with few listed companies worth more than 10 billion yuan, which cannot meet the rigid demands of building a network power. We therefore hope the state will increase support in industrial policy, procurement policy, localization policy and the transformation of research achievements, encourage the combination of industry, academia and research, and develop more independent and controllable, safe and reliable products, systems and services.

Fourth, we should strengthen the training of network security personnel.

The key to network security lies in people. The shortage of network security talent is a global problem of the information age, and an especially acute one for China. So far, the total number of people trained under the CISP (Certified Information Security Professional) program of the China Information Technology Security Evaluation Center is only a little over 100,000. China has a great many information departments, and the number of trained personnel is far from enough even to meet the needs of government departments. In general, the construction of China's network security workforce still suffers from a serious imbalance between supply and demand, an unreasonable structure and a single evaluation mechanism, which restrict the improvement of the team's capability and the growth of its strength. To this end the state has stepped up the construction of disciplines and degree education related to network information security, but non-degree education also needs to be expanded, especially social education and vocational training. At this year's two sessions, many CPPCC members called for strengthening vocational training to make up the shortage of network security talent as soon as possible. The proposals of the delegates on the training and education of network security talent fully reflect the real needs of the industry and deserve attention.

3、 The potential risks of network information security should not be taken lightly

"If one has no long-term foresight, he is sure to have short-term worries." To do network information security well, we must prepare for the future. During this year's two sessions, delegates from the network information security field were active in making proposals, covering risk assessment of smart city construction, strengthening infrastructure protection, strengthening personnel training, protecting personal information, and controlling information security vulnerabilities. From the perspective of preventing and resolving risks, I want to offer a few suggestions on the hidden dangers of network information security.

First, the development prospects of artificial intelligence are limitless, so we must seek its benefits, avoid its harms, and prevent and control its risks.

The relationship between scientific and technological development and security, and between human beings and technology, bears directly on the ethics of technology. Marx said that the fundamental difference between man and animals is that man can make and use tools. The challenges brought by the development of artificial intelligence are revolutionary, greater than the opportunities and challenges of any technological innovation of the past. It has not only driven rapid growth in business investment but also led to strategic competition among the major powers. At the same time it raises a more stringent question of principle: whether human beings can retain control of artificial intelligence. We must therefore pay attention to the risk control of artificial intelligence; without risk control we would be failing in our responsibility to ourselves. Many experts worry that machines will eventually replace humans, and this really cannot be taken lightly. The late master Qian Xuesen once proposed the important concept of "man-machine integration with people at the center," which remains of great guiding significance today. If we want to remain the masters of science and technology we must have a control mechanism. Stressing safety and control is not meant to restrict scientific and technological development, but to ensure its healthy development and to seek its benefits while avoiding its harms. In the future of artificial intelligence, then, it is better to hand large amounts of labor over to machines and leave higher intelligence to humans. As the title of Wiener's "The Human Use of Human Beings" (subtitled "Cybernetics and Society") says, people have their own uses, and the use of people is to use and manage tools.

Second, the protection of personal information is becoming ever more important and needs to be governed by laws and regulations.

In the era of big data, everyone is both a data consumer and a data producer. The collection, flow and use of data bear on the security and interests of individuals, society and the state. In terms of personal information: the leakage of one person's information may directly affect personal privacy, social reputation or economic interests; the leakage of personal information in a local industry may give rise to cybercrime and social problems; large-scale leakage of personal information will cause wider public panic and endanger social stability; and the sensitive, cross-border, large-scale leakage of personal information directly concerns national development and security interests.

Relevant experts have long called for personal information legislation. China's Cybersecurity Law makes corresponding provisions on the protection of personal information, and many other laws and regulations also cover it, but they are scattered, and there is still room for improvement in systematization, consistency and operability. What is urgently needed now is personal information legislation that citizens, law enforcement and the judiciary can actually use, especially to solve the problems of difficult evidence collection, difficult litigation and difficult compensation.

European countries have had personal information protection measures in place for decades. With the growth of cross-border Internet trade, the EU and the United States also concluded the Safe Harbor agreement and its successor, the Privacy Shield agreement, to protect individual interests in cross-border information flows. The United States has also strengthened the protection of personal information and the control of information held by multinational companies, to meet the needs of both citizens and law enforcement. Personal information protection is therefore not merely a national problem but an international one that must be considered from a global perspective.

The governance of global information flows involves two levels: individuals and the state, and individuals and business. At the level of individuals and the state, the case in which Microsoft went to court against the U.S. government over its refusal to hand data stored overseas to U.S. prosecutors is an example. That case directly influenced and hastened the enactment of the Clarifying Lawful Overseas Use of Data Act (the CLOUD Act), which in turn triggered disputes among the parties concerned over data sovereignty, data control rights and related issues. At the level of individuals and business, especially once companies operate globally, the ease and capacity with which enterprises obtain information has to some extent surpassed that of government departments. How to keep the balance between business interests and individual rights is a question of responsibilities and rights, and of the fundamental principle of fairness. A business that obtains users' personal information must take on the corresponding responsibility to protect it, and here we have not done enough in policy supervision and industry guidance. Getting the degree of ownership or protection of personal information right can start from several aspects. First, the spirit of contract, the most basic constraint on business activity: before obtaining information, an enterprise must win the user's consent, warn of the corresponding risks in advance, and commit no intentional or unintentional deception. Second, business integrity: having obtained information, it must keep it safe. Third, legal constraints: the collection, processing, storage and use of personal information must comply with the relevant laws and regulations. Fourth, legal services: law enforcement departments, and especially judicial departments, should improve the trial system covering these matters, strengthen trial capacity, train more judges, prosecutors and lawyers, and safeguard the people's rights.

Third, the "black swans" and "grey rhinoceroses" of network security call for high vigilance and advance study.

Looking back at decades of information technology, it is not hard to see that we have walked the road of "development first, governance second" and have been controlled by others in core technology. For a long time network security work has had trouble escaping the predicament of repeatedly crying "wolf": because no fundamental or disruptive major incident has occurred, complacency and wishful thinking about network security are hard to avoid. Considering the ever deeper networking, informatization and digitization of life and the overlapping of many contradictions, we must remain highly vigilant against "black swan" and "grey rhinoceros" events in the development of network security and informatization. From Assange to Snowden to the WannaCry ransomware, "black swan" incidents in the network security community have never ceased. The challenge of individuals to state entities and of terrorist groups to one or more countries may cause global disasters; an accident may lead to large-scale network paralysis, and an attack may change the political landscape and thereby affect the course of social development. Such unexpected emergencies still need to be studied and judged in advance. Meanwhile, the "commonplace" phenomena that people worry about, such as large-scale data leakage, large-scale disconnection of critical infrastructure, the global spread of deadly computer viruses, and hacker attacks and network threats in general, may suddenly become the "grey rhinoceroses" that shock the world. For such incidents, too, we must have practical response plans and risk warnings.

(This article was published in China Information Security, 2018, issue 4.)
