How the process of discovering cyberattacks biases our understanding of cybersecurity

IF 3.4 1区社会学 Q1 INTERNATIONAL RELATIONS

Journal of Peace Research Pub Date : 2024-02-16 DOI:10.1177/00223433231217687

Harry Oppenheimer

{"title":"How the process of discovering cyberattacks biases our understanding of cybersecurity","authors":"Harry Oppenheimer","doi":"10.1177/00223433231217687","DOIUrl":null,"url":null,"abstract":"Social scientists do not directly study cyberattacks; they draw inferences from attack reports that are public and visible. Like human rights violations or war casualties, there are missing cyberattacks that researchers have not observed. The existing approach is to either ignore missing data and assume they do not exist or argue that reported attacks accurately represent the missing events. This article is the first to detail the steps between attack, discovery and public report to identify sources of bias in cyber data. Visibility bias presents significant inferential challenges for cybersecurity – some attacks are easy to observe or claimed by attackers, while others take a long time to surface or are carried out by actors seeking to hide their actions. The article argues that missing attacks in public reporting likely share features of reported attacks that take the longest to surface. It builds on datasets of cyberattacks by or against Five Eyes (an intelligence alliance composed of Australia, Canada, New Zealand, the United Kingdom and the United States) governments and adds new data on when attacks occurred, when the media first reported them, and the characteristics of attackers and techniques. Leveraging survival models, it demonstrates how the delay between attack and disclosure depends on both the attacker’s identity (state or non-state) and the technical characteristics of the attack (whether it targets information confidentiality, integrity, or availability). The article argues that missing cybersecurity events are least likely to be carried out by non-state actors or target information availability. Our understanding of ‘persistent engagement,’ relative capabilities, ‘intelligence contests’ and cyber coercion rely on accurately measuring restraint. This article’s findings cast significant doubt on whether researchers have accurately measured and observed restraint, and informs how others should consider external validity. This article has implications for our understanding of data bias, empirical cybersecurity research and secrecy in international relations.","PeriodicalId":48324,"journal":{"name":"Journal of Peace Research","volume":"56 1","pages":""},"PeriodicalIF":3.4000,"publicationDate":"2024-02-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Peace Research","FirstCategoryId":"90","ListUrlMain":"https://doi.org/10.1177/00223433231217687","RegionNum":1,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"INTERNATIONAL RELATIONS","Score":null,"Total":0}

引用次数: 0

Abstract

Social scientists do not directly study cyberattacks; they draw inferences from attack reports that are public and visible. Like human rights violations or war casualties, there are missing cyberattacks that researchers have not observed. The existing approach is to either ignore missing data and assume they do not exist or argue that reported attacks accurately represent the missing events. This article is the first to detail the steps between attack, discovery and public report to identify sources of bias in cyber data. Visibility bias presents significant inferential challenges for cybersecurity – some attacks are easy to observe or claimed by attackers, while others take a long time to surface or are carried out by actors seeking to hide their actions. The article argues that missing attacks in public reporting likely share features of reported attacks that take the longest to surface. It builds on datasets of cyberattacks by or against Five Eyes (an intelligence alliance composed of Australia, Canada, New Zealand, the United Kingdom and the United States) governments and adds new data on when attacks occurred, when the media first reported them, and the characteristics of attackers and techniques. Leveraging survival models, it demonstrates how the delay between attack and disclosure depends on both the attacker’s identity (state or non-state) and the technical characteristics of the attack (whether it targets information confidentiality, integrity, or availability). The article argues that missing cybersecurity events are least likely to be carried out by non-state actors or target information availability. Our understanding of ‘persistent engagement,’ relative capabilities, ‘intelligence contests’ and cyber coercion rely on accurately measuring restraint. This article’s findings cast significant doubt on whether researchers have accurately measured and observed restraint, and informs how others should consider external validity. This article has implications for our understanding of data bias, empirical cybersecurity research and secrecy in international relations.

查看原文本刊更多论文

发现网络攻击的过程如何使我们对网络安全的理解产生偏差

社会科学家并不直接研究网络攻击，而是从公开可见的攻击报告中得出推论。就像侵犯人权行为或战争伤亡一样，研究人员没有观察到的网络攻击也会缺失。现有的方法是要么忽略缺失的数据并假定它们不存在，要么认为报告的攻击事件准确地代表了缺失的事件。本文首次详细介绍了攻击、发现和公开报告之间的步骤，以确定网络数据的偏差来源。可见性偏差给网络安全带来了巨大的推论挑战--有些攻击很容易被观察到或被攻击者声称，而另一些攻击则需要很长时间才能浮出水面或由试图隐藏其行动的行为者实施。文章认为，公开报告中遗漏的攻击很可能与报告中浮出水面时间最长的攻击具有相同的特征。文章以 "五眼"（由澳大利亚、加拿大、新西兰、英国和美国组成的情报联盟）政府发动或针对其发动的网络攻击数据集为基础，增加了有关攻击发生时间、媒体首次报道时间以及攻击者和攻击技术特征的新数据。文章利用生存模型，展示了攻击与披露之间的延迟如何取决于攻击者的身份（国家或非国家）和攻击的技术特征（是否针对信息的保密性、完整性或可用性）。文章认为，缺失的网络安全事件最不可能由非国家行为者实施，也最不可能以信息可用性为目标。我们对 "持续参与"、相对能力、"情报竞赛 "和网络胁迫的理解有赖于对克制的准确测量。本文的研究结果让人对研究人员是否准确测量和观察了克制产生了极大的怀疑，并告诉其他人应如何考虑外部有效性。这篇文章对我们理解数据偏差、网络安全实证研究和国际关系中的保密问题都有影响。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Journal of Peace Research Multiple-

CiteScore

6.70

自引率

5.60%

发文量

期刊介绍： Journal of Peace Research is an interdisciplinary and international peer reviewed bimonthly journal of scholarly work in peace research. Edited at the International Peace Research Institute, Oslo (PRIO), by an international editorial committee, Journal of Peace Research strives for a global focus on conflict and peacemaking. From its establishment in 1964, authors from over 50 countries have published in JPR. The Journal encourages a wide conception of peace, but focuses on the causes of violence and conflict resolution. Without sacrificing the requirements for theoretical rigour and methodological sophistication, articles directed towards ways and means of peace are favoured.