China Cyberspace Security Strategy and Implications // 中國網絡空間安全戰略思考與啟示

China Cyberspace Security Strategy and Implications  //



General Secretary Xi pointed out that no network security is no national security, no information will be no modernization. Internationally, the United States on security in cyberspace absolute dominance, they establish hegemony, rules, seeking advantage to control the world, to China’s cyberspace poses a severe challenge.
A US cyberspace security strategy revelation
(a) by the US cyberspace security “policy”, “plan” a national strategy to enhance
the United States in cyberspace is a strategic understanding of the development process. First released in 1998, Presidential Decree No. 63 (PDD63) “Clinton administration policy on critical infrastructure protection,” followed in 2000 issued a “national plan for the protection of information system v1.0”. The Bush administration immediately after the September 11, 2001 issued Executive Order No. 13231 “Information Age critical infrastructure protection,” and announced the establishment of “President Critical Infrastructure Protection Committee” on behalf of its government fully responsible for national security in cyberspace . And to study the drafting of a national strategy, in February 2003 formally issued “to protect cyberspace national strategy”, and posting confidential level No. 54 National Security Presidential Decree in 2008, set up a “comprehensive national cybersecurity plan,” the plan in the “Manhattan” (World War II atomic bomb) name, the specific content of the “Einstein” one, two, three composition, aimed at building the federal government and major information systems engineering protection, the establishment of a unified national security posture information sharing and command system.
(Ii) US cyberspace security strategy to further improve
in April 2008, President Bush issued a “44th president submitted the report to protect the network security space,” suggesting how the next US government to strengthen security in cyberspace.
February 2009, the Obama administration after a comprehensive demonstration, announced the “Cyberspace Policy Assessment – Ensuring credible and robust information and communications infrastructure,” the report, the cyberspace security threats as “the most serious faced by the national economy nationwide one of the challenges and safe country “and declared that” digital infrastructure will be considered national strategic asset, the protection of this infrastructure will be a priority of national security “, a comprehensive plan of strategic measures to defend cyberspace.
June 2009, US Defense Secretary Robert Gates issued an order formally establishing the United States “Cyberspace Command” to the harmonization of network security and protection of US forces to carry out cyber warfare and other military operations. The command part of the US Strategic Command, the preparation of one thousand, in May 2010, the US Cyber ​​Command officially start work.
(C) international and cyberspace war strategy
in May 2011, the White House cybersecurity coordinator Schmidt released in the United States “cyberspace international strategy”, its strategic intentions clear, namely to establish hegemony, rules, seeking advantage, control the world ; in July, the US Department of Defense released “cyberspace operations strategy” put forward five strategic measures for defending US interests in cyberspace, making the United States and its allies and international partners can continue to obtain from the innovation in the information age beneficial.
October 2012, Obama signed the “American Action Network Policy” (PDD21), the law gives the US military has carried out non-traditional combat power, clearly spread from network-centric warfare to cyberspace operations and the like.
In February 2013, Obama published Executive Order No. 13636 “Enhanced network security of critical infrastructure,” clearly states that the policy action to enhance the nation’s critical infrastructure and maintain environmental security and resilience.
In April 2013, Obama Ma Xiangguo submit “fiscal year 2014 defense budget priorities and select” proposed to 2016 reorganized into 133 network forces, including the national task force 68, combat task force 25, the network defense forces 40.
February 2014, the US National Institute for Standards and Technology “to enhance critical infrastructure cybersecurity” that “the United States critical infrastructure to enhance network security framework” (V1.0), emphasizing the use of business-driven network security operations guide, and four levels, the organization’s risk management process. According to different levels of network security risk points
of April 23, 2015, the Pentagon released a new version of network security strategy summary, the first public should cyberwarfare as a future military conflict tactical options, an explicit proposal to increase the US military deterrence in cyberspace and offensive capability.
Not only the United States in full swing and the implementation of international cyberspace war strategy, NATO cyberspace security framework, issued recently shows that there are currently more than one hundred countries in the world have a certain network warfare capabilities, the National Cyber ​​Security Strategy published up to as many as 56.
Thus, cyberspace has become after land, sea, air, space is the fifth largest sovereign area of space, but also the evolution of the international strategy in the military field, which is China’s network security posed a severe challenge, we should actively respond, accelerate the construction of network security system, to defend our national sovereignty cybersecurity.
Second, build the active defense technology security system
(a) immunity trusted computing architecture
computer architecture now used in the design calculation when only the pursuit of speed and no safety factor, such as the difficult task of isolating the system, no memory protection, cross-border, this led directly to the presence service network computing environment, a large number of security issues, such as source configuration can be tampered with, it is implanted malicious programs executed by using a buffer (stack) overflow attacks, illegally take over the system administrator permissions.
Trusted Computing is the result of the development of information science, is a novel immune trusted computing model.Trusted computing using parallel computing and defense dual architecture, at the same time to obtain the computation of security protection, so that the calculation result is always as expected, can be measured to calculate the full control, it is not disturbed.
Compare current most network security system, which is mainly by a firewall, intrusion detection and virus prevention and other components, known as the “third kind.” The image of that, these passive blocking killing is a temporary solution, and trusted computing to achieve active immunization computer architecture, and human immunodeficiency as timely identify “self” and “non-self” ingredients, thereby undermining and exclusion of harmful substances into the body, so that there are shortcomings and gaps being exploited by attackers. .
Cloud computing, big data application of new information technology, networking, industrial systems, mobile Internet, virtual dynamic heterogeneous computing environment requires credible immune system as its base support. Construction of triple protection framework trusted security management center security system can be supported by the structure, to ensure operation behavior, resource allocation, data storage cartridge policy management credibility, the attacker reached the entrance, an unauthorized person can not get vital information, theft Confidential information can not read, can not tamper with systems and information system paralysis not work and can not afford to rely on aggressive behavior of protective effect, if there is credible mechanism, “shock web”, “flame”, “heart blood” and other malicious code may since kill off.
(Ii) China Trusted Computing technology innovation
China Trusted Computing in 1992 and officially approved research and large-scale application early (TCG, established in 2000) in the international Trusted Computing Group.
TCG Trusted Computing research program found that the system problems are: (1) the limitations of cryptography: TCG public key cryptography algorithm using only the RSA, SHA1 hash algorithm only supports series, avoided symmetric cryptography, the resulting key design management, key migration and complicated licensing agreement, but also a direct threat to the security of passwords; (2) the system structure is irrational: TPM calls TCG plug is a passive architecture, dynamic initiative measure can not be performed.
China Trusted Computing over a long period of research, not only to solve the above problems TCG, but also the formation of independent innovation system, its innovative points include:
(1) Trusted Computing Platform password innovative programs
using national self-designed algorithm, credible computing a cryptographic module (TCM), with symmetric cipher and asymmetric cryptography combined system, improve the safety and efficiency; dual certificate structure, simplify certificate management, improved usability and manageability of.
(2) trusted platform control module innovation
presented trusted platform control module (TPCM), TPCM self-control as a trusted root node implant trusted source, be trusted root control functions on the basis of TCM, realized with a password based active control and measurement; TPCM prior to startup of the CPU and BIOS to verify, thereby changing the TPM as the traditional idea of passive devices, to achieve TPCM active control of the whole platform.
(3) a credible innovation board
increase in the amount of confidence in the board trusted platform node (TPCM + TCM), plus a host constitutes a credible two-node, to achieve trust transfer of the operating system, providing reliable hardware environment for the upper platform ; implementation of hardware control bus credible level of peripheral resources, power on the CPU front of the Boot ROM TPCM initiative to measure, so that in the chain of trust “powered first time” to start building; and the use of multi-metric agent establishes a chain of trust for dynamic and virtual measures to provide support.
(4) a credible basis to support innovative software
using host-based software system + double trusted software system architecture ,, trustworthy software group is the Trusted Computing Platform Trusted capabilities to achieve the credibility of all software elements, the host software The system provides active protection of the credibility of the amount of storage, and reporting.
(5) Trusted Network Connect innovation
based on three ternary and other trusted connection architecture, access requester, triple control and identification and access control policies arbiter between; ternary centralized management, improve infrastructure security and manageability; and access requester and the access controller to achieve a unified policy management, improve the system overall credibility.
(Iii) core technology controlled by others to solve the problem
(1) China Trusted Computing industrialization conditions are met. “Long-term Scientific and Technological Development (2006-2020)” made ​​it clear “to the development of high trusted network focusing on the development of network security technology and related products, the establishment of network security technology security system”, “five” plan works trusted computing project regarded as the focus of development, the trusted computing standard series of progressive development, and study of more than 40 units, more than 400 participants, the standard of innovation have made ​​technology validation, to declare more than 40 patents. Many units and departments have developed a chip, machine, software, and network connections and other trusted components and equipment in accordance with relevant standards, and has been effectively used in critical systems in the national grid scheduling. April 16, 2014, established the Zhongguancun Trusted Computing Industry Alliance, and vigorously promote the industrialization and marketization.
(2) laying the foundation for the comprehensive alternative to foreign products. April 2014, Microsoft stopped support for Windows XP Service country about 200 million running XP operating system, the terminal will face a situation of no service; and Windows 8 and Vista (2006 Government procurement is not clear) is the same architecture, Windows8 upgrade is not only costly, but also lose control over security and the secondary development rights. Trusted computing innovation reinforcement XP system can easily upgrade existing equipment as a trusted computer system, a credible alternative service patching services, applications do not change the system, to facilitate the application.
Based on open source technology to develop independent operating system is a realistic option. After 20 years of research, we have accumulated considerable reserves in the operating system and key technologies, which is a breakthrough in technology accumulation mainly based on the open source operating system made. From the perspective of inheritance, we need to select the source as a technical route; from a development perspective, the current is too late to re-encode the formation of a completely new operating system, you want to share the wealth of human knowledge, open source is still a realistic option. Independent innovation is not blocking them out safe, but to fully inherited and developed.
To achieve the “five may” “have a”:
understood: open source system to fully grasp the details, there can be confusion unknown code;
editable: should be based on open source code understood completely customize the code;
Reconfigurable: for specific application scenarios and security requirements, based on open source code refactoring, forming a customized new architecture;
credible: to strengthen the independent operating system immunity with trusted computing technology to prevent autonomous system vulnerability system security;
available: applications and operating system to do the adaptation, ensuring independent operating system to replace foreign products.
We have independent intellectual property rights: to own intellectual property rights on the final autonomous operating system, and deal with intellectual property issues are using open source technologies. GPL open source technology to be bound by the agreement, our country based on existing open source operating system has not encountered significant intellectual property disputes, but just because there is no large-scale application of these systems, once I customize the operating system form a climate, will face challenges in this regard.
Meanwhile, in the process of implementation of the localization of alternative strategies, the trusted protection system fully supports localization of hardware, software, although there are more domestic product defects and loopholes can make credible security flaws and vulnerabilities will not be attacked use ensure more secure than foreign products, localization is self-controlled, safe and reliable escort.
  Faced with increasingly severe international cyberspace situation, we should be based on national conditions, innovation-driven, solving the kinds of problems. Adhere to defense in depth, to build a strong network security system, to build China into a world power network security and work hard!

Original Mandarin Chinese:


2009年6月,美國國防部長羅伯特.蓋茨正式發布命令建立美國“網絡空間司令部”以統一協調保障美軍網絡安全和開展網絡戰等軍事行動。該司令部隸屬於美國戰略司令部,編制近千人, 2010年5月,美國網絡司令部正式啟動工作。
2013年4月,奧巴馬向國會提交《2014財年國防預算優​​先項和選擇》提出至2016年整編成133支網絡部隊,其中國家任務部隊68支,作戰任務部隊25支 ,網絡防禦部隊40支。
對比當前大部分網絡安全系統,其主要是由防火牆、入侵監測和病毒防範等組成,稱為“老三樣”。形象的說,這些消極被動的封堵查殺是治標不治本,而可信計算實現了計算機體系結構的主動免疫,與人體免疫一樣,能及時識別“自己”和“非己”成份,從而破壞與排斥進入機體的有害物質,使有缺陷和漏洞不被攻擊者利用。 。
在可信平台主板中增加可信度量節點(TPCM+TCM),構成了宿主加可信的雙節點,實現到操作系統的信任傳遞,為上層提供可信硬件環境平台;對外設資源實行總線級的硬件可信控制,在CPU上電前TPCM主動對Boot ROM進行度量,使得信任鏈在“加電第一時刻”開始建立;並利用多度量代理建立信任鏈,為動態和虛擬度量提供支撐。
(1)中國可信計算產業化條件具備。 《國家中長期科學技術發展(2006-2020年)》明確提出“以發展高可信網絡為重點,開發網絡安全技術及相關產品,建立網絡安全技術保障體系”,“十二五”規劃有關工程項目都把可信計算列為發展重點,可信計算標準系列逐步製定,研究制定單位達40多家,參加人員達400多,標準的創新點都作了技術驗證,申報專利達40多項。不少單位和部門已按有關標準研製了芯片、整機、軟件和網絡連接等可信部件和設備,並在國家電網調度等重要係統中得到了有效的應用。 2014年4月16日,成立了中關村可信計算產業聯盟,大力推進產業化、市場化。
(2)為全面替代國外產品打基礎。 2014年4月微軟公司停止對Windows XP的服務支持,全國約2億台運行XP操作系統的終端將面臨無人服務的局面;​​而Windows 8和Vista(2006年政府明確不採購)是同類架構,升級為Windows8不僅耗費巨資,還會失去安全控制權和二次開發權。利用自主創新的可信計算加固XP系統可以方便的把現有設備升級為可信計算機系統,以可信服務替代打補丁服務,應用系統不用改動,便於推廣應用。

Original Source: X


Leave a Reply

Your email address will not be published. Required fields are marked *