Reverse Deception: Organized Cyber Threat Counter-Exploitation (106 page)

Micro- and Macro-Level Analyses

We’ve taken a brief look at one example of how profilers and analysts might analyze more macro-level phenomena such as shifts in the social structure of the hacking community. But why would this effort be useful?

Part of the answer lies in the fact that these more macro-level forces do have more micro-level consequences. Understanding how certain dimensions of the social structure of the hacking community are changing can provide profilers and analysts with an important contextual foundation on which to place their more micro-level profiling efforts. It gives the profiler the advantage of understanding the bigger context within which individual actors and groups are operating. This can contribute significant additional insight and give meaning to attitudes and behaviors that the profiler or analyst is observing in a specific situation, which in turn can color the interpretations and conclusions that come as a result of some specific investigation.

There are also advantages to taking into account both macro- and micro-level social forces in the area of proactive investigations/actions where an analyst/investigator may need to assume the role of a malicious online actor. Understanding the social norms and values of the larger community as a whole can help investigators and analysts better frame their attitudes and behaviors so as to lessen the chance of violating social norms or holding values that lie outside the normative definitions of the community they are supposed to be joining. In turn, this significantly reduces the probability that they will be exposed.

Secondly, studies like the one in the hacking community social structure example provide the analyst with clues to the direction of longer-term trends within the community that might not otherwise be observable from a more micro-level analysis. Changes in these more macro-level structures can suggest that there are as yet unidentified events or actors whose occurrence or actions are affecting the hacking community or the cyber criminal underground in ways that might be obscured or difficult to observe from the analysis of individual-level data alone.

The value these kinds of studies and information bring to the analysis environment can be substantial. However, the number of macro-level studies of the hacking community or the cyber criminal underground is at present fairly limited. One exception to this observation is in the area of the carding
¹⁰
communities. Researchers have expended some larger than normal efforts to better understand the macro-level forces in that particular subculture.
¹¹

We hope that one of the benefits of the discussions in this chapter is that more analysts and social scientists will become interested in conducting research with the objective of producing a better understanding of the hacking and cyber criminal communities and their subcommunities at all levels of analysis.

The Rise of the Civilian Cyber Warrior

Finally, let’s take a brief look at the emergence of the civilian cyber warrior. In order to understand the significance of this phenomenon, it is necessary to briefly examine the nature of the power relationship between the nation-state and the individual. This topic is most certainly not new; it has been discussed at length by a number of philosophers and social scientists.
¹²
However, in the past few years, the psychological balance of power between these two entities has begun to shift.

An example may help illustrate this point. Imagine in the era before the Internet, a person we’ll call John is living in his home country, which we’ll call Country A. John feels that the government of Country B committed some act that he considers immoral. What is John to do? Well, he could write a letter to the president of Country B and tell the president that the country had done a bad thing and should stop doing it. What’s the likely outcome of this effort? Probably nothing would change.

So now John decides to go to Country B’s embassy in a nearby city and protest along with some other people. What’s the outcome of this action for John? Likely, it would be arrest and/or a quick whack with a police baton.

Finally, John withdraws his life savings from the bank and travels to Country B. There, he purchases some explosives and plans to blow up some building or other facility. What’s the likely outcome here? John will be arrested before he has the opportunity to carry out his plot, and he will spend a long time in prison. Or, John may die in an explosion when attempting to attack the target at hand. The likely result is that John will end up with a very negative outcome and fail at his objective at very great personal cost.

Now fast-forward to current times with the easy availability of the Internet. A person from Country A, who we’ll call Mary, is angry at the policies of Country B. She walks into her bedroom, turns on her computer, and begins to search for critical national infrastructure facilities in Country B that might be vulnerable to cyber attack. She selects a target, and then begins the slow reconnaissance, preparation, and deployment of an APT. At the appropriate time, she unleashes this threat and disables or seriously damages the critical national infrastructure element.

The Balance of Power

For the first time in history, individuals have a pathway to effectively attack a nation-state.
¹³
This opportunity represents a dramatic shift in the power relationship between the nation-state and the individual. To some extent, the awareness of this opportunity has been available within some elements of the hacking community for a number of years. The famous 1998 incident where Mudge from the hacker group L0pht told congressional leaders that he could take down the Internet in 30 minutes is one example of the existence of that awareness early on.

This issue of the change in the balance of power between the nation-state and the individual is becoming a more encompassing concern as the salience of this shift diffuses and spreads through the hacking community and beyond. One interesting evolving scenario involves the rise of hacking gangs in China and their shadowy, informal, semiofficial, or even formal relationships with various entities within the Chinese government The focus here is on the power relationship between these private hacking groups and the Chinese nation-state.

As Chinese hacking groups proliferate and become more proficient, they are beginning to amass instruments of power and prestige. These instruments may take a number of different forms. They may take the financial form of stolen credit cards, bank accounts, and actual funds withdrawn from companies and organizations in other countries. These assets may also take the form of sensitive documents containing valuable intellectual property and trade secrets, as well as sensitive documents extracted from government or military websites. These assets allow Chinese hacking gangs to enhance their power through the purchase of additional hardware, network access, and the skills of other individuals. The gangs also receive protection from local, regional, and even national-level authorities through the deployment of these assets in the form of the handover of secret documents or dispersal of bribes or other illicit payments.

Perhaps an even more serious facet of this phenomenon is the development by these Chinese hacking gangs of very sophisticated and powerful software tools and malware that allow them to continue to collect ever-increasing amounts of these assets. These tools are in and of themselves assets that have the potential to shift power relations between nation-states, as well as between the nation-state and the individual. In the case of nation-state to nation-state, shifts in the balance of political and military power can, in part, be facilitated by the extraction and exfiltration of secret government and military data and documents from foreign countries to the Chinese government. This may take place through various methods. The hackers may be employed or conscripted into government service so cyber attacks on sensitive organizations in other countries may be directly carried out by these individuals. In other cases, the Chinese hacking gangs may be obtaining information of this nature through their own initiative, and thus contributing to shifts in political, economic, and military power between China and other nation-states.

Even more interesting are the potential shifts in the power relationships between the nation-state and the individual. This is of particular interest in places like China, where a strict authoritarian form of government attempts to tightly control certain aspects of civil society, including rights to free speech, constrained economic determinism, access to the political process, and access to news and information. One potential outcome of the accumulation of financial assets is the use of these assets by Chinese hacking gangs to gain political and economic power within local regions of China. Expending these assets intelligently, such as by bribing or suborning local authorities, could conceivably expand the power base from which the private hacking gangs operate.

At the extreme, the strategic use of these malicious software tools and malware against Chinese industrial, governmental, and military infrastructures is conceivable. This potential ability could significantly shift the power relationships between individual and nation-state in the case of China. So, how real might this potential scenario be? The answer to that question is certainly not obvious. Several significant factors could effectively limit or possibly completely negate any potential shifts in power between the individuals that make up these hacking gangs in China and the Chinese government apparatus.

The first factor is the authoritarian nature of the Chinese government itself. The Chinese government has broad, sweeping powers over its populace. For example, the Ministry of State Security is involved with both foreign and domestic intelligence matters. The Ministry of State Security has wide latitude in pursuing activities and individuals who are deemed subversive or a threat to the state. In addition, China’s legal system is still tightly linked to committees within the Communist Party’s Central Committee (Cohen, 2011) and thus so-called subversive crimes committed against the state are likely to be harshly punished.

A second factor that probably has a strong inhibiting effect on the exercise of economic, political, and technical power by Chinese hacking gangs against the Chinese government is the high level of nationalism and nationalistic pride that many Chinese citizens, including members of Chinese hacking groups, exhibit. These nationalistic feelings among members of Chinese hacking groups often visibly surface during heightened tensions between China and other nations resulting from a specific incident or event. One example is the 2001 Hainan incident, where a US reconnaissance aircraft collided with a Chinese fighter aircraft, and the US aircraft was forced to land in Chinese territory. Chinese hackers attacked a number of US government websites, including that of the White House. Another incident was the accidental bombing of the Chinese embassy by NATO forces in 1999, which led to US government website defacements.
¹⁴

Finally, we must assess the potential enlistment of larger segments of the population into attacks against the nation-state’s critical infrastructures. Historically, the focal actor for attacks on the nation’s infrastructure has been limited to highly skilled members of the hacking community, terrorists, and, to some extent, cyber criminals. The ongoing shift in the nation-state versus individual power balance, however suggests that this set of focal actors is likely to expand to include other segments of the population. For example, in early February 2010, the Chinese government raided and shut down a “hacking academy” whose objectives were to educate its members in cyber attack methods and facilitate the distribution of malware. There were more than 12,000 members of this hacking academy when it was raided.

Potential Civilian Cyber Warrior Threats

The preceding discussion brings focus to the research question: Given the ready availability of the skills or tools necessary to launch a cyber attack against a nation-state, under what circumstances would people outside the usual focal actor set feel impelled to act? Would individuals from the general population be willing to attempt cyber attacks, and if so, what level of damage might they inflict? This discussion also includes the potential for domestic terrorism cyber attacks against domestic critical infrastructures. To date, there appears to be a paucity of research that addresses these particular issues.

One research study investigating this potential new threat involves assessing the likelihood that individuals would use either physical or cyber attacks to punish a foreign nation-state or their own homeland for acts of aggression against their country or their own citizens. A study currently under way by Holt and Kilger examines the magnitude or severity of a physical or cyber attack that individuals would carry out against a foreign country or the country they consider their homeland (Holt and Kilger, 2011). Multivariate statistical models from the study examine the potential effects of a number of variables on the severity of attack. Respondents in the study include both US and foreign students at a Midwestern US university. Some of the independent variables in this study are gender, age, advanced computer skills, software or media piracy, homeland,
¹⁵
out-group antagonism, and emotional ties to their homeland (such as feelings of nationalism).