The Emergence of the Cyber Militia

05/06/2012

By Richard Weitz

Despite the popularity of terrorist cyber attacks in the movies, nation states rather than non-state actors such as terrorist or criminal groups currently pose the greatest cyberthreat.

For example, the Crisis and Risk Network provides the following threat ranking, from most serious to least serious: (1) State-sponsored actors; (2) “Ideological and politically extremist” non-state actors; (3) “Frustrated insiders”; and (4) “Organized criminal agents” and “individual criminal agents.”

State-Sponsored Threats

The latest biennial economic espionage report from the National Counterintelligence Executive, issued in October 2011, publicly identified China and Russia as responsible for the most extensive illicit intrusions into U.S. cyber networks and the theft of U.S. intellectual property.

The U.S. Intelligence Community also sees the Chinese and Russian governments as having the most effective cyber military capabilities. Iran is also described as a major cyber threat to the United States, and was the focus of a recent congressional hearing on the issue.

According to DNI Clapper’s written statement on global threats, “foreign intelligence services (FIS) are constantly developing methods and technologies that challenge the ability of the US Government and private sector to protect US national security and economic information, information systems, and infrastructure. The changing, persistent, multifaceted nature of these activities makes them particularly difficult to counter.”

For example, they conduct “Cyber-Enabled Espionage” against U.S. Government agencies, businesses, and universities. “We assess that many intrusions into US networks are not being detected,” he warned. “Although most activity detected to date has been targeted against unclassified networks connected to the Internet, foreign cyber actors have also begun targeting classified networks.” In addition, foreign intelligence services were exploiting “Insider Threats” and “using their access for malicious intent,” a problem that “represent[s] one of today’s primary threats to US classified networks.”

Chinese and Russian military strategists have long perceived cyber operations as tactics integral to war.

They have expressed interest in developing asymmetric capabilities that would negate such U.S. military strengths as advanced information processing that provides American commanders with superior situational awareness. The latest U.S. Department of Defense Quadrennial Defense Review states that “There is no exaggerating our dependence on DoD’s information networks for command and control of our forces, the intelligence and logistics on which they depend, and the weapons technologies we develop and field.” Given the importance of information technologies in U.S. military operations, the ability to disrupt U.S. computer networks could cripple American defenses sufficiently to allow the People’s Republic of China (PRC) to conquer Taiwan before the United States could organize a coherent response.

A widely publicized cyber assault against Estonia in 2007 increased suspicions that adversarial states are using online malicious activity as a tool of national policy.

The Estonia attacks disrupted public and private information networks with massive denial-of-service attacks. Recent revelations of Chinese cyber-espionage activities against sensitive information networks in the United States, Germany, and other countries have further heightened concerns that the World Wide Web is becoming just another battlefield.

The Estonia attacks targeted the Web sites of banks, telecommunication companies, media outlets, and government agencies. They eventually forced Estonian network operators to block foreign Internet traffic to the affected sites. Many Web sites were shut down by distributed denial-of-service attacks, in which the attacker uses thousands of hijacked computers to bombard a Web site with useless requests until it is overloaded.
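The mechanism described above, many hijacked machines each sending a modest number of requests, leaves a signature that differs from a single abusive client, and the difference matters operationally: a per-IP rate limit stops the latter and does nothing against the former. The following Python is an added example written for this article, not code from the original page or from any Estonian operator. It buckets web-server access-log lines into fixed time windows per requested path and flags a window as a distributed flood when it contains both many requests and many distinct source addresses. The log lines are constructed for the example in Apache combined-log style (addresses from documentation ranges, dated to the 2007 incident for flavour only), and the thresholds are assumptions a defender would tune to their own baseline.

```python
"""Added example: telling a distributed flood from a single-source burst in
web access logs. The sample lines below are constructed, not real traffic."""
import re
from collections import defaultdict
from datetime import datetime

# Apache combined-log style: src ident user [timestamp] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return (epoch_seconds, source_ip, path, status) for one log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return int(ts), m.group("src"), m.group("path"), int(m.group("status"))


def detect_floods(lines, window_seconds=10, min_requests=30, min_sources=20):
    """Bucket requests by (path, fixed window) and flag overloaded windows.

    A window with >= min_requests is an alert; it is 'distributed' when the
    requests come from >= min_sources distinct addresses, otherwise
    'single-source' (the case an ordinary per-IP rate limit handles).
    Thresholds are assumptions for the example, not recommended defaults.
    """
    buckets = defaultdict(lambda: {"requests": 0, "sources": set(), "errors": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unparseable lines rather than crash on them
        ts, src, path, status = parsed
        b = buckets[(path, ts - ts % window_seconds)]
        b["requests"] += 1
        b["sources"].add(src)
        if status >= 500:
            b["errors"] += 1  # 5xx share is a cheap proxy for "the site is buckling"

    alerts = []
    for (path, start), b in sorted(buckets.items(), key=lambda kv: kv[0][1]):
        if b["requests"] < min_requests:
            continue
        n_src = len(b["sources"])
        alerts.append({
            "path": path,
            "window_start": start,
            "requests": b["requests"],
            "sources": n_src,
            "errors": b["errors"],
            "kind": "distributed" if n_src >= min_sources else "single-source",
        })
    return alerts


def build_sample_log():
    """Constructed sample: a little normal traffic, one single-client burst,
    then a 60-host flood against the front page. Not real data."""
    lines = [
        '203.0.113.10 - - [27/Apr/2007:10:00:01 +0300] "GET / HTTP/1.1" 200 5120',
        '203.0.113.11 - - [27/Apr/2007:10:00:03 +0300] "GET /news HTTP/1.1" 200 7100',
        '203.0.113.12 - - [27/Apr/2007:10:00:07 +0300] "GET / HTTP/1.1" 200 5120',
    ]
    # One client hammering /login: 40 requests over 10 seconds, one source.
    for i in range(40):
        lines.append(f'203.0.113.50 - - [27/Apr/2007:10:01:{i // 4:02d} +0300] '
                     f'"POST /login HTTP/1.1" 401 310')
    # Sixty distinct hijacked hosts each hitting / once within five seconds.
    for i in range(60):
        lines.append(f'198.51.100.{i + 1} - - [27/Apr/2007:10:05:{i // 12:02d} +0300] '
                     f'"GET / HTTP/1.1" 503 0')
    return lines


SAMPLE_LOG_LINES = build_sample_log()

if __name__ == "__main__":
    for alert in detect_floods(SAMPLE_LOG_LINES):
        print(alert)
```

Run stand-alone it prints two alerts: a single-source burst against /login (one address, 40 requests) and a distributed flood against / (60 addresses, 60 requests, all answered 503). Fixed windows are deliberately simple; a production detector would use sliding windows and compare against a learned per-path baseline rather than fixed counts, but the two-signal logic (volume plus source diversity) is what separates a botnet flood from one noisy client.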

For one bank, disruptions in cyberspace resulted in material losses of over $1 million after it was forced to shut down online services. At one point, telephone service for fire and rescue units was suspended for over an hour. Estonia’s defense minister described the attacks as “a national security situation… It can effectively be compared to when your ports are shut to the sea.” The Estonia attacks vividly testify to the disruptive power of a coordinated cyber offensive.

Chinese intentions also give cause for concern.

Senior defense analysts believe that China has undertaken a sustained effort to develop information warfare capabilities to achieve “electromagnetic dominance” over the United States and other potential competitors. Security experts believe that the Chinese government orchestrated a sophisticated cyber-espionage effort known as Titan Rain, which downloaded information from hundreds of unclassified defense and civilian networks.

In 2007, Der Spiegel alleged that Chinese programmers had placed spy software on computers at the Foreign, Economics, and Research and Development Ministries as well as on computers used by the Chancellery office.

Such Trojan horse programs can capture data from host computers and transmit the information to external operators. The immense scale of the Internet espionage operations suggests that they could not have occurred without the knowledge and at least the tacit support of an official Chinese entity.

Shortly after the Spiegel article was published, officials in Britain, France, the United States, and other countries indicated that they had found similar evidence of Chinese cyber-espionage campaigns. These include media reports of cyberpenetration of the U.S. Department of Homeland Security (DHS) and U.S. Department of Defense from Chinese-language Web sites.

China and Russia also have at their disposal a large number of “patriotic hackers”: non-governmental individuals with some computer skills who willingly launch cyberattacks against perceived adversaries.

Although the Chinese and Russian governments may hire some of these operators as cybersecurity experts, the many patriotic hackers who remain formally independent can wage cyberwarfare to support official policies while allowing their governments to deny responsibility for their actions.

Russian Duma Deputy Nikolai Kuryanovich lauded these “hacktivists” (politically active hackers) as Russia’s “information soldiers.” China also has at its disposal both official and quasi-official cyber assets. Joel Brenner, then the U.S. National Counterintelligence Executive, remarked that “[t]he Chinese operate both through government agencies, as we do, but they also operate through sponsoring other organizations that are engaging in this kind of international hacking, whether or not under specific direction. It’s a kind of cybermilitia.”

In its 2008 report, the U.S.-China Economic and Security Review Commission identified some 250 independent hacker groups based in Chinese territory. The report suggests that the Chinese government tolerates and even encourages these independent groups. The presence in both China and Russia of large criminal organizations that use cyberthreats to extort money from businesses or rent their computer resources (e.g., hijacked personal computers) for illicit purposes also provides another unofficial cyber tool for those governments.

U.S. cybersecurity analysts identify China and Russia as the leading sources of cybertheft of international intellectual property, primarily by means of installing malicious software (malware) and espionage programs (spyware) on foreign computers. Many patriotic hackers may freelance as cyber mercenaries, selling their skills to clients who might include government agencies.

Terrorist Groups

According to the Federal Bureau of Investigation (FBI), cyberterrorists have not engaged in direct attacks over the Internet seeking to inflict physical damage on their target, but they have launched numerous denial-of-service attacks and defaced websites. They also use the Internet to recruit members, radicalize followers and incite viewers to commit terrorist acts. “Thousands of extremist Web sites promote violence to a ready and a willing audience,” FBI Director Robert Mueller said in a recent speech. “They are posting videos on how to build backpack bombs and bio-weapons. They are using social networking to link terrorist plotters and plans.”

Analysts have also documented a steady increase in terrorists’ use of the Internet. In addition, transnational criminal organizations routinely conduct cyber operations including identity theft and fraud.

Other terrorist uses of the Internet include fund raising, intelligence collection, and using the Web to plan, coordinate, and control terrorist operations:

  • Wage psychological warfare by spreading disinformation, delivering threats to instill fear and helplessness, and disseminating horrific images. For example, the grisly murder of Daniel Pearl was videotaped by his captors and posted on several terrorist Web sites.
  • Create publicity and spread propaganda.
  • Gather intelligence. Details about potential targets—such as transportation facilities, nuclear power plants, public buildings, ports and airports—and even counterterrorism measures are available online. For example, the DHS maintains a password-protected online site called Tripwire, which provides information on how to counter improvised explosive devices (IEDs).
  • Fundraise. Many Islamic charitable organizations allow users to make a zakat contribution online. Some terrorist organizations use front companies and charitable organizations under their control to receive such donations.
  • Recruit and mobilize supporters through chat rooms, cybercafés, and bulletin boards.
  • Communicate and coordinate with their operatives and supporters. Two terrorist cells in Florida and Canada, which were recently disrupted, passed messages via the Internet.
  • Share information, such as how to manufacture and use weapons, such as bomb-making techniques.
  • Plan attacks. To preserve their anonymity, the 9/11 attackers used public Internet services and sent messages via free Web-based e-mail accounts.

The Internet offers terrorists certain advantages over more traditional means of communication and operation. These include easy access, low cost, little government control, potentially enormous domestic and foreign audiences, anonymous communications, rapid information exchanges, multimedia platforms, and the ability to influence other mass media that rely on the Internet for stories.

The Internet also gives terrorists tremendous operational flexibility. When extremist Web sites have been identified, hacked, or shut down by Internet service providers (ISPs), the terrorists have turned to chat rooms and message boards for communication. Their Web sites commonly disappear from and return to the Web. Al-Qaeda operatives post their messages and videos on Islamist forums. They wage “electronic jihad,” attacking “enemy” Web sites to harm the enemy’s morale and economic and military infrastructure. Many Islamist Web sites host discussion forums that discuss how to conduct such Web-based offensives.

Mike Theis, Chief, Cyber-Counterintelligence at the National Reconnaissance Office, sees a different form of non-governmental actor as the greatest potential cybersecurity threat—organized criminal syndicates.

Ira Winkler, founder and president of Internet Security Advisors Group, echoes Theis’s concern. He points to organized-crime groups’ sophistication and motivation, including their “performing intelligence and counterintelligence collection of their own to see what governments are doing to stop their efforts.”

Lone individuals are cited by several sources as posing the greatest cybersecurity danger. Futurologist Ian D. Pearson states “The increased power of smart individuals is more of a problem, especially in NBIC [nanotech, biotech, infotech, cognitive science] areas.”

Pearson adds that “Unabomber-style activity from inconspicuous people within a community is more of a danger than hostile states or terrorist groups.”