
Cyber Counterinsurgency—A Path Forward

The cyber ecosystem is under relentless attack, increasing in intensity, volume, severity and sophistication. Everyone thinks they have a plan against this threat, but the reality is that security is never 100 percent and attackers always have the advantage—no technology, system, solution, or plan can give peace of mind. When a vital means of communication is jeopardized, when the government can’t even protect itself, and the very fabric of our society is threatened, it’s time for drastic action – an offensive mindset, a cyber counterinsurgency.

Fragile Ecosystem, Insufficient Capabilities

Information Security Forum (ISF), a risk management advisory, predicts a bleak threat landscape over the next two years, driven by over reliance on fragile connectivity, loss of trust in the integrity of information, and the erosion of controls by regulations and technology.[1] The impact of cyber threats is alarming:

  • Malicious cyber activity will cost businesses at least $400 billion globally;[2]
  • The FBI estimates that ransomware, the cyber-extortion threat, will cost businesses and consumers $1 billion;
  • Companies discover breaches 146 days after being compromised—more than enough time for attackers to steal, exfiltrate sensitive data, do damage to network systems, or worse.[3]

While very capable institutions exist, they are primarily the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), the British Government Communications Headquarters (GCHQ), and Sweden’s Forsvarets Radioanstalt (FRA), all of which have advanced cyber-surveillance capability.[4] These and other agencies share information:[5]

  • Computer Emergency Response Teams in the US and UK cooperate to address cyber threats, manage cyber incidents, and collaborate to protect critical infrastructure;
  • The FBI and NSA work with GCHQ and the British Security Service (MI5);
  • Five Eyes, in existence since World War II, is a collaboration between Australia, Canada, New Zealand, Great Britain and the USA, and now includes other countries in an alliance focused on terror surveillance;
  • J-CAT, the Joint Cybercrime Action Taskforce, focuses on cybercrime in the EU and beyond – composition includes the EU Member States (Germany, France, others) and non-EU law enforcement partners in Australia, Canada, Colombia and the United States, which is represented by the Federal Bureau of Investigation and the Secret Service;
  • Japan since late 2014 has been cooperating with Europe on cybersecurity matters focused on critical infrastructure and cyber threats in preparation for the Tokyo 2020 Olympics.[6]

Yet businesses and consumers continue to be outmaneuvered by more adept cyber criminals. Last year, in the largest bank heist in history, hackers linked to North Korea used poached credentials to steal $81 million (U.S.) from the Bangladesh Central Bank.[7] In May that year, 100 thieves stole ¥1.8 billion (U.S. $18 million) from 1,400 ATMs in Japan during a three-hour coordinated crime spree.[8] Cyber issues are most severe in the Asia region, where a lack of awareness and a legacy of underinvestment persist. But cyber threats are geographically agnostic and lack of awareness is commonplace, leaving public and private institutions globally unprotected. Exploits are becoming ever more sophisticated, with criminal and nation-state actors often indistinguishable from one another. Witness the ransomware variant WannaCry, which wreaked havoc last May and hit 200,000 computers worldwide. North Korean sleeper cells are suspected, in which hackers, employed as legitimate software programmers in neighboring countries, take cyber assault instructions from Pyongyang. This revelation shouldn’t come as a surprise, as North Korea has a history of engaging in state-sponsored criminal activity—last year the U.S. Treasury blacklisted North Korea for money laundering.

PricewaterhouseCoopers, a business consultancy, states cybercrime is the second most reported economic crime experienced.[9] Banks are spending a lot of money on protection—J.P. Morgan’s cybersecurity budget going into 2016 was $500 million and Bank of America states its cybersecurity budget is unconstrained.[10] But large budgets don’t equate to cybersecurity. An intrusion last year at Verizon exposed 1.5 million customer records.

Hackers, How Many?

Up to 1 percent of internet users may be involved in malicious cyber activities. Cybersecurity provider Akamai states that two-thirds of distributed denial of service (DDoS) cyberattacks originate in ten countries.[11] Symantec, another provider, says these and 13 more countries, for a total of 23 countries, are home to the worst cyber offenders, responsible for two-thirds of all malicious Internet activity.[12] The motives and targets of malicious activity are most closely aligned to organized crime and hacktivists (groups who seek political or social change). The damage hacktivists perpetrate makes them legally indistinguishable from profit-seeking criminals. This collective group and their criminal activity are responsible for most malicious cyber activity—malware, phishing, and extortion schemes using ransomware and DDoS.[13]

The FBI states the odds of a criminal getting caught in the United States are approximately 1 in 5.[14] Applied to the 0.7 percent incarceration rate in the US, 693 per 100,000 people, the second highest global incarceration rate, the criminal population may be five times higher, or up to 3.5 percent of the US population.[15] Since FBI crime statistics are credible, represent crime in ethnically and racially diverse geographical areas, and every country has a criminal element (either incarcerated or inclined to commit crimes), it is not a stretch to say up to 3.5 percent of the global population are either criminals or have criminal tendencies.

Since malicious/criminal behavior is no less prevalent online, up to 3.5 percent of Internet users may be engaged in cyber-enabled crime such as malicious hacking, fraud, the purchasing of illegal drugs, and child sexual exploitation. Britain’s National Crime Agency states that the average hacker age is 17.[16] This age falls in the 15-24 age group, which represents 26.5 percent of internet users.[17] By extrapolation, malicious hackers may account for up to 0.9 percent of internet users.

According to the Diagnostic and Statistical Manual of Mental Disorders (DSM-5), the definitive diagnostic reference for mental health practitioners, antisocial personality disorder is “a pervasive pattern of disregard for and violation of the rights of others…as indicated by repeated lying, use of aliases, or conning others for personal profit or pleasure…lack of remorse, as indicated by being indifferent to or rationalizing having hurt, mistreated, or stolen from another.”[18] Malicious or criminal behavior fits the DSM-5 antisocial personality disorder (ASPD) profile. ASPD may run as high as 5.8 percent in men and 1.9 percent in women.[19] With men and women representing 53 percent and 47 percent respectively of global internet users, it is estimated that up to 4 percent of internet users have ASPD. Considering the average hacker age, it is estimated that up to one percent of internet users may be malicious hackers, a finding which approximates the previous 0.9 percent.[20] Consequently, approximately 24 million internet users may be causing two-thirds of all malicious hacking.

Malicious internet activity is a global problem. What sets it apart from ordinary criminal activity, and why a global call for action is needed, is that hacking undermines trust and the way society communicates, and digital communication is now foundational to a functioning society. What then is the path forward? What can be done?

Cyber Counterinsurgency – A Path Forward

Insurgents and malicious hackers share common characteristics: their actions are those of the weak against the strong, and they advance through subversion. While most insurgencies fail, they have been growing more successful since 1945, partly because insurgents have learned how to control the narrative and play on public opinion.

Barely a day goes by without some hacking headline, giving businesses and individuals nervous pause over whether they are the next target. As evidenced by present conflicts in Syria, Iraq, Libya, and Yemen, nationalist opposition movements are no longer cohesive, fragmented by competition among multiple groups, weak organizational structures, and the sharing of power. As a direct consequence, conflicts have become more violent and complicated because groups are pitted not only against the state, but also against each other. Cyberspace is fragmented as well—it is estimated there are over 6,000 hacking groups, loosely but non-cohesively associated on the Dark Web. Ransomware strikes one in five businesses, yet one in four who pay the ransom never get their data back. Those hackers who don’t return data when paid undermine fellow hackers who stick to the business model. This unpredictability is why the FBI tells individuals and businesses not to pay ransom. The similarities also suggest why a counterinsurgency campaign would be effective against malicious hackers and the best way forward to restore stability in cyberspace.

Counterinsurgency operations over the last 70 years, particularly the lessons learned from the Malayan Emergency (1948-1960) and most recently the US involvement in Iraq and Afghanistan, suggest that the solution involves more than security operations alone. Purely security measures will not work, as that approach requires the willingness to apply extreme measures, which would be viewed as repressive when applied to a 17-year-old hacker. A more circumspect approach is needed to reestablish lasting stability and trust between Internet parties: a comprehensive approach to marginalize and ultimately co-opt the ability of hackers to subvert the internet. The strategy is a combination of security, political, social, and economic measures:

  • Establish and maintain internet security;
  • Coordinate judicial, business and civil resources and institutions against malicious hackers;
  • Foster political and social change;
  • Promote effective governance;
  • Provide essential services;
  • Aggregate and disseminate unified intelligence;
  • Achieve legitimacy.

The framework for increased government cooperation already exists with J-CAT, the Joint Cybercrime Action Taskforce, which currently focuses on:

  • High-tech crimes including malware, botnets and intrusion;
  • The facilitation and enablement of crimes (bulletproof hosting, counter-antivirus services, infrastructure leasing and rental, money laundering, including virtual currencies);
  • Online fraud (online payment systems, carding, social engineering);
  • Online child sexual exploitation.

J-CAT’s revised objectives would focus on cyber counterinsurgency, with the capability to infiltrate the 6,000+ hacker groups thought to be in existence. Coordinating White Hat hackers, computer experts who specialize in network penetration testing to protect an organization’s information systems, J-CAT would surveil malicious hackers online, on the Dark Web, and in chat forums. Surveillance raises privacy issues in some countries, but abuse can be minimized by an effective and independent governance body with representation from the EU’s GDPR, the U.S. Federal Communications Commission (FCC) and the equivalents of other countries as necessary.

The size of the counterinsurgency force is debatable, but there is precedent. One counterinsurgent per 357 in a population in a peaceful situation and one per 40 in hostile environments is generally accepted as the minimum.[21] The most recent U.S. lesson in Iraq provides guidance, particularly on what not to do. Despite quickly defeating Iraqi military forces, the United States never adequately planned for the occupation of Iraq, and its presence was never large enough to maintain civil order. Decisions to disband the Iraqi Army and the de-Baathification of the government were incredibly misguided and contributed to subsequent chaos. U.S. forces never approached a 1 to 40 counterinsurgent-to-population ratio. With loyalties divided along ethnic lines and despite sizeable numbers, Iraqi Security Forces were never a competent or cohesive force under the divisive leadership of Prime Minister Nouri al-Maliki (2006-2014). These issues, as well as lack of governance and nepotism, continue to negate the effectiveness of Iraqi Security Forces.

In direct contrast, Winston Churchill was quick to grasp the counterinsurgency challenges Britain faced during the Malayan Emergency (1948-1960). In one of his first actions as Prime Minister (1951-1955, his second time), he appointed General Sir Gerald Templer with greatly expanded command and control authority to defeat the Chinese Communist guerrillas. Recognizing that outside assistance was one of the most important factors in the success of the Chinese insurgency, Templer systematically cut off their lines of supply by creating security zones around population centers, denying the guerrillas food and support, and through isolation starved the guerrillas into surrender. Templer recognized that a scorched-earth policy, particularly chasing insurgents in “search and destroy” missions, could breed resentment and create sympathies even within the greater non-Chinese population. Instead, Templer deployed “clear and hold” operations and population-centric (“winning the hearts and minds”) tactics, which remain the basis of a successful counterinsurgency strategy. In contrast to the US involvement in Iraq, security forces were very visible during the Malayan Emergency and amounted to one member for every 16 civilians (Figure 6). It also helped that the Chinese guerrillas had limited support among the Malay population (55 percent Malay, 35 percent Chinese, 10 percent Indian in 1957[22]) and that Malays firmly supported the government, including by enlisting heavily in the security forces.[23]

Would a ratio of 1 to 357 J-CAT personnel to malicious hackers be necessary? Likely not, since surveillance automation and data aggregation tools can be effectively employed, requiring fewer people for surveillance operations.

J-CAT would work closely with national courts to prosecute offenders. The International Court of Justice in The Hague, the principal judicial body of the United Nations, would provide the framework for prosecution and sentences. First-time offenders with an otherwise clean record might be required to perform community service and/or be subject to social services intervention and outreach services. Repeat offenders would be subject to proactive policing, including some or all elements of identification, monitoring, loss of privacy and freedom of movement. Humans are social animals, and ostracism (accompanied with a corrective path forward) has a powerful impact on modifying behavior. Ostracism includes public shame and the revocation of civil privileges such as driver’s license, voting, and access to public services. Since outside assistance remains one of the most important determinants of a successful insurgency, isolation or removal of outside assistance has been shown to be extremely effective in waging a counterinsurgency.

In co-opting malicious hackers, J-CAT should work with authorities to mandate that businesses abide by minimum standards for information security. WannaCry ransomware, a weaponized exploit hacked from the US National Security Agency, infected over 200,000 computers in 150 countries on May 12, 2017. Since email is the primary delivery mechanism for this type of exploit, email filtering services should be prescribed, with costs offset by giving businesses tax credits for compliance. More importantly, every business should have an end-user awareness program to promote safe behavior online. Stop-Think-Connect (www.stopthinkconnect.org) is a global online safety awareness resource which already provides guidance to organizations on how employees can become vigilant online.

In combination with proactive policing, J-CAT would work with outreach and intervention programs such as Health and Human Services. Civic institutions that serve as community anchors should be included—churches, synagogues, and mosques. That the WannaCry exploit was hacked from the NSA in 2016 and the NSA did nothing to disclose its release is a political debacle of the first order. At the very least, J-CAT would be informed of such incidents when they occur. Its resources might be able to track down the hackers. Counterinsurgencies need to change the status quo; otherwise they rarely succeed.

Legitimacy, the right and acceptance of authority and of exercising power, is critical to achieving a successful counterinsurgency. Consequently, J-CAT and authorities need to carefully manage public opinion and reinforce the belief that their actions against malicious hackers are appropriate uses of power vested by legally established governments. Excessive use of power can undermine legitimacy, as was the case when British troops burned 30,000 Boer farms and slaughtered 3.8 million sheep during the South African Boer War (1899-1902). Britain’s subsequent public embarrassment was not lost on Churchill, who covered the Boer War as a correspondent. Fifty years later, as Prime Minister, he would not make the same mistake during the Malayan Emergency.

Closing Thoughts

Cyber professionals are fighting a losing battle against a relentless cyber onslaught. More alarmingly, malicious hackers are threatening society by subverting a critical means of communication. While the role of government can be debated, its responsibility as a protector, to provide for safety and for law and order, is unequivocal. By any assessment, the fabric of society is under cyber siege. The path forward is clear—an offensive mindset, a global cyber counterinsurgency, a call for action to regain control.


[1] Threat Horizon 2019, ISF

[2] “The Hackers”, Time Magazine, December 19, 2016

[3] “Intelligence-Led Security”, presentation by Mandiant at RSA Conference 2017

[4] “The Swedish Kings of Cyberwar,” Hugh Eakin, The New York Review, January 19, 2017

[5] “The War Without Borders: Cyber Warfare,” Diana West, AUSN, Fall 2016

[6] “Japan and Europe Step Up Cooperation in Cyberspace,” The Diplomat, January 13, 2015.

[7] Internet Security Threat Report, Symantec, April 2017

[8] “Japan sleeps while cybercriminals get smarter,” Philip Brasor, The Japan Times, June 18, 2016.

[9] PwC Global Economic Crime Survey 2016, http://www.pwc.com/gx/en/economic-crime-survey/pdf/GlobalEconomicCrimeSurvey2016.pdf

[10] “Bank of America’s Unlimited Cybersecurity Budget Sums Up Spending Plans In A War Against Hackers,” Steve Morgan, Forbes, January 27, 2016 http://www.forbes.com/sites/stevemorgan/2016/01/27/bank-of-americas-unlimited-cybersecurity-budget-sums-up-spending-plans-in-a-war-against-hackers/#e52366b434b7

[11] Q4 2016 State of the Internet / Security Report, Akamai

[12] Symantec Internet Security Report, April 2016

[13] “Cyber Risk – a threat to energy security,” PwC, October 2014

[14] FBI Uniform Crime Reporting, Crime in the United States 2012, https://ucr.fbi.gov/

[15] Countries with the largest number of prisoners per 100,000 of the national population, 2016, Statista, https://www.statista.com/statistics/262962/countries-with-the-most-prisoners-per-100-000-inhabitants/; World Prison Brief, http://www.prisonstudies.org

[16] “Campaign targets UK’s youngest cyber criminals,” National Crime Agency, 8 December 2015

[17] Internet use by age group worldwide 2014, Statista, https://www.statista.com/statistics/272365/age-distribution-of-internet-users-worldwide/

[18] DSM-5, American Psychiatric Association

[19] “Antisocial personality disorder in incarcerated offenders: Psychiatric comorbidity and quality of life,” Donald W. Black, MD et al, ANNALS OF CLINICAL PSYCHIATRY, May 2010. http://www.antoniocasella.eu/archipsy/Black_aspd_2010.pdf

[20] Distribution of the global internet population in 2012, Statista, https://www.statista.com/statistics/272993/gender-distibution-of-the-global-internet-population/

[21] Boot, Max, Invisible Armies, Liveright Publishing Corporation, New York/London, 2013

[22] World and Its Peoples: Eastern and Southern Asia, Volume 9, Marshall Cavendish, 2007

[23] Hack, Karl (2009). The Malayan Emergency as counter-insurgency paradigm. Journal of Strategic Studies, 32(3) pp. 383–414.
