Tuesday, Jun 30, 2009

Internet Vigilantes, Militias and Privateers

I'm delighted that Robi Sen has volunteered another article for Standing Well Back. In the future, his posts will be under his own account name.

In the last few months, we have seen some interesting developments in Iran. Setting aside the moral and political dilemmas created by Iran’s extreme response to popular protests, I wanted to make a few comments about the Internet and emerging arenas of conflict. These new arenas encompass a large number of doctrinal systems including information operations, cyber war (a term I dislike but will use because it is commonly understood), and counter insurgency. However, with few exceptions, most Western governments see these threats, and their perpetrators, as one nebulous threat and thus miss potential methods of mitigation or exploitation.

Internet Vigilantes

The first item I want to look at is the increase in cyber vigilantes who, driven by a desire to correct some real or perceived wrong, use various tools to cause mischief on the Internet. Generally, their actions take the form of some sort of Denial of Service attack (DoS or DDoS), in which a target's network is flooded with requests, causing it to crash or become unavailable to its users. We have seen these sorts of politically or socially motivated attacks a number of times over the last couple of years as various states have gone to war or had political conflicts. Now, however, groups of citizens on both sides of any controversy, such as the one raging in Iran, have started to make use of simple, open source or easily built tools to perform DoS attacks. The problem with cyber vigilantes is that they are not always technologically savvy and are often naively eager for some sort of impact on the world; therefore, with a little social engineering, they can be duped into actually assisting the very forces they were hoping to fight against. What is even worse is that these vigilantes may provide ammunition to oppressive elements in a regime, since many of these attacks are perceived as the actions of a government that is allowing its citizens to perpetrate them, but we will get to that in more depth shortly.
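From the defender's side, the flood described above shows up as a spike in requests per second relative to a quiet baseline; a crowd-sourced (distributed) flood additionally shows up as a spike in the number of distinct source addresses, since each participant sends only a modest share. The following is an added example, not code from the original post or its author: it parses constructed Apache-style access-log lines (the addresses, paths and timestamps are made up for this illustration), establishes a baseline rate from the first few seconds, and flags later seconds whose request count exceeds a multiple of that baseline, labelling each as distributed or single-source by its distinct-source count. The threshold parameters are arbitrary choices for the example.

```python
"""Flood detection over constructed web-server access-log lines.

Added illustration (not from the original post). Shows how a request
flood looks to a defender: a per-second request count far above a quiet
baseline, and, for a distributed flood, many distinct sources per second.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache common log format: src ident user [ts] "request" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_address, timestamp) or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("src"), datetime.strptime(m.group("ts"), TS_FORMAT)


def bucket_by_second(lines):
    """Count requests and collect distinct sources per one-second bucket."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of crashing the detector
        src, ts = parsed
        counts[ts] += 1
        sources[ts].add(src)
    return counts, sources


def detect_flood(lines, baseline_seconds=3, rate_multiplier=5.0, min_sources=20):
    """Flag seconds whose request count exceeds rate_multiplier times the
    mean rate of the first baseline_seconds buckets. Each event records the
    count, the number of distinct sources, and whether the traffic looks
    distributed (many sources) or single-source."""
    counts, sources = bucket_by_second(lines)
    if not counts:
        return []
    seconds = sorted(counts)
    window = seconds[:baseline_seconds]
    baseline = max(1.0, sum(counts[s] for s in window) / len(window))
    threshold = baseline * rate_multiplier
    events = []
    for sec in seconds[baseline_seconds:]:
        if counts[sec] > threshold:
            n_src = len(sources[sec])
            events.append({
                "time": sec.isoformat(),
                "count": counts[sec],
                "sources": n_src,
                "kind": "distributed" if n_src >= min_sources else "single-source",
            })
    return events


def make_sample_log():
    """Constructed sample: 3 quiet seconds (4 req/s from 2 hosts), then 2
    seconds in which 50 hosts each send 2 requests (distributed flood), then
    1 second in which a single host sends 60 requests, plus one junk line."""
    def line(src, sec, path):
        return f'{src} - - [30/Jun/2009:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512'
    lines = []
    for sec in range(3):
        for i in range(4):
            lines.append(line(f"192.0.2.{i % 2 + 1}", sec, f"/page{i}"))
    for sec in (3, 4):
        for host in range(50):
            for _ in range(2):
                lines.append(line(f"198.51.100.{host + 1}", sec, "/"))
    for _ in range(60):
        lines.append(line("203.0.113.9", 5, "/"))
    lines.append("this line is not in log format")
    return lines


if __name__ == "__main__":
    for event in detect_flood(make_sample_log()):
        print(event)
```

On the constructed sample the quiet baseline is 4 requests per second, so the threshold is 20; seconds 3 and 4 are reported as distributed (100 requests from 50 sources each) and second 5 as single-source (60 requests from one address). In practice the baseline would come from a much longer quiet period and the source count would be compared against normal client diversity for the site, but the shape of the signal is the same.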

I think a telling example of why cyber vigilantism is a bad idea is explained in this excerpt from Mathew Burton’s blog post entitled, “On the Weaponization of the Collaborative Web.”

“UPDATE, just to elaborate: When people want to attack someone or something, they usually can't do it immediately. It takes time to prepare. And during that preparation, they are repeatedly forced to reconsider their actions before going [through] with it. Each step--buying/building a weapon, choosing a time and place of attack, traveling to the location of the attack and finally seeing their potential victims--forces the sane mind to pass through "moral checkpoints" that force them to think twice. Carrying out the plan is both physically and psychologically difficult. Even heat-of-passion criminals are forced to deal with seeing their victims. I am sure these two factors weed out lots of would-be criminals who didn't have the heart or the means to go through with it.

The DDoS tool does away with these barriers. Nothing forces us to think through the act before we click Start. And we remain safe from the threat of retaliation. The thing about war is that you can’t do it without exposing yourself to danger, thus discouraging you from starting it in the first place. But that is no longer the case. Scary.”

I think Mathew, who initially partook in some of these DoS attacks, sums up the concerns pretty well. I for one applaud individuals and groups that are trying to provide proxies and assistance to allow Iranians to gain access to information, especially the Internet, but I think the overall potential of crowd-sourcing DoS attacks is too dangerous and will lead to many unintended consequences. We have already seen politically motivated DoS attacks and can expect even more of them as the tools become simpler and easier to use. It is not hard to imagine terrorist sympathizers or even political zealots making use of these approaches; indeed, they already have, with escalating frequency.

A much more intelligent approach than cyber vigilantism is using established and emerging networks of influence, perhaps through social networking sites, to enable and disseminate information. This allows dissidents and individuals in places like Iran to equip themselves with the necessary skills and tools to circumvent or defeat the obstacles to free expression and communication. This sort of cyber-irregular warfare does happen; it is usually ad hoc in nature and performed by special interest groups or a few individuals who, unlike the vigilantes, are often dedicated for the long term.

The Rise of the Militia

Another area of interest is the emergence of self-organized cyber militias. These are groups, usually within the geographic boundary of a state, who, for a variety of reasons, decide to perform coordinated, broad-ranging attacks. These attacks are usually against another state, often without direct orders from the host government but with its tacit consent. We have seen these sorts of ad hoc Internet militias develop in Russia to help attack Estonia, and later Georgia. Sometimes the attacks appear to be government assisted, or at least prodded, and at other times merely tacitly approved, as mentioned above. Some cyber militias have spontaneously formed in the US, for example when the Chinese downed a US EP-3. More illustrative, though, was the response of the Chinese hacking group Honker Union (‘red user’), which was extremely well organized and public.

Generally, cyber militias differ from vigilantes in that they are not out to deface a few websites or support some single cause, but rather focus on critical infrastructure and systems with the goal of causing real damage or reducing a target’s ability to react against physical threats. Cyber militias know very well what they are doing, why, and how, and unlike the vigilantes, are capable of performing more sophisticated attacks without the need for automated tools. Cyber militias are often far more dangerous than loose coalitions of cyber vigilantes who flock to a cause short term and often do little more than assist with DoS attacks. Cyber militias tend to be fueled by nationalism and often are long-term threats to the targets of their attention.

Cyber militias do not seem to have formed very often in the US; they form more readily in countries that benefit from a deniable and non-attributable cyber-warfare capability. This has led many to question whether such groups are really government organized, and some certainly have been. Regardless, they stand apart from the traditional independent hacker loners who perform hacks solely for the pleasure they derive from the technical or social exploits they are able to pull off.

Privateers on an Ocean of Information

A much more interesting and troubling phenomenon is governments and organizations turning to criminal networks to perform not only IO and cyber war but also cyber espionage. An excellent example of this is China’s relationships with hackers and criminal networks that perform consistent attacks against Western systems. The Chinese, who have disturbingly deep control and surveillance of the Internet within their borders, routinely allow hackers to perform these attacks in exchange for information and methods of attack. This also provides China’s own security and military apparatus insight into the usefulness of particular exploits or attacks. In exchange, Chinese attackers get free rein to pillage software and intellectual property, and to take part in things like credit card scams. Chinese hackers even get national recognition when they exploit foreign systems, making them something akin to privateers with letters of marque. For this reason, cyber privateers are significantly different from cyber militias: they are not necessarily focused on debilitating the target, and their main motivations are profit and prestige.

The Chinese strategy of using criminal networks and hacker groups as privateers is actually brilliant: although not without precedent, it is being adopted by more and more nations because it allows them to project an odd sort of force, collect information, put pressure on their opposition, and prepare the ground, all while maintaining a high level of non-attribution at little to no cost. Really, China’s use of cyber privateers is classic “Tao guang yang hui,” concealing one’s capacity and abilities so that an opponent remains unaware of them while one learns and develops one’s cyber-war capabilities.

Response – There is no perimeter

The increase in electronic threats has given rise to policy rhetoric expounding the odd idea that some sort of ‘Digital Maginot Line’ can be built to protect the United States and its allies from these sorts of threats, as well as from committed nation states waging cyber war. Electronic warfare, information warfare, irregular warfare and the like, when extended to the Internet, transcend typical concepts of boundaries, walls, and bastions since, by the very nature of the Internet, our opposition is already inside our perimeter and we are inside theirs. While not impossible, it is generally impractical for most major nation states to separate themselves totally from the Internet. Even attempting total regulation and control of the Internet is essentially impossible for a liberal democracy, although some countries, with the help of willing companies looking to maintain business relationships, are certainly trying. For this reason, looking at cyber war solely from a defensive point of view will always fail, since other countries will always be able to gain access to your systems and continue to probe them to find exploitable weaknesses.

Recently, the leadership in the US and the UK has decided that cyber threats are significant enough to warrant serious attention. These nations seem to have moved beyond the simple idea of a solely defensive stance to one where offense will be used, when appropriate. The only problem is that no one seems able to figure out what, when, or how one would respond:

“But those efforts could be fruitless because Washington appears to already have a vicious bureaucratic circle that stymies U.S. cyber warriors. There is yet no process to approve their use in wartime, peacetime or even in tactical situations that depend on a speedy response to be useful, according to remarks by Deputy Defense Secretary William Lynn early this week.”

There is a simple way around this, at least in the case of everything short of a real war: start looking at cyber war as a part of unconventional warfare, irregular warfare, counter insurgency, and other such doctrines instead of as a new branch of conventional conflict requiring a conventional response. Perhaps, instead of looking at how we can hack the Chinese hackers attacking US infrastructure, we should look at how we can sway their opinions. Maybe, instead of investing solely in defenses, we should look at using the same tactics* that unconventional warfare practitioners have used to effectively co-opt irregular forces and develop popular support.

* Author's note: For a variety of reasons I will not go into what those approaches might be, but I reserve the right to introduce some of them in a later post if I believe it makes sense.


Reader Comments (3)

Robi's analysis is intriguing. I was disappointed when the UK's Homeland security minister Lord West last week referred to the actors in this as one band of naughty boys recruited to chase another band of naughty boys. A facile description for post-modern warfare.
I'm also intrigued by those with no apparent motivation who follow similar paths - the almost anarchic "Anonymous" who pick both valid and invalid targets for the lulz. Where do they fit, other than as an oddity? Or can they too be a cover in the Chinese manner?

June 30, 2009 | Unregistered CommenterRoger

I think there is really no mystery in why most ‘hackers’ hack. Many hackers do it for the challenge, to gain notoriety or respect from their peers, or other such mundane reasons. Most real hackers, at least those that are security minded, will rarely even break the law and are more interested in finding the unintended consequences of logic or rules in a system. There are of course those people that we generally refer to as ‘hackers’ that are really mostly vandals or criminals and their motivations are not complex either. They are generally also looking for attention or are simply out to make money. Rarely do you see totally anonymous hackers who exploit a system and then never let anyone know what they have done. They are a rare breed indeed.
I think with the advent of these new privateers though we see something pretty interesting where states are taking advantage of many people’s desire for acclaim, attention, respect, as well as validation, and in return states get a somewhat deniable irregular force they can point at anyone they want. Frankly it totally breaks all the more conventional challenge-response dynamics of politicians, conventional military planners, and policy wonks that seem intent on getting ready for a Cyber Cold War when in reality cyber wars are going on right now, all over, and are in large part irregular or unconventional conflicts. One would think that the US and the UK’s first reaction would be to respond to these threats using a more unconventional approach, not the NSA or DHS.

July 6, 2009 | Unregistered Commenterrobi

I agree about the innate problems of utilizing traditionally structured organizations such as NSA and DHS to counter this threat. OODA loops are very slow in these sorts of organisations, and this problem is so dynamic, they will always be left behind ... and leave their masters fumbling in the slipstream. Not only does government response have to be technically savvy, it also has to be quick, damned quick.

July 6, 2009 | Unregistered CommenterRoger
