Monday, June 05, 2006

C3: Cybercrime, cyberterrorism and cyberwarfare

I've written a lot about cybercrime and have done at least one post on cyber terrorism.

Today, I want to talk not about cybercrime or cyberterrorism as such, but about the three categories of online malefaction: cybercrime, cyberterrorism and cyberwarfare.

More specifically, I want to focus on the clear and not-so-clear distinctions between the categories.

Let's begin with some basic definitions:
  • Cybercrime is, essentially, using computer technology to commit unlawful acts, or crimes. As I explained in an earlier post here, and as I have explained elsewhere, the activity we refer to as cybercrime often consists of nothing more than using a computer to commit a crime that is probably as old, or almost as old, as humanity. So, if someone uses a computer and the Internet to siphon funds from a bank account belonging to someone else, it is simply theft (taking property from someone else without their consent) as far as the law is concerned. There are, however, good reasons to consider the perpetrator's use of computer technology in the commission of this and other technological crimes; aside from anything else, it lets the perpetrator commit the crime remotely (the perpetrator is in, say, Brazil, the bank account is in the United States), which can make it difficult for law enforcement to "solve" the crime. Also, the use of computer technology can increase the scale on which crime is committed; so, an online fraudster using computer technology can defraud many more people in a given space of time than she would be able to do if she had to deal with each of them face-to-face. Cybercrime, like all crime, is committed by civilians whose motives are purely their own. (There is an exception to this, which I will note below.)
  • Cyberterrorism essentially consists of using computer technology to engage in terrorism. Terrorism consists of acts that are committed for political, versus economic, motives. Much of crime is committed for economic reasons, as in the examples I gave above. Terrorism is committed to further certain political goals. It is usually intended to demoralize a civilian population (which differentiates it from warfare, which is not supposed to target civilians), and usually accomplishes that, in the real world, by destroying property and injuring or killing as many civilians as possible. The 9/11 attacks on the World Trade Center are a perfect example of real-world terrorism; they were intended to destroy a premier symbol of capitalism and, in so doing, undermine the morale and confidence of U.S. citizens. As I explained in an earlier post, we have not, as yet, seen cyberterrorism, but I am confident we will. I do not think, as I said in my earlier post, that cyberterrorism is an effective way to destroy property and human life on the scale and with the shocking simultaneity one can achieve by using bombs, airplanes and similar real-world methods. I do think, though, that computer technology can be used to erode citizen confidence in the security and stability of the internal systems upon which they rely. As I noted in my earlier post, one way to do this would be to launch sequenced, synchronized attacks shutting down ATM systems and other financial mechanisms in carefully selected cities around the United States. As the attacks progressed from city to city, it would become increasingly apparent that they were not random, were not the product of software bugs, were not otherwise explainable but were, instead, the product of terrorist activity. Attacks such as these would not inflict the sheer horror of the 9/11 attacks, but they could further terrorist goals by creating a climate of insecurity and anger at the government, something analogous to what we saw with the Katrina fiasco. Like terrorism, cyberterrorism is carried out by individuals who are part of a group that is held together by a commitment to a specific political ethos.
  • Cyberwarfare is using computer technology to wage war. The distinguishing characteristic of war is that it is a struggle between nation-states; it is, like all human activity, physically carried out by individuals, but those individuals are acting for a particular nation-state. Like terrorism, warfare tends to result in the destruction of property (often on a massive scale) and in the injury and deaths of individuals (often many, many individuals). Unlike terrorism, war is supposed to be limited to clashes between the aggregations of individuals (armies) who respectively act for the warring nation-states. Injuring and killing civilians (those who are not serving in one of the combatant nation-states' armies) occurs, but it, like most property damage/destruction, is supposed to be a collateral event. The primary focus of war in general and of particular wars in specific is to "triumph" over the adversarial nation-state(s) (whatever that means in a given context). Inflicting injury/death on civilians and destroying property is not the primary focus of warfare. Cyberwarfare (also known as "information warfare") is a logical consequence of migrating much of human activity into cyberspace. Several years ago, the Department of Defense defined cyberwarfare as "actions taken to achieve information superiority by affecting adversary information, information-based processes, information systems, and computer-based networks while defending one's own" computer systems, information, etc. More simply, cyberwarfare consists of using cyberspace to achieve the same general ends nation-states pursue via the use of conventional military force; that is, the use of cyberspace to achieve certain advantages over a competing nation-state or to prevent a competing nation-state from achieving advantages over another state. As I write this, it is clear that many nation-states are already engaging in cyberwarfare, though on what I think is a relatively small scale. Some countries are training/have already trained "hacker warriors" and are using them to mount attacks on other countries, many of which are developing their own cyberwarfare capabilities. From what I can tell, most of the attacks so far resemble skirmishes rather than full-scale "cyber-battles" (whatever a full-scale cyber-battle would look like . . . . )
That's a pretty concise explanation of what each category comprises and of how each category differs from the others. That, however, is not my primary concern in writing this post. What I really want to focus on is how the use of cyber-techniques to implement any or all of these three types of real-world activity can, for lack of a better word, challenge a government's ability to respond to online-based crime, terrorism and/or warfare.

In the real-world, we know who deals with what:
  • Law enforcement officers (in the U.S. local police, state police and, sometimes, federal agents) deal with crime.
  • Law enforcement officers plus, perhaps, specialized law enforcement officers (the FBI in the U.S., specialized police units in other countries) deal with terrorism. Usually, you tend to see a mix of "regular" and "specialized" police responding to terrorism because the local police are likely to be the first responders to a terrorist incident . . . as we saw with the 9/11 attacks on the World Trade Center. There, the NY police and fire departments were the first to deal with the attacks, though the FBI and related federal agencies quickly became involved, as well.
  • The military deals exclusively with warfare.
That's a tidy division of responsibility, one that has been with us for at least a century and a half. It assumes, of course, that we can tell the difference between (i) crime, (ii) terrorism and (iii) war.
  • It's generally not difficult to do that when we are dealing with real-world activity: Crime is pretty easy to spot, especially since much of it tends to be one-on-one crime, e.g., one person robs another, one person kills another, etc. And crime falls into identifiable categories: theft, robbery, rape, murder, fraud, arson, etc.
  • Real-world terrorism is generally easy to spot, even though it involves activity that can also fall within the definition of crime, i.e., harming/killing people and destroying property. Real-world terrorism is usually easy to distinguish from crime because (i) it is irrational and (ii) the scale on which it is committed vastly exceeds what one usually encounters with crime.
  • Take the attacks on the World Trade Center, for example: They are irrational in the sense that they produced no financial gains (unlike, say, bombing part of one of the WTC towers and using that as cover to rob a bank or a jewelry store). Much of crime, as I have said before, is committed for financial gain.
  • There are, however, crimes that are not committed for financial gain; in any city in the U.S. (or elsewhere) one can read daily about murders that were committed for no rational reason, for no purpose relating to financial gain or the achievement of other rational ends (like ridding oneself of an unwanted spouse). But those crimes tend to be limited in scale, and tend to involve people who know each other. Husbands kill wives, wives kill husbands, employees "go postal" and kill people in their workplace. In crimes such as these, there is a link, a factual nexus between the perpetrator and the victims. They also tend to be limited in scale: The perpetrator kills only the person(s) he/she knows and is angry/frustrated with.
  • In real-world terrorism, the activity is not rational -- why would anyone fly a plane into the World Trade Center? There is no ostensibly rational motive; the motivations of the Al Qaeda members who actually did that are, of course, quite rational if one accepts the ideological premises from which they operate. To the uninitiated, however, the conduct seems irrational. So, there is a clue that we are dealing with terrorism . . . just as the apparent irrationality of the conduct is clear when a suicide bomber blows up himself/herself and whoever happens to be in the area. That second factor is another differentiating factor, another clue, that we are dealing with terrorism in the real-world: The scale is inexact -- there is no clear link between the act and the result; the suicide bomber blows up some random number of people, none of whom he/she knows, none of whom he/she has any personal grudge against.
  • I could go on, but I think (hope) my point is clear -- it is relatively easy to identify terrorism in the real-world.
  • Finally, it is very easy to identify warfare in the real-world. When the Japanese bombed Pearl Harbor or when the U.S. began bombing in Iraq in 2003, no one who heard about/witnessed the attacks could have the slightest doubt that this was warfare . . . not crime, not terrorism. Both were conducted by specialized cadres of individuals associated with the attacking nation-state, all of whom wore distinctive attire and distinctive insignia.
Now, think about how these activities manifest themselves in the cyber-world. It will, in some instances, be relatively easy to identify the type of activity at issue. This is true, generally, for cybercrime: Most of the emails sent out to implement 419 and other fraud scams, for example, are the result of activity by cybercriminals (or aspiring cybercriminals). Like fraudsters in the real world, they are trying to enrich themselves by convincing deluded victims to send them money or transfer other property to them.

Even here, though, the categorization does not always hold: Al Qaeda and other terrorist groups have been known to use online fraud (especially credit card fraud) as a way to raise money for their terrorist activity. If terrorists are engaging in what would otherwise be cybercrime, is the activity still cybercrime or does it become cyberterrorism? I'd say it's still cybercrime because, while it is being perpetrated by those who style themselves as terrorists, it is, at bottom, still just fraud.

I want, though, to focus on the problem I noted above: the challenge of initially identifying what type of cyberactivity is at issue and ensuring that the proper agencies/personnel respond to it.

Imagine, say, that a series of sequenced attacks occur on financial systems scattered around the U.S. We will simplify the example by assuming that each of the attacks takes the same form. (It would, of course, be relatively easy to structure the attacks so they differ in varying degrees.)

So, keeping things simple, let us assume that all/many/most ATMs are taken offline (i) in Des Moines on April 1; (ii) in Portland on April 2; (iii) in Reno on April 3; (iv) in Cincinnati on April 5; (v) in Nashville on April 6; (vi) in Miami on April 7; and so on. The scenario might involve keeping the ATMs offline or it might involve shutting them down, bringing them back up and then shutting them down again (which I think might be more effective). This basic pattern could be coupled with other attacks on banking systems . . . online banking might be shut down, data might be scrambled, etc. etc.

Take that basic scenario: Who would respond (initially -- we'll get to escalating responses in a minute)? The local police would respond. It would presumably be regarded as a cybercrime -- maybe the stereotypical teenage hacker shutting down the system for fun, maybe a prelude to an extortion effort by professional hackers.

Assume, now, that the attack is not a cybercrime, that it is being perpetrated by those "hacker warriors" I mentioned earlier -- cyberwarriors trained and recruited by a nation-state, one that is hostile to the U.S. and that is using cyberspace in an effort to gain certain tactical advantages. Here, the tactical advantage might be an initial step toward destabilizing the financial system in the U.S.

How long would it take for us to realize we were under such an attack? How long would it take for us to realize that this was cyberwarfare, not cybercrime? How would that realization come to pass . . . if at all?

For that realization to occur, someone, somehow, would have to be able to see the big picture, would have to know that these attacks were occurring, would have to see the sequencing in the attacks, would have to know about the similarity in the attacks. How would that come to pass?

What if the local police in each of the cities in which an attack occurred simply believed it was a cybercrime? What if the local police, assisted, maybe, by the state police, sought to deal with it on their own? I think this is the most likely scenario, at least for a considerable period of time.

I hope, but doubt, that we have procedures, personnel, and data-gathering processes in place that allow us to track incidents such as these at a global level . . . that, in other words, let us (one or more of us, somewhere, in some official capacity) grasp what is occurring on a larger scale.
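One way to get that big picture, as an added example that is not part of the original post: a small correlation routine run over constructed incident reports (the cities and dates follow the scenario above; the report fields, the signature used to compare incidents, and the thresholds are assumptions) that flags a run of look-alike incidents across distinct cities, which is exactly the signal no single local department would see.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed incident reports, as a national clearinghouse might receive them
# from local police or bank security teams. Fields and values are invented.
INCIDENTS = [
    {"city": "Des Moines", "date": date(2006, 4, 1), "system": "ATM", "effect": "outage"},
    {"city": "Portland",   "date": date(2006, 4, 2), "system": "ATM", "effect": "outage"},
    {"city": "Reno",       "date": date(2006, 4, 3), "system": "ATM", "effect": "outage"},
    {"city": "Cincinnati", "date": date(2006, 4, 5), "system": "ATM", "effect": "outage"},
    {"city": "Nashville",  "date": date(2006, 4, 6), "system": "ATM", "effect": "outage"},
    {"city": "Miami",      "date": date(2006, 4, 7), "system": "ATM", "effect": "outage"},
    # Unrelated local noise: a lone web defacement and a one-off ATM outage weeks later.
    {"city": "Boise",      "date": date(2006, 4, 4),  "system": "web", "effect": "defacement"},
    {"city": "Tulsa",      "date": date(2006, 4, 25), "system": "ATM", "effect": "outage"},
]


def signature(incident):
    """What look-alike incidents share: the system hit and the effect produced."""
    return (incident["system"], incident["effect"])


def find_campaigns(incidents, min_cities=3, max_gap_days=3):
    """Group incidents by signature, order them in time, and return every run of
    look-alike incidents spanning at least `min_cities` distinct cities with no
    more than `max_gap_days` between consecutive events (the sequencing and
    similarity the post says someone must be positioned to notice)."""
    by_sig = defaultdict(list)
    for inc in incidents:
        by_sig[signature(inc)].append(inc)

    campaigns = []
    for sig, events in by_sig.items():
        events.sort(key=lambda e: e["date"])
        run = [events[0]]
        for prev, cur in zip(events, events[1:]):
            if cur["date"] - prev["date"] <= timedelta(days=max_gap_days):
                run.append(cur)
            else:                       # gap too long: close this run, start another
                campaigns.extend(_close_run(sig, run, min_cities))
                run = [cur]
        campaigns.extend(_close_run(sig, run, min_cities))
    return campaigns


def _close_run(sig, run, min_cities):
    """Report the run only if it reaches across enough distinct jurisdictions."""
    cities = list(dict.fromkeys(e["city"] for e in run))   # de-duplicate, keep order
    if len(cities) < min_cities:
        return []
    return [{"signature": sig, "cities": cities,
             "start": run[0]["date"], "end": run[-1]["date"]}]
```

With the defaults this reports one campaign covering the six cities from April 1 to April 7 and ignores the Boise and Tulsa reports; tightening `max_gap_days` to 1 splits the same data into two runs, which is the kind of threshold a clearinghouse would have to tune.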

Otherwise, we could become the target of cyberwarfare and not even know it. In the 1970s there was, I think, a slogan -- something like "What if they gave a war and no one came?" Maybe the slogan for the 21st century should be something like "What if they started a war and we didn't know it until they won?"
