Don Mathis of Kinetic Social explores the growing nexus between cybercrime and cyber terrorism, and what can be done about it
By Don Mathis
Imagine the cybercriminal and what comes to mind? Do you think of a disaffected hacker with an ax to grind? A tech geek with a sociopathic streak, getting a thrill from outsmarting unwitting victims with his computer exploits? You wouldn’t necessarily be wrong, according to cybercrime and criminal justice experts.
Now imagine the committed cyber terrorist, operating under the justification of a violent ideology or misbegotten crusade. This hypothetical person may look a lot like the first… with perhaps a black banner of jihad unfurled behind him.
The evidence for a link between cybercrime and cyber terrorism is growing. The common element is, in substantial part, the kind of technology skills required to plan, coordinate and launch a cyber attack; the techniques are similar no matter the intent, whether an attack is launched as part of a criminal enterprise or as an effort to bring down a key component of a nation’s critical infrastructure. Examples of cybercriminal / terrorist cross-pollination include (but are certainly not limited to):
- Phishing (and spear fishing) attacks can be used to dupe an unwitting consumer into surrendering personally identifiable information, which in turn can be used to clean out a bank account … or to create an effective false identity to enable cross-border movement. According to identity fraud expert Judith Collins, “All acts of terrorism enacted against the United States have been facilitated with the use of a fake or stolen identity,” with 5% of all identity thieves connected to terrorism and 2% specifically to Al-Qaeda.
- Malware can be used to siphon traffic and data for illicit internet advertising … or to affect a devastating attack on critical infrastructure like a power grid.
- Bot-nets can be used to disseminate that malware … and/or for extortion, a Distributed Denial Of Service Attack (DDoS), or other destructive behavior.
- Hacking into protected computer systems can serve multiple objectives from criminal to terroristic.
Nor is the issue limited to cyber terrorist exploits specifically: cybercrime can be used to generate financing for terrorist activity in the same way that drug smuggling or human trafficking does. And as detailed by the IMF, it offers terrorist organizations a means of transferring and laundering funds.
As the links between criminals driven by greed and terrorists driven by violent ideology grows, the question for those charged with fighting both – indeed, for all of us – is, how do we stop it? And the first step in stopping it is, do we even recognize that these links exist?
Does law enforcement recognize the link between cybercrime and cyber terrorism?
The general approach to policing and/or combating most forms of illicit activity has its roots in an earlier, pre-internet era. Indeed, much earlier: the modern police philosophy that we recognize today grew out of efforts in the 18th and 19th centuries to explicitly separate the spheres of military and law enforcement activity, concurrent with the evolution of Enlightenment notions of citizenship versus subject.* As a result of the evolution of modern criminal justice / law enforcement doctrine and philosophy, we entered the post-9/11 period with a fragmented approach to the cyber threat. Counter terrorism agencies were trained to look for and disrupt violent jihadist networks … not digital fraud. Agencies like the Federal Trade Commission or State Attorney Generals on the other hand were created to protect consumer rights … not to stop terrorism.
Unfortunately, today’s cyber bad guys do not necessarily observe the niceties of such boundaries between the realms of war, crime and fraud.
“The problems of organized crime and terrorism were often considered separate phenomena prior to the September 11th attacks,” writes lawyer and criminology researcher Frank Perri. “Security studies, military and law enforcement seminars discussed the emerging threat of transnational organized crime or terrorism, but the important links between the two were rarely made…” (Frank S. Perri and Richard G. Brody in the Journal of Money Laundering Control, emphasis added).
Cyber Broken Windows
Can a cyber “Broken Windows” approach help cope with the blurring line between cybercrime and cyber terrorism? Most people are familiar with the “Broken Windows” theory of criminology (James Q. Wilson and George L. Kelling). Greatly simplified, the theory suggests that by maintaining law and order and prosecuting minor offenses such as vandalism, more serious crime might be headed off or prevented entirely as a result.
In the cyber version of Broken Windows, the theory could be interpreted to mean that cyber fraud begets cybercrime, and cybercrime facilitates cyber (and real world) terrorism. From a security services and law enforcement perspective, this approach would only work if there is coordination of effort to combat this spectrum of illicit cyber activity.
There is evidence that this is precisely the approach that is being increasingly adopted by key government agencies – i.e., the development of a more sophisticated understanding of the nexus between cybercrime and terrorism. As a result, the patchwork of enforcement and prevention efforts is (slowly) being knitted together. In the U.S., this increasingly integrated approach is being spearheaded by the Departments of Justice and Homeland Security, leveraging organizational structures such as the National Cyber Investigative Joint Task Force and the National Counterterrorism Center.
In particular, the Federal Bureau of Investigation (FBI) stands as a powerful example of an agency that is working to reduce the “silo-effect”. I had the opportunity to see elements of this first hand, as part of a cybersecurity company called Online Intelligence that worked to combat cyber fraud. Facilitated by a colleague who is a former FBI Special Agent and cybercrime specialist – as well as my own anti-terrorism background in the U.S. Navy – we first met with the FBI about five years ago, providing an opportunity to observe an inter agency and public-private approach, one that better takes a holistic approach to the multi-headed cyber threat. FBI Director Robert Mueller pioneered this revolutionary shift in strategy and operations at the nation’s leading law enforcement agency shortly after the 9/11 attacks, and Director James Comely has continued it. Under their leadership, the FBI has transformed from a nearly exclusive crime fighting footing into an integrated counter-terrorism agency which also facilitates cyber attack prevention – no matter the intent.
This concept of preventing attacks and safeguarding people and assets has required the adoption of a different mind-set, a substantial paradigm and cultural shift at the Agency: one that looks to disrupt and interdict attacks as well as to solve crimes that have already occurred. And today, after over a decade of effort to reorient itself, the FBI is perhaps the best positioned federal agency in the United States to break down the silos and connect the dots between cyber fraud, cybercrime and terrorism.
The cyber realm: borderless opportunity for good … and evil
The cyber realm is characterized by a perceived sense of statelessness, of few or no rules regulating a growing transnational digital society. There are clear benefits that flow from the openness and borderless nature of the Internet. But there are costs as well; the cyber world is one where criminals and terrorists can interact more easily than in the physical world, sharing techniques and exploits. Like an unlit alley in a dangerous urban landscape, black hat forums and dark internet meeting hubs provide effective environments for the bad guys to “meet” and learn from each other, often with impunity.
The increasing prevalence of cybercrime should raise red flags around the risks of cyber terrorism. According to Peter W. Singer of the Brookings Institution, 97% of the Fortune 500 companies having been hacked. FBI Director James Comey has said, “there are two kinds of big companies in America: those who have been hacked…and those who don’t know they’ve been hacked.” And as the United Nations put it in its report Cybersecurity: A global issue demanding a global approach: “cybercrime has now become a business which exceeds a trillion dollars a year in online fraud, identity theft, and lost intellectual property, affecting millions of people around the world, as well as countless businesses and the Governments of every nation.”
This phenomenon will become more, not less pronounced over time: the motivation for both terror and crime are not going away, and the opportunity to exploit a common tool set to engage in both increases as technology (exponentially) develops. Our best and most effective defense is recognizing the convergence of cybercrime and terrorism; protecting ourselves from its effects; and interdicting it where we can. Policing systems developed over generations must continue to evolve to effectively meet the threat. A collective, integrated and coordinated approach is required across a range of players, public and private – one that involves collaborative efforts at the law enforcement and counter terrorism level, and one that involves the private sector stepping up to safeguard our systems and networks from attack.
Recognizing this growing and converging threat is unsettling. Mitigating it will be costly in terms of effort and resources. But the consequences if we fail to do so will be far worse.
* The topic of policing theory and development is a separate one, worthy of much more attention than can be provided by the scope of this blog. I had the extraordinary opportunity to write my thesis with Hsi-Huey Liang, Professor at Vassar College, shortly before his retirement; Dr. Liang was the author of The Rise of Modern Police and the European State System, and his historical analysis of the subject is an excellent treatment among other things of the connection between domestic order, security, the concept of citizenship and social progress.