Don Mathis of Kinetic Social explores the growing nexus between cybercrime and cyber terrorism, and what can be done about it
By Don Mathis
Imagine the cybercriminal and what comes to mind? Do you think of a disaffected hacker with an ax to grind? A tech geek with a sociopathic streak, getting a thrill from outsmarting unwitting victims with his computer exploits? You wouldn’t necessarily be wrong, according to cybercrime and criminal justice experts.
Now imagine the committed cyber terrorist, operating under the justification of a violent ideology or misbegotten crusade. This hypothetical person may look a lot like the first… with perhaps a black banner of jihad unfurled behind him.
The evidence for a link between cybercrime and cyber terrorism is growing. The common element is, in substantial part, the kind of technology skills required to plan, coordinate and launch a cyber attack; the techniques are similar no matter the intent, whether an attack is launched as part of a criminal enterprise or as an effort to bring down a key component of a nation’s critical infrastructure. Examples of cybercriminal / terrorist cross-pollination include (but are certainly not limited to):
- Phishing (and spear phishing) attacks can be used to dupe an unwitting consumer into surrendering personally identifiable information, which in turn can be used to clean out a bank account … or to create an effective false identity to enable cross-border movement. According to identity fraud expert Judith Collins, “All acts of terrorism enacted against the United States have been facilitated with the use of a fake or stolen identity,” with 5% of all identity thieves connected to terrorism and 2% specifically to Al-Qaeda.
- Malware can be used to siphon traffic and data for illicit internet advertising … or to effect a devastating attack on critical infrastructure like a power grid.
- Botnets can be used to disseminate that malware … and/or for extortion, a Distributed Denial of Service (DDoS) attack, or other destructive behavior.
- Hacking into protected computer systems can serve multiple objectives from criminal to terroristic.
Nor is the issue limited to cyber terrorist exploits specifically: cybercrime can be used to generate financing for terrorist activity in the same way that drug smuggling or human trafficking does. And as detailed by the IMF, it offers terrorist organizations a means of transferring and laundering funds.
As the links between criminals driven by greed and terrorists driven by violent ideology grow, the question for those charged with fighting both – indeed, for all of us – is, how do we stop it? And the first step in stopping it is, do we even recognize that these links exist?
Does law enforcement recognize the link between cybercrime and cyber terrorism?
The general approach to policing and/or combating most forms of illicit activity has its roots in an earlier, pre-internet era. Indeed, much earlier: the modern police philosophy that we recognize today grew out of efforts in the 18th and 19th centuries to explicitly separate the spheres of military and law enforcement activity, concurrent with the evolution of Enlightenment notions of citizenship versus subject.* As a result of the evolution of modern criminal justice / law enforcement doctrine and philosophy, we entered the post-9/11 period with a fragmented approach to the cyber threat. Counter terrorism agencies were trained to look for and disrupt violent jihadist networks … not digital fraud. Agencies like the Federal Trade Commission or State Attorneys General, on the other hand, were created to protect consumer rights … not to stop terrorism.
Unfortunately, today’s cyber bad guys do not necessarily observe the niceties of such boundaries between the realms of war, crime and fraud.
“The problems of organized crime and terrorism were often considered separate phenomena prior to the September 11th attacks,” writes lawyer and criminology researcher Frank Perri. “Security studies, military and law enforcement seminars discussed the emerging threat of transnational organized crime or terrorism, but the important links between the two were rarely made…” (Frank S. Perri and Richard G. Brody in the Journal of Money Laundering Control, emphasis added).
Cyber Broken Windows
Can a cyber “Broken Windows” approach help cope with the blurring line between cybercrime and cyber terrorism? Most people are familiar with the “Broken Windows” theory of criminology (James Q. Wilson and George L. Kelling). Greatly simplified, the theory suggests that by maintaining law and order and prosecuting minor offenses such as vandalism, more serious crime might be headed off or prevented entirely as a result.
In the cyber version of Broken Windows, the theory could be interpreted to mean that cyber fraud begets cybercrime, and cybercrime facilitates cyber (and real world) terrorism. From a security services and law enforcement perspective, this approach would only work if there is coordination of effort to combat this spectrum of illicit cyber activity.
There is evidence that this is precisely the approach that is being increasingly adopted by key government agencies – i.e., the development of a more sophisticated understanding of the nexus between cybercrime and terrorism. As a result, the patchwork of enforcement and prevention efforts is (slowly) being knitted together. In the U.S., this increasingly integrated approach is being spearheaded by the Departments of Justice and Homeland Security, leveraging organizational structures such as the National Cyber Investigative Joint Task Force and the National Counterterrorism Center.
In particular, the Federal Bureau of Investigation (FBI) stands as a powerful example of an agency that is working to reduce the “silo-effect”. I had the opportunity to see elements of this firsthand, as part of a cybersecurity company called Online Intelligence that worked to combat cyber fraud. Facilitated by a colleague who is a former FBI Special Agent and cybercrime specialist – as well as my own anti-terrorism background in the U.S. Navy – we first met with the FBI about five years ago, providing an opportunity to observe an interagency and public-private approach, one that better takes a holistic approach to the multi-headed cyber threat. FBI Director Robert Mueller pioneered this revolutionary shift in strategy and operations at the nation’s leading law enforcement agency shortly after the 9/11 attacks, and Director James Comey has continued it. Under their leadership, the FBI has transformed from a nearly exclusive crime fighting footing into an integrated counter-terrorism agency which also facilitates cyber attack prevention – no matter the intent.
This concept of preventing attacks and safeguarding people and assets has required the adoption of a different mind-set, a substantial paradigm and cultural shift at the Agency: one that looks to disrupt and interdict attacks as well as to solve crimes that have already occurred. And today, after over a decade of effort to reorient itself, the FBI is perhaps the best positioned federal agency in the United States to break down the silos and connect the dots between cyber fraud, cybercrime and terrorism.
The cyber realm: borderless opportunity for good … and evil
The cyber realm is characterized by a perceived sense of statelessness, of few or no rules regulating a growing transnational digital society. There are clear benefits that flow from the openness and borderless nature of the Internet. But there are costs as well; the cyber world is one where criminals and terrorists can interact more easily than in the physical world, sharing techniques and exploits. Like an unlit alley in a dangerous urban landscape, black hat forums and dark internet meeting hubs provide effective environments for the bad guys to “meet” and learn from each other, often with impunity.
The increasing prevalence of cybercrime should raise red flags around the risks of cyber terrorism. According to Peter W. Singer of the Brookings Institution, 97% of the Fortune 500 companies have been hacked. FBI Director James Comey has said, “there are two kinds of big companies in America: those who have been hacked…and those who don’t know they’ve been hacked.” And as the United Nations put it in its report Cybersecurity: A global issue demanding a global approach: “cybercrime has now become a business which exceeds a trillion dollars a year in online fraud, identity theft, and lost intellectual property, affecting millions of people around the world, as well as countless businesses and the Governments of every nation.”
This phenomenon will become more, not less, pronounced over time: the motivations for both terror and crime are not going away, and the opportunity to exploit a common tool set to engage in both increases as technology (exponentially) develops. Our best and most effective defense is recognizing the convergence of cybercrime and terrorism; protecting ourselves from its effects; and interdicting it where we can. Policing systems developed over generations must continue to evolve to effectively meet the threat. A collective, integrated and coordinated approach is required across a range of players, public and private – one that involves collaborative efforts at the law enforcement and counter terrorism level, and one that involves the private sector stepping up to safeguard our systems and networks from attack.
Recognizing this growing and converging threat is unsettling. Mitigating it will be costly in terms of effort and resources. But the consequences if we fail to do so will be far worse.
* The topic of policing theory and development is a separate one, worthy of much more attention than can be provided by the scope of this blog. I had the extraordinary opportunity to write my thesis with Hsi-Huey Liang, Professor at Vassar College, shortly before his retirement; Dr. Liang was the author of The Rise of Modern Police and the European State System, and his historical analysis of the subject is an excellent treatment among other things of the connection between domestic order, security, the concept of citizenship and social progress.
Self-confident leadership: “Not the chest-thumping, strutting egotism we see and read about all the time. Rather, the quiet self-assurance that allows a leader to give others both real responsibility and real credit for success.” So said Robert M. Gates at the U.S. Naval Academy on Friday, May 27, 2011, not long before he left office as America’s 22nd Secretary of Defense (SECDEF).
This sentiment speaks to what really matters for effectively running an organization: confident leadership that puts the team first and empowers them to accomplish the mission. It is also a telling comment on the character of one of the nation’s very best SECDEFs.
Robert Gates’ style of managing organizations has lessons for anyone in a leadership position or aspiring to hold one. While Secretary Gates was in the news earlier this year due to some criticism of his memoirs, Duty: Memoirs of a Secretary at War, that isn’t what this post is about. The criticism focused on the perceived tell-all nature of a book that was critical of much of official Washington. But this shouldn’t obscure his brilliant career culminating as Secretary of Defense – the first to serve under two presidents of opposing parties. Whether you like his book or not, there is no disputing that his tenure as Secretary of Defense was historic, and that he has been a deeply committed public servant.
And let’s face it, much of the book was spot-on in its observations.
What I do want to focus on is the extraordinary leadership Gates has demonstrated. His style – especially, his empowerment of his teams – has resonance not just for public service, but for leadership of any sort of organization. For me, that includes my civilian work as the CEO of Kinetic Social, a start-up in the social media and technology world. It has also been influential for me as a leader in uniform, during my service as a Naval Officer (both on active duty and in the reserve).
In that same speech at Annapolis, Gates said:
“(Leadership includes) the ability to stand in the shadow and let others receive attention and accolades. A leader is able to make decisions but then delegate and trust others to make things happen. This doesn’t mean turning your back after making a decision and hoping for the best. It does mean trusting in people at the same time you hold them accountable. The bottom line: a self-confident leader doesn’t cast such a large shadow that no one else can grow.”
I met a senior Pentagon officer who worked for Secretary Gates for part of his tenure, and he spoke about this quality of having a constructive relationship with a boss who empowered and trusted his subordinates. And he emphasized that this was perfectly consistent with discipline and accountability. “Gates understood that you don’t need to be a dick to be an effective and decisive leader,” he said. “This is what so many managers – especially the toxic sort – get wrong.”
Gates’ style, alas, is the exception rather than the rule.
Serving under Secretary Gates as an officer in the Navy, I watched his leadership style closely. While I did not serve in the Pentagon or directly for him, I became a Commanding Officer during his tenure. And I learned a great deal from his tone of management, from the way he motivated by empowering, and from the way he genuinely cared for his subordinates – especially the troops in the field.
I came to summarize and distill Robert Gates’ core approach into a four point guide for running my Navy unit, a guide that I have also used in my civilian career at Kinetic:
- Set a vision: one that inspires and stretches the team towards an important achievement, a disruptive innovation, a major strategic objective;
- Hire / retain / train a great team that can operate together. Not just a group of “A players” (who often struggle with operating together as a team). A group of strong players where you learn their strengths and weaknesses, and you help them focus and contribute the former in a collaborative setting while controlling for the latter;
- Empower that team: get out of their way and let them execute (i.e., don’t micromanage);
- Hold them accountable: for the results you expect, around the vision you set. A good subordinate manager will welcome the accountability; it will help them reach their potential and grow as leaders in their own right.
Few will have the honor of serving their country in the same way that Secretary Robert Gates did. But we all can learn from his leadership example, and implement the lessons learned of how he successfully ran the Department of Defense in a period of enormous and tumultuous challenge for the country.
Don Mathis is the CEO and Co-Founder of Kinetic Social, a social data and technology company focused on making sense of the world’s social signal. He also serves in the US Navy on reserve duty, where he is an Expeditionary Combat Logistics & Anti-Terrorism Officer.