Don Mathis of Kinetic Social explores the growing nexus between cybercrime and cyber terrorism, and what can be done about it
By Don Mathis
Imagine the cybercriminal and what comes to mind? Do you think of a disaffected hacker with an ax to grind? A tech geek with a sociopathic streak, getting a thrill from outsmarting unwitting victims with his computer exploits? You wouldn’t necessarily be wrong, according to cybercrime and criminal justice experts.
Now imagine the committed cyber terrorist, operating under the justification of a violent ideology or misbegotten crusade. This hypothetical person may look a lot like the first… with perhaps a black banner of jihad unfurled behind him.
The evidence for a link between cybercrime and cyber terrorism is growing. The common element is, in substantial part, the kind of technology skills required to plan, coordinate and launch a cyber attack; the techniques are similar no matter the intent, whether an attack is launched as part of a criminal enterprise or as an effort to bring down a key component of a nation’s critical infrastructure. Examples of cybercriminal / terrorist cross-pollination include (but are certainly not limited to):
- Phishing (and spear phishing) attacks can be used to dupe an unwitting consumer into surrendering personally identifiable information, which in turn can be used to clean out a bank account … or to create an effective false identity to enable cross-border movement. According to identity fraud expert Judith Collins, “All acts of terrorism enacted against the United States have been facilitated with the use of a fake or stolen identity,” with 5% of all identity thieves connected to terrorism and 2% specifically to Al-Qaeda.
- Malware can be used to siphon traffic and data for illicit internet advertising … or to effect a devastating attack on critical infrastructure like a power grid.
- Botnets can be used to disseminate that malware … and/or for extortion, a Distributed Denial of Service (DDoS) attack, or other destructive behavior.
- Hacking into protected computer systems can serve multiple objectives from criminal to terroristic.
Nor is the issue limited to cyber terrorist exploits specifically: cybercrime can be used to generate financing for terrorist activity in the same way that drug smuggling or human trafficking does. And as detailed by the IMF, it offers terrorist organizations a means of transferring and laundering funds.
As the links between criminals driven by greed and terrorists driven by violent ideology grow, the question for those charged with fighting both – indeed, for all of us – is, how do we stop it? And the first step in stopping it is, do we even recognize that these links exist?
Does law enforcement recognize the link between cybercrime and cyber terrorism?
The general approach to policing and/or combating most forms of illicit activity has its roots in an earlier, pre-internet era. Indeed, much earlier: the modern police philosophy that we recognize today grew out of efforts in the 18th and 19th centuries to explicitly separate the spheres of military and law enforcement activity, concurrent with the evolution of Enlightenment notions of citizenship versus subject.* As a result of the evolution of modern criminal justice / law enforcement doctrine and philosophy, we entered the post-9/11 period with a fragmented approach to the cyber threat. Counter terrorism agencies were trained to look for and disrupt violent jihadist networks … not digital fraud. Agencies like the Federal Trade Commission or State Attorneys General on the other hand were created to protect consumer rights … not to stop terrorism.
Unfortunately, today’s cyber bad guys do not necessarily observe the niceties of such boundaries between the realms of war, crime and fraud.
“The problems of organized crime and terrorism were often considered separate phenomena prior to the September 11th attacks,” writes lawyer and criminology researcher Frank Perri. “Security studies, military and law enforcement seminars discussed the emerging threat of transnational organized crime or terrorism, but the important links between the two were rarely made…” (Frank S. Perri and Richard G. Brody in the Journal of Money Laundering Control, emphasis added).
Cyber Broken Windows
Can a cyber “Broken Windows” approach help cope with the blurring line between cybercrime and cyber terrorism? Most people are familiar with the “Broken Windows” theory of criminology (James Q. Wilson and George L. Kelling). Greatly simplified, the theory suggests that by maintaining law and order and prosecuting minor offenses such as vandalism, more serious crime might be headed off or prevented entirely as a result.
In the cyber version of Broken Windows, the theory could be interpreted to mean that cyber fraud begets cybercrime, and cybercrime facilitates cyber (and real world) terrorism. From a security services and law enforcement perspective, this approach would only work if there is coordination of effort to combat this spectrum of illicit cyber activity.
There is evidence that this is precisely the approach that is being increasingly adopted by key government agencies – i.e., the development of a more sophisticated understanding of the nexus between cybercrime and terrorism. As a result, the patchwork of enforcement and prevention efforts is (slowly) being knitted together. In the U.S., this increasingly integrated approach is being spearheaded by the Departments of Justice and Homeland Security, leveraging organizational structures such as the National Cyber Investigative Joint Task Force and the National Counterterrorism Center.
In particular, the Federal Bureau of Investigation (FBI) stands as a powerful example of an agency that is working to reduce the “silo-effect”. I had the opportunity to see elements of this firsthand, as part of a cybersecurity company called Online Intelligence that worked to combat cyber fraud. Facilitated by a colleague who is a former FBI Special Agent and cybercrime specialist – as well as my own anti-terrorism background in the U.S. Navy – we first met with the FBI about five years ago, providing an opportunity to observe an interagency and public-private approach, one that better takes a holistic approach to the multi-headed cyber threat. FBI Director Robert Mueller pioneered this revolutionary shift in strategy and operations at the nation’s leading law enforcement agency shortly after the 9/11 attacks, and Director James Comey has continued it. Under their leadership, the FBI has transformed from a nearly exclusive crime fighting footing into an integrated counter-terrorism agency which also facilitates cyber attack prevention – no matter the intent.
This concept of preventing attacks and safeguarding people and assets has required the adoption of a different mind-set, a substantial paradigm and cultural shift at the Agency: one that looks to disrupt and interdict attacks as well as to solve crimes that have already occurred. And today, after over a decade of effort to reorient itself, the FBI is perhaps the best positioned federal agency in the United States to break down the silos and connect the dots between cyber fraud, cybercrime and terrorism.
The cyber realm: borderless opportunity for good … and evil
The cyber realm is characterized by a perceived sense of statelessness, of few or no rules regulating a growing transnational digital society. There are clear benefits that flow from the openness and borderless nature of the Internet. But there are costs as well; the cyber world is one where criminals and terrorists can interact more easily than in the physical world, sharing techniques and exploits. Like an unlit alley in a dangerous urban landscape, black hat forums and dark internet meeting hubs provide effective environments for the bad guys to “meet” and learn from each other, often with impunity.
The increasing prevalence of cybercrime should raise red flags around the risks of cyber terrorism. According to Peter W. Singer of the Brookings Institution, 97% of the Fortune 500 companies have been hacked. FBI Director James Comey has said, “there are two kinds of big companies in America: those who have been hacked…and those who don’t know they’ve been hacked.” And as the United Nations put it in its report Cybersecurity: A global issue demanding a global approach: “cybercrime has now become a business which exceeds a trillion dollars a year in online fraud, identity theft, and lost intellectual property, affecting millions of people around the world, as well as countless businesses and the Governments of every nation.”
This phenomenon will become more, not less, pronounced over time: the motivations for both terror and crime are not going away, and the opportunity to exploit a common tool set to engage in both increases as technology (exponentially) develops. Our best and most effective defense is recognizing the convergence of cybercrime and terrorism; protecting ourselves from its effects; and interdicting it where we can. Policing systems developed over generations must continue to evolve to effectively meet the threat. A collective, integrated and coordinated approach is required across a range of players, public and private – one that involves collaborative efforts at the law enforcement and counter terrorism level, and one that involves the private sector stepping up to safeguard our systems and networks from attack.
Recognizing this growing and converging threat is unsettling. Mitigating it will be costly in terms of effort and resources. But the consequences if we fail to do so will be far worse.
* The topic of policing theory and development is a separate one, worthy of much more attention than can be provided by the scope of this blog. I had the extraordinary opportunity to write my thesis with Hsi-Huey Liang, Professor at Vassar College, shortly before his retirement; Dr. Liang was the author of The Rise of Modern Police and the European State System, and his historical analysis of the subject is an excellent treatment among other things of the connection between domestic order, security, the concept of citizenship and social progress.
By Don Mathis, Kinetic Social CEO
Continued from my last week’s post, Double, double toil and trouble Part #1
My last post described a crisis situation my command faced in Bahrain. It was 2002, and we had been warned that tens of thousands of angry demonstrators were heading our way, with the objective apparently of overrunning us.
The subject of the post was about how the Navy has taught me, among other things, to manage through a crisis. As I wrote last week, “it’s a skill that has come in handy in my civilian career. From swiftly changing market conditions to frivolous lawsuits, from irrational competitors to even less rational bloggers whose journalistic integrity would make Rita Skeeter blush … operating in an entrepreneurial environment sometimes feels like brief moments of sanity in an otherwise ultra-manic universe.”
But back to that day in 2002… in my last post I broke off just as, at the time, I was beginning to think we were in a true no-win scenario, that we might not actually get out of it unscathed. Or as we say in the service, we were on the verge of being in “a world of hurt.”
Watching how people reacted to all this was very interesting (I mean, in retrospect). Some folks fared badly. I remember one officer – not from my command (nor my branch of service I’ll add), and I won’t describe him further lest he someday read this – who was on the verge of real panic. He was planning to “commandeer” a vehicle and make a dash for it. He asked me if I wanted to come, as I caught him rifling through a cabinet for truck keys. And I’ll admit, it was tempting – staying where we were was beginning to feel like a death sentence. But I declined. Whatever the outcome, I understood that it was my duty to be there. It may have sucked, but I had volunteered for serving in the first place … abandoning that commitment wasn’t an option.
It was pretty much precisely at this moment that my Commanding Officer (CO) arrived on the scene. He didn’t need to come; he had left the safety of the main base to get there, and with the evacuation order in place and the Marines already deployed, he could very much have justified staying where he was. But he didn’t. Moreover, he would not have stayed away in a million years – we were “his people”, and he would have moved heaven and earth to be there and share the consequences with us.
This represents a phenomenon that I find is rarely understood by the “outside world” (i.e., those who haven’t served). When you have the privilege and responsibility to be a leader in the military, you learn quickly that it is all about your team, about your people. As a (different) Commanding Officer I once had used to say frequently, “take care of your people, and they will take care of you.” The bond you develop with your team, the sense of commitment to their safety and well being, goes far, far beyond what occurs in nearly any civilian counterpart scenario.
Back to my CO in Bahrain: not only did he come to join us at that moment, but he projected a vision of calm despite the overwhelming tension and impending violence. I’ll never forget the easy command he seemed to have of the situation … how he got the specwar commander to stand down his defensive perimeter and put away his heavy weapons, and yield the force protection mandate to the Fleet Anti-terrorism Security Team Marines with their non-lethal gear. How he got everyone aligned to complete the lock-down with order and discipline. How he ensured that we had at least a fighting chance to egress the area once our work was done and the violence had commenced.
It is a fair statement that without his leadership, people would have still been running about like headless chickens as the demonstrators crashed the gates. But this was a group that knew how to function as a team, and the CO had spent many months getting them to operate as such. He brought the team back to that level in a matter of moments. His transformation of the scene was almost breathtaking.
Long after, I asked him about that time. He admitted to me that he was as frightened as the rest of us. “But Junior,” he said to me, using the nickname that he had begun calling me on my first day reporting to him, “always, always keep your game face on.”
So what lessons can be drawn from this experience, lessons that transcend service in a war zone? A few, I think:
- First and foremost and always: the team matters, and it matters above all. The CO saved the day in Bahrain, but only because he had a good team in place already with mutual respect shared between leader and led. Note to the business leader: if you ever think that the story is more about you than your people, you are in real trouble.
- Second: keep your game face on. Not because you are trying to present a false sense of security in the face of adversity, but because situations are influenced by people as often as the other way around. Psychology is a part of every issue. Embody confidence because you find the reasons to be confident, and give that confidence to your team. If the guy or gal in charge loses their cool, you can bet that the team will too.
- Finally: act. Action solves problems, and “analysis-paralysis” rarely adds value beyond a certain point. Too many business leaders get shell-shocked when facing a crisis. Personally, when things seem challenging I find it helpful to remember that history is filled with people who have faced situations far harder than my own. Determine a solution and execute … even if it doesn’t work, at least you are engaged, and perhaps you’ve generated new options as a result. The CO that day immediately commenced giving direction to his command, and that eliminated much of the hand-wringing and doubt around the viability of our situation.
My Grandfather, who was a Captain in the Merchant Marine, used to say “God damn it, do something.” Be proactive, make a decision and – as we were only half-jokingly taught in Officer’s Candidate School – if that decision happens to be right, so much the better. A bias to action will overcome many obstacles in and of itself.
How one manages when times are good is no indicator of competence… it is when the challenges are extreme that we see who we really are. I got to see that in Bahrain. I’ve seen it at other times during my military service. And I’ve seen it in my civilian work (albeit with less dramatic consequences).
In a future post, I’ll talk about a time when I put that learning to a pretty serious test in my civilian job.
Oh, by the way, as to the situation that day in Bahrain? It culminated in anti-climax (for the US military, at least) … but this message about crisis management wouldn’t have resonated as well if I told you that upfront, would it have?
In fact, what makes it possible to focus on general learnings from a tale like this, for me anyway, is precisely because it ended benignly. Most of us in the military have had experiences post-9/11 that were also, perhaps, great “lessons learned” events, but that are far too painful to openly discuss. Or to debase by translating them into a business lesson.
The demonstration that day occurred at the Pearl Roundabout, and the protestors did try to march to the military air terminal. But the demonstration was smaller than the intel folks had forecast, and the marchers never got to us. The Bahrain anti-terrorism police stopped the protesters on the way, in much the same way they have stopped protesters in the last few years of the Arab Spring: with bone-breaking tactics.
And while this is not a political post or blog, it merits noting: these strong-armed tactics may have worked to stop the protests in their tracks. But the sense of hopelessness that drove them in the first place remains as palpable as ever across the Middle East. It is hard to see how there is a happy ending under such circumstances.
Don Mathis is the CEO and Co-Founder of Kinetic Social, a company launched in 2011 with a core focus of marrying “Big Data” to social media on behalf of large brand advertisers. He also serves in the active reserve of the US Navy, where he is the Commanding Officer of a highly deployable, selectively staffed, joint-service combat logistics unit that supports forward deployed war-fighters.