In the early days of the internet, criminals quickly saw the new technology as an avenue for data theft, extortion, and uninhibited global reach. These criminals found safe haven behind anonymizing technology and governments slow or unwilling to solve the puzzle presented by borderless technology.
The intersection of national security and digital technologies quickly rose to the level of great power politics between established governments in Russia, China, France, the UK, and the United States, where adversaries seek to steal military, political, and sometimes economic secrets from one another. Countries like Iran and North Korea have also turned to cyberspace for its asymmetric utility and escalatory ambiguity.
With the pervasive growth of internet activity around the world and readymade cyber capabilities prevalent online, the barrier for entry into the virtual battlefield is lower than ever. Developing countries, petty criminals, and hacktivist groups are the emerging hackers of tomorrow. Does a changing attacker profile require a different defense?
At the most recent meeting of The Cipher Brief’s Cyber Advisory Board, prominent experts from government, industry, and academia discussed the future of the cyber threat landscape. Chaired by General Michael Hayden, the former director of both the NSA and CIA, the Advisory Board questioned whether the decentralization of hacking capabilities might change how companies and governments anticipate and defend against cybercrime, cyber espionage, and even cyber warfare.
If one were to look at a “heat map of connections to the worldwide web,” said Hayden, they would see that “the world is powerfully connected now where the rule of law is strongest.” But this is changing, and in “those parts of the world where the web has not yet migrated, the rule of law is weak to non-existent,” he noted.
Already, we are seeing inklings of governments and criminal actors in developing countries – particularly in Southeast Asia, Latin America, and the Middle East – turning to cyber capabilities for profit and espionage. Much as the disorder and corruption prevalent in Eastern Europe have fostered enormous growth in cybercriminal networks, the progression of connectivity in these developing regions could do the same – multiplying the scale of security threats in cyberspace.
Furthermore, some Eastern European criminal networks and hacktivists even act as proxies for Russian intelligence services seeking to sow discord in Estonia, Georgia, and Ukraine – the blatant test bed for cyber disruption of infrastructure coupled with physical attacks. The rest of Europe and the United States are just now awakening to the Russian cyber-enabled disinformation machine and could soon find themselves targeted by attacks like those seen in Ukraine.
The distinction between threat actors such as states, criminals, and hacktivists is already blurred, in General Hayden’s view. “It is hard technically to distinguish the actors,” he said, “but I also think the actors are becoming less distinguishable. Criminal gangs are working on behalf of states and the perpetually angry are now subletting their activity for ISIS and other causes to which they want to attach themselves at the moment.”
What does this mean for the private sector? According to a Cipher Brief cyber advisor from the private sector, “defense is becoming increasingly futile.” Instead, in his mind, success will be marked by resiliency and the ability to recover and return to operations quickly, post-breach.
In the past, experts have been able to gauge cyber threats based on motive – profit, disruption, or intelligence collection. “The motivation of what the emerging hacker is,” one cyber advisor from industry argued, “is really going to define what the emerging hacker looks like, because it is a different set of skills and different drivers.” But, as another industry advisor noted, “we have an increasingly important issue of control on the nation-state side, where we are seeing actors that are by day working for the nation-state, and by night using the national signals intelligence platform for their own benefits.”
This has been observed not only in Russia and China, where intelligence officers often use their cyber capabilities to moonlight, but also with North Korean actors during the WannaCry ransomware campaign. This means that “on the attribution side, you are increasingly needing to determine if this is really truly government-sponsored activity, or hackers just using government resources for personal benefit,” said an industry leader with a background in the U.S. intelligence community.
And, while the line between government and criminal activity blurs, so does the line between law enforcement and national security services. Is criminal activity a national security threat? “There is kind of a death of a thousand cuts to this,” noted one advisor. “Is any one hack existential? No, but what about a billion?”
The consequences can add up, particularly if companies retaliate. “Another class of emerging hackers could be not the ‘angry other,’ but the ‘frustrated victim’,” said a leading academic. Companies are already turning to “hacking back,” regardless of its illegality, which could further destabilize an already shaky foundation of international cyber norms.
One of the bodies seeking to foster stronger international norms in cyberspace is a United Nations Group of Governmental Experts. In addition to the permanent members of Russia, China, France, the UK, and the U.S., less-developed countries are coming to the negotiating table, making consensus more and more difficult. And, in the eyes of another prominent academic in the conversation, these less-developed countries “are not following the same rule book.”
The need for U.S. leadership in this area, in the minds of the Cyber Advisory Board, is stark. The changing nature of the UN discussions revolves around the applicability of the UN Charter in cyberspace, yet China and Russia argue that the Law of Armed Conflict – particularly provisions over self-defense – does not apply in the virtual domain.
The U.S. initially found itself in the majority advocating for certain norms of an open and free internet, but developing countries are increasingly aligning with China and Russia. For example, India already appears to be moving to align with Russia and China on major issues of internet governance by focusing on the control over information rather than securing the flow of that information. “We are now in the minority,” said one participant. “That is bad for the rule of law, that is bad for developing norms, and it is going to be bad for the private sector.”
“I think we still have opportunities though,” said an industry advisor. “There are developing countries where cultural norms around online behavior have not been completely set.” He suggested investment in training and awareness programs in those regions to establish what “good behavior in cyberspace” looks like.
At the same time, corruption remains entrenched – and resilient – in many nations, and this pervades across sectors, including cyber activity.
“When you have a lack of rule of law and norms in a region or country, with corruption, human trafficking, and enormous amounts of power being shifted to individuals engaging in anti-social behaviors through cyber means,” an advisor said, “will the traditional control mechanisms, such as deterrence, be effective in those instances?”
“We know the answer is no,” he said. “We are not going to deter fraud and corruption.”
Levi Maxey is a cyber and technology analyst at The Cipher Brief. Follow him on Twitter @lemax13.