7
Non-state threats: From cybercrime to terrorism

Although states inspire the greatest fear in cyberspace, they are not the most prolific malfeasant actor category or the most pervasive threat to the average netizen. Three other categories of actors, each of which falls under the overarching designation of non-state actor, generate the majority of havoc that occurs in cyberspace. Criminals, hacktivists and terrorists in combination far exceed states in volume and variety of daily attacks and thefts that occur in and through cyberspace. Criminal actors constitute the largest and most substantial threat to cybersecurity, trailed at a substantial distance by hacktivists and terrorists.

The low barriers to entry and the wide reach and impact of cyberspace enable these non-state actors to pose security threats. For criminals, hacktivists and terrorists, the continued expansion of cyberspace and its associated technologies provides ample fertile ground for the development of capabilities within an environment that poses little risk to their physical safety. When asked why he robbed banks, the famous bank robber Willy Sutton responded: “because that’s where the money is.”1 If criminals, hacktivists or terrorists were asked the same about their use of cyberspace, they would no doubt provide a similar response. For criminals, cyberspace is where the majority of the wealth and information of the world resides and transits each day. For hacktivists, it is the new public square, with moderate amounts of anonymity, allowing them to form robust groups able to work together with low costs for communications and organization. Lastly, for terrorists, cyberspace is where many potential recruits can be reached, and a medium through which they can elevate their power relative to states at a low cost and potentially high return on investment. This chapter examines each of these categories of actor and emphasizes their motivations and the threats they pose.

Cyberspace is ripe for exploitation by non-state actors in most, but not all, states. In states where cyberspace is open and accessible, non-state actors have substantial room to maneuver both legally and illegally. By contrast, in states where cyberspace is not friendly to non-state actors, such actors are often mobilized as quasi-deniable proxies to enhance the cyber power of a state. The threats posed by non-state actors in and through cyberspace are substantial and, while unlikely to result in catastrophic attacks rising to the scale and complexity of a state-sponsored act of cyber war, the volume of non-state attacks can substantially overwhelm and challenge a state’s capacity to respond to specific incidents. Addressing non-state threats in cyberspace requires resources. The broad categories of non-state actors are examined independently below to highlight their unique utilization of cyberspace and the challenges they present to states, from criminological to national security threats.

Criminals

Cybercrime is by far the most prolific and arguably impactful threat in cyberspace. The proliferation of malware combined with its relative ease of use and online anonymity enable a panoply of criminal endeavors. The Federal Bureau of Investigation (FBI) Internet Crime Complaint Center, in its 2017 report on Internet crime, documented $1.4 billion in losses based on approximately 300,000 reports over the course of one year. Internet security firm McAfee estimates that total global cybercrime cost companies, individuals and governments between $445 and $608 billion dollars in 2017.² This equates to a global GDP loss of between 0.59 and 0.80 percent.³ The impact of cybercrime varies widely by country, with North America, Europe and Central Asia, and East Asia and the Pacific, suffering the greatest financial losses.

Most conversations on cybercrime emphasize the financial losses incurred by victims. Cybercrime, however, encompasses multiple classes and categories of behavior. Early definitions of cybercrime focused on four categories of crime originating in, or occurring through, cyberspace or computers. These included cybertrespassing, deception and theft, cyber pornography and finally cyber violence.⁴ For the purposes of this section, we examine cybertrespassing, deception/fraud/extortion, theft, violence, illicit commerce and a variety of sexual crimes. Cybercrimes involve criminal acts conducted on or with a computer, or within cyberspace. As this section illustrates, the expansion of cyberspace parallels a rise in criminal behavior online.

Cybertrespassing is the intentional unauthorized access to, or alteration, deletion, damage or destruction, or disruption of a computer, network, program or data. Trespassing in cyberspace is one of the most common criminal offenses and occurs across a variety of criminal contexts. One of the most famous examples of cybertrespassing was briefly examined in previous chapters when Mathew Broderick’s character in the movie WarGames hacks into his school’s computers to change grades, hacks into software vendors to steal games, and breaks into NORAD’s computer systems. While WarGames was a work of fiction, there are regular attempts globally by students to hack into and alter grades, steal tests, or a variety of other acts that constitute cybertrespassing. For instance, in April 2018, hackers attempted to hack a Fairfax County, Virginia, high school to alter grades from Fs to As.⁵ The perpetrators were caught and have been charged by local police.

Cyber deception/fraud/extortion is the deliberate obfuscation and manipulation of intent, characteristics (physical, logical or human persona) and behaviors in cyberspace for the purposes of gaining access to or altering the intended functioning of a computer, network, program or user. Deception is the primary means by which criminals manipulate human users. Deception in cyberspace is often referred to as social engineering and can enable cybertrespassing or other criminal activities. The most famous form of cyber deception is that of the Nigerian Prince email scam, which attempted to prey upon unsuspecting recipients who might willingly transfer money to an unverified third party. Cyber deception resulting in fraud or extortion can take the form of email system compromises, the theft of personal data for use in identify theft, denials of service to reorient users to other services or networks, malware or scareware that falsely present users with warnings of system compromise, phishing and spoofing – the use of fake documents, emails or text messages to enable access to computers or networks.

An increasingly prolific form of cyber extortion is the use of malware that, when installed on a target, encrypts all files on that system. Known as ransomware, these attacks require a system’s owner to pay a fee in bitcoin or another cryptocurrency to unlock their files. Ransomware attacks have been targeted at a wide array of institutions, businesses and individuals. Targets unwilling to pay a ransom run the risk of total data loss. Such attacks are increasing in number and diverse in their targets. One widely publicized attack occurred in 2016 when a hacker encrypted portions of the San Francisco Municipal Transportation Agency including its ticket purchasing terminals and requested a $70,000 ransom. The transportation agency never considered paying the ransom and instead reinstalled the the software on impacted systems. The payment of a ransom is not a guarantee that files will be decrypted as some implementations of ransomware are poorly written and fail to decrypt data even when the ransom is paid, as was the case of WannaCry in 2017. As with most cyberattacks, ransomware nearly always begins with deception or fraud, often in the form of social engineering.

Deception for fraud and extortion is the most common method criminal actors use to violate computers and networks. Metadata spoofing, the alteration of sender information, and the replication of common visual identifiers within emails, text messages or other communications media are common tactics. Figure 7.1 is an example of a spoofed email using both metadata (the sender poses as Amazon) and visual replication (the Amazon logos) to deceive the recipient. Typosquatting is another common form of deception used by criminals to replicate the look of a known website and registers a similar domain name accessed through the accidental misspelling of an intended website (e.g. typing foogle.com instead of google.com).⁶ Criminals often use broad deception techniques that work well against large numbers of individuals. This approach seeks to maximize return on investment for the criminal. In certain instances, criminals leverage specific techniques or information to “spear phish” or “whale” a single (individual) target who might prove to be a lucrative mark. However, more time and effort are required for tailored deception for fraud and extortion, with limited increases in the probability for success.

Figure 7.1 Phishing email example

Source: Radius https://radius.ie/amazon-scam-alert/amazon-customers-tricked-with-ticket-verfication-number-phishing-email-473445-2/

Cyber theft is the theft of data or resources from a computer or network. The most commonly considered form of cyber theft is that of data theft for use in fraud. Theft can be achieved through a variety of means but is most commonly instigated via the human persona layer. One of the largest incidents of cyber theft occurred in 2013 when hackers breached the point-of-sale systems of Target Corporation, the second-largest department store retailing in the United States, via the heating, ventilation and air conditioning units installed in stores. The hack resulted in the theft of 40 million debit and credit card numbers and 70 million records of personal information.⁷ The theft of credit card information and personal data is a common occurrence. However, the Target hack led to a temporary multi-billion dollar decrease in Target’s market capitalization, hundreds of millions of dollars in lost sales during the 2013 holiday season, $200 million in credit and debit card reissuance costs for banks, and an $18.5 million settlement with 47 states. The incident itself was not isolated and was followed several months later by an equally large data breach of American home improvement supplies company Home Depot in 2014.⁸

The Target and Home Depot hacks are part of a larger trend in criminal activities online. These activities seek the centralized accumulation of data in repositories. Attacks against corporate databases, email servers, point-of-sale systems often emphasize the theft of personally identifiable information (PII) that results in financial damage well beyond the initial corporate victim of an attack. The loss of PII, which is subsequently sold online in dark markets, leads to identity theft and results in substantial harm to individuals least able to address such challenges.

Data theft by cyber criminals is rampant, and the intersection of theft and organized criminal activities is growing and rapidly becoming a multi-billion-dollar industry.⁹ A relatively new form of cyber theft seeks to exploit the victim’s computational power. The theft of resources for the creation of botnets, collections of enslaved computers, has been around for quite some time and was used in the 2007 Distributed Denial of Service (DDoS) attacks against Estonia and the 2008 attacks against the Republic of Georgia.¹⁰ The purchase of enslaved machines in botnets is a readily available service on the dark web. Figure 7.2 is an image of the logo of the Tech service of the Islamic State, who provided information-technical solutions to avoid intelligence and law enforcement agencies. There are documented cases of members of the Islamic State purchasing DDoS capabilities via the dark web. The use of DDoS as a criminal tool to degrade or hold to ransom the websites of businesses, and the terrorist usage of the same tool to achieve political effects, highlight both the linkages between criminal and terror networks and the diffusion of tools and tactics across actor categories.

Figure 7.2 Logo of the Tech of the Islamic State

The utilization of botnets to create increasingly powerful DDoS attacks has begun to shift toward the creation of wealth through the theft of computational resources beyond extortion and political effects. Botnets stealing the computational resources of unsuspecting victims are available for sale in various time and scale increments.¹¹ While the theft of computer resources for botnets is not new, the rise of cryptocurrencies – virtual currencies representing monetary values equivalent to fiat currencies such as the US dollar – such as Bitcoin and Ethereum have resulted in the theft of computer resources for the purposes of mining for potential profits.¹² The theft of computer resources for cryptocurrency mining, a practice known as cryptojacking, steals the computer cycle resources, slowing down the functional operation of computers and increasing the energy consumption of those computers substantially.

Cyber theft for criminal ends is distinguishable from espionage in its profit-seeking motive. The breadth and depth of examples of cyber theft are far too numerous to list here. However, it is safe to say that, in line with the FBI statistics presented in the introduction to this chapter, the problem of cyber theft is growing.

Cyber violence is the utilization of cyberspace to achieve physical or psychological effects against target users or their systems. Unlike in the Bruce Willis action film Live Free or Die Hard, it is unlikely that hackers are going to cause remote computers to explode and kill their users anytime soon. This is not to say that hackers have not achieved physical violence against computers or their associated systems in recent years. One of the earliest incidents of physical criminal violence achieved through hacking occurred a decade ago, when a 14-year-old modified a TV remote and used it to maneuver and derail trams in the city of Lodz, Poland, injuring 12 people.¹³ Hacks that induce physical violence have been rare, but hackers have demonstrated the possibility for criminals to achieve physical violence.

The more pernicious and common forms of criminal violence in cyberspace have been cyberbullying and cyberstalking. Cyberbullying is “the willful and repeated harm inflicted through the use of computers, cell phones, and other electronic devices.”¹⁴ Cyberbullying is a more modern take on conventional bullying that has resulted in suicides and murders, and has been indicated as a contributing factor in mass shootings.¹⁵ Some studies indicate that up to 28 percent of all students experience cyberbullying during their secondary school education.¹⁶ While often overlooked in discussions on cybercrime, cyberbullying is a criminal offense that has resulted in numerous criminal convictions.

Closely related to cyberbullying, cyberstalking is the “repeated use of the Internet, e-mail, or related digital electronic communication devices to annoy, alarm, or threaten a specific individual or group of individuals.”¹⁷ All 50 states in the United States and most nations have enacted laws pertaining to stalking. Cyberstalking extends criminal acts of stalking into cyberspace and creates a pervasive and damaging set of conditions that harms victims.¹⁸ In 2013, three members of the Matusiewicz family were sentenced to life in prison for cyberstalking resulting in death, when the family members engaged in physical and online surveillance and abuse of their victims, the ex-wife of one of the defendants and one of her children, in the US state of Delaware.¹⁹ Criminal cyberstalking can be both technical and nontechnical – however, the common linking factor is the use of computers and associated technologies to threaten and harass victims. Criminal violence in cyberspace is complex and often extends violent acts found in traditional criminal activities to the new domain. Although cyberstalking and cyberbullying are often beyond the scope of broad cybercriminal analyses, they are unfortunately very common and result in substantial harm to victims.

Illicit marketplaces are commerce sites commonly hosted in dark web services, such as I2P and Tor, which provide customers with access to drugs, guns, credit and debit cards, hacking tools, pornography or a range of other illegal wares. The most famous illicit market, also referred to as a dark market, was Silk Road. Silk Road was a one-stop shop for a variety of drugs and illegal goods, run by an American, Ross William Ulbricht, also known as the “Dread Pirate Roberts.” On February 4, 2014, the FBI indicted Ulbricht for narcotics trafficking conspiracy.²⁰ Dread Pirate Roberts ran what was, at the time, one of the largest dark markets, with thousands of users engaged in illicit sales using cryptocurrencies.²¹ Dark markets account for more than $100 million in yearly drug sales and leverage transnational shipping and postal services as couriers.²² Despite repeated takedowns by government authorities around the world, these markets continue to redeploy and sell illicit items. Figure 7.3 is an image from a weapons site that has since been taken down, but which purported to sell everything from landmines to rockets. The use of hidden services within Tor to host dark markets is extremely controversial as the technical construction and operation of Tor is partially funded by the United States government and is the result of a naval research laboratory’s project. The challenge of halting dark markets is ongoing and will probably expand as cryptocurrencies become more common and encryption technologies make anonymous commerce increasingly feasible.

Figure 7.3 A dark net weapons market

Sexual crimes via cyberspace include the transmission of images of child pornography, rape, mutilation, bestiality, enslavement and a variety of other associated crimes facilitated by cyberspace. Among all forms of crime, US law enforcement considers child pornography to be the most serious and damaging form of criminal behavior in cyberspace.²³ The FBI estimated that its analysts reviewed more than 26 million images and videos of abuse in 2015 alone.²⁴ The National Center for Missing and Exploited Children (NCMEC) reported locating more than 10,500 victims of child pornography, with more than 4.4 million reports submitted.²⁵ One FBI investigation found a single website hosted within Tor had 200,000 registered users.²⁶ One man, Matthew Falder, leveraged cyberspace to blackmail 46 victims into sending increasingly explicit sexual images.²⁷ Three of his victims attempted to commit suicide.²⁸ The use of cyberspace for the facilitation of, transmission of images and video for, and blackmail of victims for the purposes of sexual crime, are unfortunately among the most common criminal activities within cyberspace. Very often, the investigation and subsequent prosecution of sex crimes facilitated in and through cyberspace require transnational cooperation among law-enforcement and intelligence agencies.

Although the impacts of economic cybercrime are often at the forefront of national and international discussions, the multitude of other criminal acts perpetrated in and through cyberspace is substantial and challenges all levels of jurisdictions from local communities to transnational bodies. Closely related, and often within the scope of cybercrime, is hacktivism. However, because the intentions of these individuals often – although not always – differ from “the purely criminal” intent, they are analyzed separately below.

Hacktivists

The term “hacktivist” combines “computer hacker” and “activist.”²⁹ Hacktivism, while commonly associated with the collective known as Anonymous, has roots dating back to the early days of the Internet. Early hacktivists engaged in “digital sit-ins” by visiting sites or engaging in acts to consume the computer resources of an entity, to signal moral, ethical or political disfavor with the activities of an organization or entity.³⁰ Hacktivism commonly revolves around a variety of techniques meant to disrupt, or degrade, the operational status of servers or computers, through the use of Denial of Service (DoS) or DDoS attacks, social engineering, Cross-site scripting (XSS),³¹ SQL injections³² or other minimally to moderately technical attacks.

Although originally a means to engage in activism online for political, moral or ethical signaling, hacktivism expanded substantially when, in 2008, “anons” (anonymous users) of the popular site 4Chan formed an organic effort in response to a leaked video of actor Tom Cruise promoting the Church of Scientology.³³ Anons began coordinating efforts to attack the organization via various internet fora and chatrooms. Prior to the 2008 attacks on the Church of Scientology, many anons hacked or engineered targets for the lulz (a pluralization of the term “LOL”: “Laugh Out Loud”).³⁴ Much of the early lulz-inspired hacking targeted individuals engaged in child pornography, businesses or organizations that could be easily spoofed for “fun,” and gave hackers a sense of power over their victims as well as amusement. Most of these hacks are criminal in nature, but distinguished from the profit-seeking, violent and sexually exploitative acts discussed in the previous section.

Individuals with a wide range of skills populate the ranks of hacktivist communities. The distribution of skills skews toward those with limited technical hacking abilities, but this does not limit their participation in the operations – or #Ops – that their community plans. Tools such as the Low Orbit Ion Cannon (LOIC) – a DoS application – enable any user to engage in coordinated operations established by Anonymous. However, the impact of LOIC is relatively small compared to that of botnets managed by some of the collective’s more talented hackers.

Anonymous is famous for its creed:

We are Anonymous.

We are Legion.

We do not forgive.

We do not forget.

Expect us.

Anonymous is made up of members from nearly every country in the world. The collective functions as a decentralized and loosely coordinated group that plans and executes operations against various targets. Sometimes these operations are motivated politically, and sometimes they are for lulz. One of their most famous operations, Operation Avenge Assange, included attacking banking and credit card systems in response to the blocking of donations to file-sharing site Wikileaks, following the release of Chelsea Manning’s documents. Operation Payback was a response to Bollywood companies attacking the popular peering site The Pirate Bay. Anonymous participants planned to attack Aiplex Software, the firm hired to DDoS The Pirate Bay, only to find it had already been DDoSed by an unknown hacktivist, and instead turned their attention to the Motion Picture Association of America (MPAA), the International Federation of the Phonographic Industry, the Recording Industry Association of America (RIAA) and the British Phonographic Industry.³⁵ In 2015, Anonymous famously declared “war” on the Islamic State in the aptly named “OPISIS.”³⁶ #OPISIS arose following the attacks on Charlie Hebdo in Paris and sought to identify and take down ISIS-affiliated Twitter accounts and websites around the world. Experts have found the impact of #OPISIS on the operational capacity of the Islamic State was negligible.³⁷

Although the most famous grouping of hacktivists is Anonymous, they are probably not the most impactful. “Patriotic” hackers generally fall under the same rubric of hacktivism. Members of Anonymous have been instrumental in signaling displeasure to states following a variety of diplomatic incidents. Alex Klimburg writes that states can motivate, and often work in tandem with, non-state hackers to signal intentions to other states.³⁸ There have been numerous incidents of “patriotic hackers” coming to the “aid” of states in times of perceived crisis. In 2001, following the mid-air collision of a US surveillance plane and a Chinese fighter aircraft, Chinese hackers defaced a number of prominent websites in the United States. In 2007 and 2008, Russian “patriotic hackers” closely timed DDoS, XSS, SQL injections and a variety of other attacks against both Estonia and the Republic of Georgia, when international relations between these states and Russia hit new lows.³⁹

Criminal cyber activities – such as financial crimes, and violent, harassing and sexual acts online – are often motivated for a variety of nefarious reasons. Similarly, the motivations of hacktivists are equally diverse, and complex. Simply hacking for lulz would not constitute hacktivism, and instead is more akin to low-level criminal deviance. Hacktivism spans a gambit of motivations, from libertarian ideals of freedom of information and anarchic tendencies, on one side, to highly motivated patriotic or nationalistic tendencies on the other side of the spectrum. Despite the alignment of the state and hacktivists’ motivations on the patriotic side of the spectrum in some instances, the position of hacktivists is not static. Today’s patriotic hacker can be tomorrow’s anarchist or libertarian, following changes in laws or government policies. Slightly outside of the spectrum of hacktivism, which ranges from libertarian–anarchistic to patriotic–nationalistic ideas, is yet another category, best described as nihilistic, which focuses on the absence of belief.

Hacktivism and hacktivists have found a prominent home within popular culture, yet the overarching difficulty in engaging in highly complex cyber capability development at the individual level, or even through decentralized collectives, remains one of the largest impediments to making this category of hackers a substantial threat. Over the last two decades, many organizations have learned to deal with the techniques employed by hacktivists, such as XSS, SQL injection and even DDoS, thus impairing their impact. Hacktivists often reuse tools and resources and attack 1-day or 1-day+ exploits – meaning that they leverage exploits that have previously been discovered and might have been patched. The resources available to hacktivists are substantial within deep and dark websites. By pooling their efforts, hacktivists are increasingly able to access capabilities and resources that exceed those of any one individual. Yet their ability to coordinate and undertake large-scale operations remains limited by a number of costs – for instance, those associated with surveillance and reconnaissance. While the threat hacktivists present to states is limited, they are still able to cause some damage and can embarrass or even harm individuals, corporations and governments through doxing (the search for and publishing of private or identifying information about an individual on the Internet for malicious intent) or social engineering, among a variety of other potential exploits.

Cyberterrorists

Since 9/11, an overwhelming amount of resources and research has been devoted to cyberterrorism. There have been many prognostications of forthcoming doom due to the terrorist use of cyberspace. Despite the multitude of articles written on the subject, both in the academic and the popular press, and the large number of successful cyberattacks conducted by “cyberterrorists,” relatively few have resulted in meaningful consequences. Most terrorist- perpetrated cyberattacks have come in the form of XSS, SQL injection or the release of documents already publicly available. While the impact of terrorist cyberattacks has centered mainly on website defacement and document dumps of quasi-private information, terrorist use of cyberspace has changed the way in which terrorists organize, recruit and plan operations in the physical world. Early debates put a great deal of emphasis on understanding and preventing potential terrorist attacks in and through cyberspace. In the last few years, experts have increasingly emphasized the use of cyberspace for the organization and planning of terrorist incidents.

Cyberterrorists differ from both cyber criminals and hacktivists primarily in their motives. Differentiating between the motives of some cyberterrorists and some hacktivists requires walking a very thin line. At its most basic, cyberterrorism is the use of cyberspace to commit terrorism.⁴⁰ This definition begs the question of what constitutes terrorism. Terrorism, according to Bruce Hoffman, “is violence – or, equally important, the threat of violence – used and directed in pursuit of, or in service of, a political aim.”⁴¹ This definition, though it is debatable, reveals the greatest impediment to terrorism in cyberspace: the ability to commit or credibly threaten violence. Few violent cyber incidents have occurred in the young history of cyber conflict, other than accidental hacking and the use of a reprogrammed remote control in Poland by a teenager to crash streetcars. These incidents do not fit with common definitions of terrorism because they were apolitical. Achieving political violence through cyberspace is extremely difficult and requires a complex set of skills that can often only be provided by multiple individuals working together within a stable environment. Creating politically violent effects in cyberspace often requires advanced persistent presence within a remote system, which necessitates intelligence, surveillance and reconnaissance, and often command and control (C2) capabilities. The costs associated with developing a violent cyberattack are comparatively low for state actors, relative to other weapon systems, yet they are high for non-state actors such as terrorists, absent third-party funding. Storybox 7.1 discusses some of the hackers and hacks of the Islamic State in Iraq and Syria (ISIS).

Storybox 7.1 The ISIS hackers

Throughout late 2014 and into 2015, a group of ISIS-affiliated hackers known as teaMp0ison claimed credit for a variety of hacks, including the hacking of the Twitter and YouTube accounts of US Central Command (CENTCOM) on the same day that US President Barack Obama gave a speech on cybersecurity.⁴² Hackers posted a variety of Tweets with missives against the United States and the coalition battling ISIS. One post said “In the name of Allah, the Most Gracious, the Most Merciful, the CyberCaliphate continues its CyberJihad,” while another said: “American soldiers, we are coming, watch your back.”⁴³ While briefly in control of CENTCOM’s accounts, the hackers also posted what they claimed were classified documents stolen from CENTCOM and other US military and intelligence agencies. These claims were subsequently debunked.⁴⁴

Analysis from the University of Toronto’s Citizen Lab found evidence that ISIS-affiliated groups also probably engaged in targeting of human rights activists and others in Syria through social engineering and spyware.⁴⁵ Analyses from multiple sources indicate that the level of hacking skill within the various hacking teams in ISIS was relatively low. The cyber jihadis used a variety of readily available social engineering techniques and malware.

The most prominent ISIS hacker on teaMp0ison was a British Pakistani man named Junaid Hussain. Hussain had a previous criminal record, including an arrest for hacking into the email account of former British Prime Minister Tony Blair in 2012.⁴⁶ Junaid, other hackers from teaMp0ison, and other groups including Lizard Squad attempted to form what they referred to as the “Cyber Caliphate.”⁴⁷ The Cyber Caliphate engaged in low- to moderate-level hacking and extensive social engineering. In addition to their hacking prowess, members including Hussain became well-known ISIS propagandists.

Junaid Hussain is thought to have been added to the Disposition Matrix, a US government “kill list” for high-level targets, primarily because of his propaganda efforts and ability to inspire “lone-wolf” terrorism, rather than his hacking skills. Hussain was killed in a drone strike on August 24, 2015, according to US government sources.⁴⁸ He is the only known hacker to have been deliberately targeted by a drone strike.

Although cyberterrorists have attracted much attention, their skill levels tend to be low to moderate. Those few terrorists who do possess substantial hacking skills have so far been unable to regroup and achieve a level of coordination comparable to large criminal enterprises, hacker collectives such as Anonymous, or states. Yet, despite a lack of numbers, members of Al-Qaeda and ISIS, among other terrorist groups, have made substantial headway into cyberspace in a variety of contexts. Most notably, hacker groups such as the “Cyber Caliphate” and others are responsible for a variety of website defacements and doxing.⁴⁹

Cyberterrorists to date have almost exclusively gone after low-level targets, generally websites with known vulnerabilities. However, with state assistance from sponsoring regimes such as Iran, cyberterrorists might be able to substantially increase their capabilities. Although cyberterrorists are not presently a major threat to states, their attacks do impose costs and challenge a variety of smaller actors. Cyberterrorist doxing efforts have proven particularly disturbing and have led to the release of personal information on public officials around the world – most notably on members of the US military. Often the release of documents is accompanied by calls within terrorist propaganda channels to target the individuals named in the documents. To date, there are no known instances in which individuals named within such documents were subsequently killed by terrorists.

Terrorists most commonly use cyberspace to organize and coordinate their activities, communicate propaganda and recruit new members.⁵⁰ In November 2008, terrorists from Lashkar-e-Taiba (LeT) killed more than 172 people in an attack on hotels and streets in Mumbai, India. Subsequent investigations found that the terrorists had leveraged mobile communications, online groups and Google Earth mapping to plan and organize the resources for the attack. Since then, dozens of physical attacks have similarly relied on cyberspace to plan and coordinate terror in the physical world. One of the most notable attacks occurred in 2015 when ISIS-inspired attacks on Paris led to the deaths of 137.

The reach and messaging of terrorist organizations are both extended and amplified within cyberspace. Services such as Twitter and Facebook provide a readily available and accessible platform for group organization and mobilization.⁵¹ While the use of these platforms by terrorists is widespread, it is not without challenges. Intelligence and law-enforcement agencies have long sought to use the open distribution of information on these platforms to identify, interdict, or capture terrorists in advance of, or following, attacks. Their efforts have forced terrorists to adopt new tactics to avoid being caught, using encryption and software or protocols that enable or facilitate anonymity.⁵² Terrorists have also shown a moderate level of interest in the utilization of cryptocurrencies such as bitcoin, to evade restrictions on money laundering and financial transfers for criminal or illicit purposes.⁵³

Starting in 2015, the US Army Cyber Command (ARCYBER) began directly targeting ISIS and Al-Qaeda networks in what has become known as Joint Task Force (JTF) Ares. This effort has sought to identify and neutralize the online presence of various terrorist organizations.⁵⁴ Some US policy-makers have criticized this initiative, feeling that JTF Ares did not accomplish enough.⁵⁵ US military efforts to engage and counter online terrorist organization and coordination has been frustrated by the speed with which terrorists have been able to quickly and effectively reconstitute their online networks. Attempts to remove terrorists from cyberspace have been frequently referred to as a “whack-a-mole” concept, after the famous carnival game where a player attempts to bonk one mole on the head, only to have others quickly rise to take its place in nearby locations. For the foreseeable future, the challenge of combatting terrorists online is likely to remain. New reports indicate an increased effort by transnational terrorist organizations to leverage the dark net to recruit and organize out of sight of intelligence and law-enforcement agencies.⁵⁶ Given the trend towards more online coordination, it is likely that future terrorists will organize and generate effects that challenge states, leading to attacks or exploits that are comparable to those orchestrated by larger hacker collectives and criminal organizations.

The non-state actor(s)

Although the biggest threats to national security in cyberspace originate at the state level, non-state actors pose substantial challenges across a variety of interest areas central to the functioning of stable societies. Malicious non-state actors cost individuals, businesses and states vast sums of money on an annual basis, and their use of the Internet for criminal or terrorist activities harms the reputations, and degrades the digital and physical safety, of the average netizen. Curtailing malicious activities in cyberspace is time-consuming and costly.

To date, state efforts to do so have been unsuccessful, even in repressive countries such as China and Russia. China, through its use of the Great Firewall and domestic surveillance mechanisms, has one of the most censored and controlled domestic cyberspaces in the world. Yet, despite all these controls, China remains home to a substantial number of bots, cyber criminals and hacktivists who actively seek to avoid censorship and surveillance.⁵⁷ Since the 1980s, Russia has used a variety of means to control its growing domestic cyberspace. Most notably, Russia has employed intercept devices that monitor all traffic on domestic networks and can engage in deep-packet inspection of that traffic.⁵⁸ Russia, too, remains one of the most prolific points of origin for cybercrime.

The use of control, censorship and surveillance in domestic cyberspaces tends to affect the civil liberties of citizens, in direct contravention of many of the goals originally promoted by early users and developers of the Internet. And while these controls often limit domestic cyber criminals targeting domestic actors – for instance, Russian cyber criminals are less likely to hack other Russians or the Russian government, and Chinese cyber criminals are less likely to hack other Chinese – these measures are unlikely to apply beyond the state’s borders. Hacktivists from repressive countries are also more likely to target their ire outside of their domestic cyberspaces.

The proliferation of cybercrime is likely to continue and intensify as more and more users and their computers come online. Cyberspace is a target-rich environment. The saying goes that there are two types of people or companies in cyberspace: those who have been hacked and know it, and those who have been hacked and don’t know it. Statistically, the probability of being hacked in cyberspace in a given year is greater than 100 percent. These hacks are almost always the result of criminals attempting to steal information or data to generate a profit.

At the international level, states banded together as early as November 23, 2001 to sign the Budapest Convention on Cybercrime. More than 56 countries are signatories of the convention, which seeks to harmonize laws relating to cybercrime and facilitate multilateral legal assistance (MLAT) to investigate and prosecute cyber criminals. Although the Budapest Convention has a broad base of adoption, it does not cover a number of important countries, including Russia and China.

Since the signing of the Budapest Convention, the volume of cybercrime has increased substantially and shows no signs of abatement. There is rarely a week that passes in which there is not a news story detailing a large cyber breach of a major company, hospital or organization. What these articles often overlook is the heavy toll that the cybercrime can have on individuals, in the form of identity theft or stolen financial resources. Non-state actors who actively seek to violate the laws of states – whether for profit, lulz or terrorist objectives – challenge law-enforcement and intelligence agencies at all levels. At the lowest levels of criminal jurisdiction, most police departments simply do not have qualified staff to assess or investigate cybercrime. In higher jurisdictions, the volume of cases is overwhelming. In the near term, the challenges faced by states in addressing non-state cyber threat actors are likely to grow.

Discussion questions

1. Who are non-state actors in cyberspace and why do they create so many problems for states?

2. Why is cyberterrorism so difficult to accomplish?

3. What is the impact of cybercrime on individuals within different societies?

Further reading

Marc Goodman, Future Crimes: Everything Is Connected, Everyone Is Vulnerable and What We Can Do About It (New York: Doubleday, 2015).

Parmy Olson, We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency (New York: Back Bay Books, 2013).

Gabriel Weimann, Terrorism in Cyberspace: The Next Generation (New York: Columbia University Press, 2015).

Notes

  1  Federal Bureau of Investigation, “Willie Sutton,” www.fbi.gov/history/famous-cases/willie-sutton.

  2  James Lewis, Economic Impact of Cybercrime: No Slowing Down (Washington, DC: McAfee, 2018).

  3  Lewis, Economic Impact of Cybercrime.

  4  Thomas J. Holt, George W. Burruss and Adam M. Bossler, Policing Cybercrime and Cyberterror (Durham: Carolina Academic Press, 2015), 8–9.

  5  Justin Jouvenal, “Hackers Tried to Change Grades at Virginia High School, Police Say,” Washington Post, April 4, 2018, www.washingtonpost.com/local/public-safety/hackers-tried-to-change-grades-at-virginia-high-school-police-say/2018/04/03/924ecf82-3765-11e8-acd5-35eac230e514_story.html.

  6  Claes Bell, “Typosquatting: Identity Theft Built on Spelling Errors,” Bankrate, August 15, 2015, www.bankrate.com/finance/credit/typosquatting-identity-theft.aspx.

  7  Shu et al., “Breaking the Target.”

  8  Brett Hawkins, “Case Study: The Home Depot Data Breach,” SANS Institute, January 2015, www.sans.org/reading-room/whitepapers/breaches/case-study-home-depot-data-breach-36367.

  9  Goodman, Future Crimes.

10  Beehner et al., A Contemporary Battlefield Assessment.

11  Brett Stone-Gross, Marco Cova, Bob Gilbert, Richard Kemmerer, Christopher Kruegel and Giovanni Vigna, “Analysis of a Botnet Tracker,” IEEE Security & Privacy 9/1 (1,710): 64–72.

12  Shayan Eskandari, Andreas Leoutsarakos, Troy Mursch and Jeremy Clark, “A First Look at Browser-Based Cryptojacking,” arXiv (March 2018), https://arxiv.org/pdf/1803.02887.

13  John Leyden, “Polish Teen Derails Tram after Hacking Train Network,” Register, January 11, 2008, at www.theregister.co.uk/2008/01/11/tram_hack.

14  Sameer Hinduja and Justin W. Patchin, “Bullying, Cyberbullying, and Suicide,” Archives of Suicide Research 14 (2010): 206–21.

15  James H. Price and Jagdish Khubchandani, “Adolescent Homicides, Suicides, and the Role of Firearms: A Narrative Review,” American Journal of Health Education 48/2 (2017): 67–79.

16  Justin W. Patchin, “Summary of Our Cyberbullying Research (2004–2016),” Cyberbullying Research Center, November 26, 2016, https://cyberbullying.org/summary-of-our-cyberbullying-research.

17  Robert D’Ovidio and James Doyle, “Study on Cyberstalking: Understanding Investigative Hurdles,” FBI Law Enforcement Bulletin 72/3 (2003): 10–17.

18  Brian H. Spitzberg and Gregory Hoobler, “Cyberstalking and the Technologies of Interpersonal Terrorism,” New Media and Society 4/1 (2002): 67–88.

19  Lauren Walker, “Three Family Members Received Life Sentences for the First-Ever Cyberstalking-to-Death Conviction,” Newsweek, February 26, 2016, www.newsweek.com/family-receives-life-prison-first-ever-cyberstalking-conviction-430833.

20  US District Court, Southern District of New York, United States of America v. Ross William Ulbricht, Indictment, February 4, 2014.

21  Kim Zetter, “How the Feds Took Down the Silk Road Drug Wonderland,” Wired, November 18, 2013, www.wired.com/2013/11/silk-road.

22  Kyle Soska and Nicolas Christin, “Measuring the Longitudinal Evolution of the Online Anonymous Marketplace Ecosystem,” Proceedings of USENIX Security Symposium, August 12–14, 2015, Washington, DC.

23  Holt, Burruss and Bossler, Policing Cybercrime and Terror.

24  Federal Bureau of Investigation, “The Scourge of Child Pornography: Working to Stop the Sexual Exploitation of Children,” April 25, 2017, www.fbi.gov/news/stories/the-scourge-of-child-pornography.

25  Federal Bureau of Investigation, “The Scourge of Child Pornography.”

26  Federal Bureau of Investigation, “The Scourge of Child Pornography.”

27  Lizzie Dearden, “Sadistic Paedophile Jailed for 32 Years after Blackmail Campaign on the Dark Web,” Independent, February 20, 2018, 18–19.

28  Dearden, “’Sadistic paedophile jailed.”

29  Luke Goode, “Anonymous and the Political Ethos of Hacktivism,” Popular Communication 13/1 (2015): 74–86.

30  Marco Deseriis, “Hacktivism: On the Use of Botnets in Cyberattacks,” Theory, Culture & Society 34/4 (2017): 131–52.

31  Cross-site scripting is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users.

32  SQL injection is a code injection technique, used to attack data-driven applications, in which nefarious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).

33  Parmy Olson, We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency (New York: Back Bay Books, 2013).

34  Olson, We Are Anonymous.

35  Burcu S. Bakioǧlu, “The Gray Zone: Networks of Piracy, Control, and Resistance,” The Information Society 32/1 (2015): 40–50.

36  Keely Lockhard and Myles Burke, “Video: #OpISIS: Why Anonymous Has Declared an Online War Against Isil – in 90 Seconds – Telegraph,” Telegraph, December 11, 2015, www.telegraph.co.uk/news/worldnews/islamic-state/12003242/OpISIS-Why-Anonymous-has-declared-an-online-war-against-Isil-in-90-seconds.html.

37  Emerson T. Brooking, “Anonymous vs. the Islamic State,” Foreign Policy, November 13, 2015, https://foreignpolicy.com/2015/11/13/anonymous-hackers-islamic-state-isis-chan-online-war.

38  Alexander Klimburg, “Mobilising Cyber Power,” Survival 53/1 (2011): 41–60.

39  Beehner et al., A Contemporary Battlefield Assessment.

40  Gabriel Weimann, Terrorism in Cyberspace: The Next Generation (New York: Columbia University Press, 2015), 6.

41  Bruce Hoffman, Inside Terrorism (New York: Columbia University Press, 2006), 2.

42  Helene Cooper, “U.S. Military Social Media Feeds Are Seized by ISIS Sympathizers,” New York Times, January 13, 2015, A4.

43  Cooper, “U.S. Military Social Media Feeds Are Seized by ISIS Sympathizers.”

44  David C. Gompert and Martin C. Libicki, “Decoding the Breach: The Truth About the CENTCOM Hack,” The RAND Blog, February 3, 2015, www.rand.org/blog/2015/02/decoding-the-breach-the-truth-about-the-centcom-hack.html.

45  John Scott-Railton and Seth Hardy, “Malware Attacks Targeting Syrian ISIS Critics,” Citizen Lab, December 18, 2014, https://citizenlab.ca/2014/12/malware-attack-targeting-syrian-isis-critics.

46  RFSID, “Cyber Caliphate: ISIS Plays Offense on the Web,” Recorded Future, April 2, 2015, www.recordedfuture.com/cyber-caliphate-analysis.

47  RFSID, “Cyber Caliphate.”

48  Editor, “UK Jihadist ‘Killed in Drone Strike,’” BBC News, August 27, 2015, www.bbc.co.uk/news/uk-34078900.

49  Christopher Heffelfinger, “The Risks Posed by Jihadist Hackers,” CTC Sentinel 6/7 (2013): 1–5.

50  Jytte Klausen, “Tweeting the Jihad: Social Media Networks of Western Foreign Fighters in Syria and Iraq,” Studies in Conflict & Terrorism 38/1 (2014): 1–22; Gabriel Weimann, “Cyberterrorism: The Sum of All Fears?” Studies in Conflict & Terrorism 28/2 (2005): 129–49.

51  J. M. Berger and Jonathon Morgan, The ISIS Twitter Census: Defining and Describing the Population of ISIS Supporters on Twitter (Washington, DC: Center for Middle East Policy at Brookings, 2015).

52  Brantly, “Innovation and Adaptation in Jihadist Digital Security.”

53  Aaron F. Brantly, “Financing Terror Bit by Bit,” CTC Sentinel 7/10 (2014): 1–5; Joshua Baron, Angela O’Mahony, David Manheim and Cynthia Dion-Schwarz, National Security Implications of Virtual Currency (Santa Monica, CA: RAND, 2015).

54  Sanger, The Perfect Weapon.

55  Sanger, The Perfect Weapon.

56  Hsinchun Chen et al., “Uncovering the Dark Web: A Case Study of Jihad on the Web,” Journal of the American Society for Information Science and Technology 59/8 (2008): 1347–59; Gabriel Weimann, Going Darker? The Challenge of Dark Net Terrorism (Washington, DC: Wilson Center, 2018).

57  Jon R. Lindsay, “The Impact of China on Cybersecurity: Fiction and Friction,” International Security 39/3 (2015): 7–47.

58  Soldatov and Borogan, The Red Web.