Do governments enlist cybergangs in their war efforts?
John Robb, the author of Brave New War, is one of those really innovative thinkers whose writings I always follow with great interest. His excellent blog – Global Guerrillas – has been in my RSS reader for a few years now – and I always find it full of contrarian insights on how technology, networks and globalization reshape military strategies.
Robb has just posted an interesting analysis of the recent concerns over the security of the critical infrastructure in America, particularly under the pressure from Chinese and Russian spies (a recent Wall Street Journal story on how “cyberspies” have penetrated parts of the US electrical grid is the one to blame here).
Robb’s analysis of the threat – along with the policy prescriptions – is unusually sober given how easily the topic of cybersecurity lends itself to overblown metaphors and paranoia.
Offensive cyber warfare is an asymmetric threat. It’s impossible to build an institutional capability in this realm. If it is needed during a time of extreme danger, it can be quickly outsourced to individuals and corporations with the requisite capability (we likely have more and better capability to conduct cyber warfare in the US than anywhere in the world if needed) with nearly zero ramp-up time. Since the opposition is using individuals and small groups to conduct offensive operations, every effort should be made to identify the hubs (people) of these networks to defuse, interdict, and counter-attack when necessary (piercing the cyber veil and getting to the actual person involved).
The part about the “cyberveil” I think is very important and probably crucial to solving the cyberwarfare problem. However, we also have to be realistic – it’s probably unachievable without having drastic tradeoffs in terms of anonymity and privacy – and I am not sure that an Internet without anonymity would be much better than an Internet without an occasional cyberwar (as a sidenote, during my stay in Estonia last week almost every single official I interviewed about cybersecurity mentioned the inevitable de-anonymization of cyberspace as the only means of cracking down on cybercrime; I am still not sure if it was just the Estonians or there is a growing pressure to make our online activities more visible).
However, the most interesting bit in Robb’s post comes at the very end of his post:
Since Russia and China don’t control their open source cyber capability, we may see an offensive event that causes mass disruption in the US/Europe. If it is large and deep enough, it could result in a cascade of events that result in war (and potentially even MAD) if we continue to think in terms of legacy notions of terrorism and cyber warfare (in that it can only be state sponsored or controlled).
I should warn you that this is contentious stuff. There are many animated debates about the degree to which governments like Russia’s are actually in control over what various cyber-gangs – who make their living mostly independent of the government by engaging in practices like cyber-extortion and just happen to have a Russian zipcode – are doing. Here is what Jeff Carr, who’s emerged as one of the leading proponents of what I call the “intermediary layer theory of cyberwarfare”, had to say about Robb’s post on his own very interesting blog, IntelFusion:
Russia and China DO exercise a degree of control over the actions of their nationalistic hackers. There is a middle tier of leadership that connects government officials at one end with Non-state hackers at the other. This middle tier is typically represented by nationalistic youth organizations in Russia and nationalistic hacker unions in China. With all due respect for John’s innovative thinking, in this case he’s missed a key component in how contemporary cyber warfare is being conducted.
Personally, I side with Robb, as I don’t believe in the governments’ ability to fully control what legions of their cyberwarriors are doing on the side (and also, as I tried to document in my last summer’s very experimental piece in Slate, the numbers of cyberwarriors are growing exponentially and this process is for sure out of government control). This doesn’t mean that the governments themselves are not building their own internal cyberwarfare units; why shouldn’t they?
Similarly, I don’t buy into IntelFusion’s theory that “Nashi organized the cyberwar on Estonia”. Anyone who has followed Russian politics over the last few years would know that Nashi – just like any other “made in Kremlin” party or entity – is so ineffective, useless, boring, and staffed by mediocre careerists – that it is probably unable to organize its own Christmas party, not to mention a full-fledged “cyberwar”. The hints at Nashi’s involvement that analysts like Jeff Carr are trying to find almost everywhere sound (to me at least) a bit overstretched. Here’s an example from IntelFusion’s blog:
The Nashi summer camp Innovation Forum was held on the same weekend as the first cyber attack was launched against Georgian President Saakashvili’s Web site. Sergei Markov attended. Connect the dots.
The myth of a mid-range Kremlin apparatchik (Sergei Markov is the favorite of the Western media) ringing up some Nashi party boss who then conducts his message to his shady cyber-underworld companions is very powerful – but given what we know, I’d say it’s still a myth (or, maybe, I’ve followed Russian politics for too long to have much faith in the technological prowess of its bureaucrats – not to mention aspiring bureaucrats who join organizations like Nashi).
How about we try to build another theory – this time about Nashi’s non-involvement? It can go like this: “The Nashi summer camp Innovation Forum was held on the same weekend as the first cyber attack was launched against Georgian President Saakashvili’s Web site. Sergei Markov attended. Both Nashi and Markov were in the middle of a forest, unable to connect to the Internet. Connect the dots”.
The fact that some poor chap has recently been singled out by his boss for participating in cyber-attacks (after publicly owning up to the same charge two years ago – a fact which wasn’t mentioned in most recent media reports) – and his boss, Sergei Markov, mind you, has nothing to do with cybersecurity and is one of Russia’s many talking heads with dubious connections to actual policy-making – does not really imply that there is some tier between the Russian government and the cyber-gangs organizing attacks on whole countries. It only implies that cyberwarfare makes for great publicity for all parties involved.
All in all, I do agree with Robb that no matter what the governments are cooking in their own cyber-kitchens, they have no absolute – if any – control over open-source cyberwarfare: as it gets cheaper to wage, more and more players would engage in it. Thinking about these issues in the old “government vs government” paradigm of classical warfare is not going to be of much help; we need an entirely new theory of cyberwarfare, which would factor in all the asymmetries.
Photo by Jvoss/Flickr