Cyber-Gang Warfare

On February 11, the Washington Post reported that a forthcoming National Intelligence Estimate has concluded that the United States is the target of "massive, sustained" cyber-espionage campaigns that threaten its economic future.

The new NIE has not been publically released, so it is not clear specifically which attacks or threats it documents, but the most visible recent attack comes from a cyber-militia labeling itself Iz a-Din al-Qassam Cyber Fighters. In September of last year, this group announced that it had launched an attack on a collection of U.S. banks in retaliation for the "Innocence of the Muslims" (the video that ignited violent protests across the Middle East on September 11, 2012). Al-Qassam’s attack is one of the largest and most persistent distributed denial of service (DDOS) attacks on record, dwarfing the 2007 Russian cyber-militia attack that crippled Estonia. Authorities have described al-Qassam’s capabilities as military-grade and speculated about the organization’s ability to disrupt the already ailing U.S. economy. This month, after nearly six months of persistent attacks, cybersecurity experts have largely concluded that al-Qassam is a front organization created to screen an Iranian cyberassault on the U.S. financial system.

Whether or not the new NIE references the al-Qassam-Iran campaign, the attack is representative of a technique countries are increasingly using to strike at the United States and other countries — one that has so far proven nearly impossible to defend against or deter. The stratagem involves surreptitiously building autonomous citizen hacker groups and using them to deflect responsibility for attacks originating directly or indirectly from the state sponsor. While it may seem implausible that this simple technique would work, over the last decade states have regularly used it to shield a variety of aggressive acts from legal or diplomatic reprisal, and it is becoming clear that this approach to cyberwarfare is harming the U.S. economy just as the Post reported.

Although seldom discussed, state use of cyber-militias has become a significant dynamic in international relations. As the cyber revolution has matured, cyber-militias have become the key to the most lucrative piratical strategy in history. Over the last decade, a large proportion of global commerce and military infrastructure has moved into cyberspace. Commercially, the developed world has transferred a large proportion of its physical industry offshore and refocused on developing intellectual property, almost all of which is stored online; at the same time, financial transfers have moved from paper to computer networks. Militarily, the plans for major weapon systems are developed on computers, and when fielded, the weapons are controlled by chips linked directly or indirectly to cyberspace. Strategically, electric grids, gas pipelines and other critical infrastructures are now controlled from cyberspace. In recent years, states that have been able to tap into this cyber trove have substantially improved their financial and military positions.

As states have attempted to seize and manipulate the wealth and weapons stored online, the reason so many have turned to cyber-militias is that they muddle attribution. The basic problem for countries hoping to use cyberweapons for profit and influence is the same one that prevents them from using conventional weapons: Other states frown on nations that use force or fraud against their neighbors. While it is more difficult to determine the source of a cyber-raid than a conventional attack, attribution is often still possible. Even when victims cannot trace attacks using cyber-forensics, there is a good chance they can do so using more traditional methods. For states hoping to steal or destroy their opponents’ online property, attribution creates a bothersome deterrent. Indeed, there are few acknowledged cases of state-backed cyber-raids against other countries.

As the cyber universe expanded, cyber-militias became a key instrument of some states’ foreign policy. Throughout the 2000s, nations connected key financial, military, and civil capabilities to the Internet, creating vulnerabilities to cyberweapons. In 2007, during a dramatic diplomatic dispute between Estonia and Russia, Russian cyber-militias launched a denial of service attack on Estonia that paralyzed the nation’s banking system and civil services. As the attack progressed, Estonia invoked Article 5 of the NATO charter — which states that an armed attack against one member of NATO is an attack against all — and called on the alliance for support. Russia, of course, denied responsibility — and Estonia was unable to attribute the attack to Moscow — but it reaped the same coercive benefits it would have if its military had launched the attack, without any of the legal or diplomatic costs. For all practical purposes, Moscow had found a way to punish Estonia without being held to account.

In 2008, in its war with Georgia, Russia found a more bellicose use for cyber-militias. Before and during the war, Russian cyber-militias disabled key portions of Georgia’s communications systems in a way that facilitated Russian military operations. In light of its overt conventional military operations, it may seem odd that Russia used militias rather than its vastly more sophisticated state-run cyber organizations. Yet it had good reasons for doing so. In order to affect Georgia’s cyber systems, militias had to attack some civilian systems in third-party states. Had the military been involved, the attacks would have violated tenets of the law of armed conflict. Instead, Russia was able to restrict Georgia’s access to the outside world, while using militias to circumvent accountability.

While Russia’s use of cyber-militias against small nations is interesting, from a U.S. perspective the main geostrategic relevance of cyber-militias lies elsewhere. Over the last decade, both China and Russia have nurtured militias dedicated to crime. In Russia’s case, the organizations are tied to mafias loosely connected to the government through a web of corruption, graft, and indirect and intermittent ties to military and intelligence agencies. Russia’s cyber-mafia operations allow organizations to coordinate criminal activity and exploit cyber-wealth around the globe in operations worth billions of dollars each year. The cost to the state is minimal, generally little more than allowing law enforcement to turn a blind eye to theft involving victims outside the country, while harshly punishing criminals that attack Russian political targets. The overall effect is to increase Russia’s GNP and to provide a cloud of cyberattacks emanating from Russia and Eastern Europe large enough to obscure and create plausible deniability for state-launched cyber operations. For instance, while a number of U.S. officials, including President Obama, have denounced countries for planting logic bombs in U.S. critical infrastructure that could knock it offline, the existence of massive criminal cyber operations makes it difficult to blame Russia — even for war-like acts like taking down an electric grid.

Like Russia, China’s use of militias to conduct cyber-crime also muddies the cyber-waters and protects the government. In China, however, the connection between militias and the state is more overt. Either because it does not possess the technical capability to do so, or because it does not believe it is worth the bother, China has done a poor job of disguising the ways it empowers its militias to attack other countries. Currently, more observed attacks on U.S. commercial and military systems emanate from China than all other countries combined.

From a geostrategic perspective, the increasing use of cyber-militias is having three main effects on global politics. The first is economic. Over the last two decades, the United States and other advanced nations have outsourced much of their physical industry to developing nations while refocusing on developing intellectual property at home. Yet today, Chinese cyber penetration of firms developing intellectual property has become so pervasive that former White House advisor Richard Clarke warned that every major company in the United States has been hacked. Gen. Keith Alexander, director the National Security Agency, has called this pervasive intellectual property (IP) theft the largest illegal transfer of wealth in history.

One example of how this type of IP theft affects U.S. industry involves the F-35 stealth fighter (the most expensive military procurement program in history). According to Rep. Michael McCaul, several years ago Chinese hackers stole the plans for the F-35. Then, in November, China released video of their new J-31 stealth fighter, which appears, on the surface at least, to be a duplicate of the F-35 fighter from the stolen designs. Semi-autonomous Chinese hackers were able to radically advance a top secret program — a skill they bring to commercial ventures as well. Chinese hackers often steal the designs for products, then build and sell them before the original U.S. designers can begin production.

It is difficult to calculate how much damage cyber IP theft is causing the U.S. economy. In a 2009 speech, President Obama warned that cyber-criminals cost the economy over a trillion dollars each year. That is more than the base U.S. and Chinese defense budgets combined. It is enough to hire 30 million Americans at median salary at a time when U.S. unemployment stands at 12 million individuals. Even if the real figure is half that, over time cyber IP theft will change the world’s economic balance of power. Given the scale of the theft, it is not clear that the developed world’s current economic model can succeed. While cyber-militias are not responsible for all cyber-theft, they and the systems states have set up to allow them to function are responsible for most of it.

The second geostrategic effect cyber-militias have is to empower militarily weak states in two ways. First, they provide a screen behind which states can implant malware into other states’ critical military and civilian infrastructure. Second, they allow attacking states to deflect legal and diplomatic accountability. While Russia pioneered this approach during its conflict with Estonia, smaller states that cannot afford to project conventional military power have vastly more to gain from using it. For example, cyber-militias in Estonia, Latvia, Lithuania, Georgia, and Kyrgyzstan have threatened to attack infrastructure in Russia if it deploys cyber or kinetic weapons against them. While none of these states could really harm Russia with conventional weapons, a successful attack on Russia’s energy infrastructure could devastate the economy and undermine the ruling party. Meanwhile, the governments in the attacking nations can plausibly, and perhaps honestly, deny involvement.

In a similar vein, Iran’s current campaign against U.S. banks has the potential to inflict much greater costs than the Iranian military could extract in a conventional war. If Iran is willing and able to replicate in the United States a scaled-up version of North Korea’s successful May 2011 three-day takedown of South Korea’s largest bank, the cost would be on par with a small war. If it took down the U.S. electric grid, the costs could outstrip the trillion dollars the United States has spent in Iraq and Afghanistan. Whether or not Iran or other weak states are willing and able to inflict this type of damage on large states, their ability to do so increases their geopolitical influence. If the current Iranian attack on the United States eventually demonstrates the ability of a small state to cause, with impunity, significant harm to a large state, it will empower Iran and, by extension, other small states with offensive cyber-militias.

The third way cyber-militias affect geopolitics follows from the second, and is particularly worrisome. In order to empower cyber-militias, states must facilitate their ability to obtain cyberweapons and create institutions that reduce evidence of state control. Because reducing evidence of state control generally requires reducing actual state control, militias usually have some real level of autonomy. In an earlier age, when the worst damage cyber-militias could do involved defacing webpages and conducting minor denial of service attacks, this had limited implications for international security. In the post-Stuxnet era, however, it is conceivable that organized and empowered non-state actors could damage nuclear power plants, air traffic control systems, gas pipelines, banking systems, or electric grids.

Whether current-day militias could carry out such attacks is questionable — though a 2008 National Journal article argued that various blackouts in the United States were caused by Chinese cyber-militias — but with the rapid proliferation of cyber-weapons, they will likely have such a capability in the near future. The likelihood that a country’s militia might attempt to autonomously carry out a massive life-threatening attack during an emotionally intense future crisis is a risk state-sponsors must accept when they deploy militias. How the United States, Russia, or other major powers might react to such an attack is anybody’s guess.

This state use of militias is not historically unique. In the 16th century, England made extensive use of semi-autonomous pirates to raid Spanish seagoing commerce and colonial port cities. English piracy served the dual purpose of weakening a hegemonic opponent while enhancing England’s national wealth. Like modern cyber-militia states, the British were able to plausibly deny they were behind the attacks while they bled their opponent nearly to death. The problem was, the attacks caused deep tensions between the two powers and led to two decades of ruinous military competition. In the end, England was forced to capture and execute its own pirates, international commerce was set back 20 years, and both the English and Spanish governments were bankrupted. Let’s hope we can resolve the threat from cyber-militias before they do quite so much damage.