How Well Do You Understand Your Cyber Adversary? – Part 3


This is the third and final installment of my blog series differentiating the various kinds of cyber adversaries who are looking to gain access to enterprise and government networks. Follow these links to get to Part 1 and Part 2.

Cyber Terrorism

Cyber terrorists use the Internet as a weapon as they pursue their agenda. In a way, they are an extreme form of a hacktivist. The curious thing is that we have not really seen a cyber terrorist event. The press and pundits have labeled some hacktivist activities as terrorism, but as far as I know, we have yet to see a cyber terrorist hack that causes people to fear for their safety or caused physical injury or death.

Cyber terrorism is not just a little bit to the right of extreme hacktivism, it is far to the right of extreme hacktivism. But the reason I put this into a category by itself and not just lump in into the hacktivism category, is that cyber terrorism is the boogeyman that a lot of us cybersecurity community pundits use to push the fear, uncertainty and doubt agenda.

One way the commercial space can sell cybersecurity wares is to scare people into thinking that they need the solution. One way for government officials to get resources for their pet projects is to frighten Congress about all sorts of scary contingencies. I am not saying that there is not danger out there. We all have our favorite doomsday cyber terrorism scenarios and some are quite possible. It is just that we have not seen any to date that have manifested in the world.

If you would like to read a page-turner story about a classic cyber terrorism scenario (attacking the power grid), read Richard Clarke’s Breakpoint.

Cyber Warfare

Out of all the motivational categories I've discussed, cyber warfare is the hardest to define. Military officials and government lawyers have been trying to define it for over a decade and nobody can agree. It’s like the obscenity debate the US had in the 1970s: "We do not know how to define it, but we know it when we see it." I have read a lot of the literature on cyber warfare and this is the best definition I could cobble together: cyber warfare involves one or more nation states using cyber weapons to destroy each other’s national treasures to achieve a political purpose.

This narrow definition is important as it specifically deals with attacks on Internet systems with the intent of causing death and/or destruction by a nation state. Criminals cannot conduct cyber warfare, and neither can hacktivists, terrorists or spies. The confusing part is that a lot of what a nation’s cyber warfare defense teams do to protect against cyber warfare (recon and staging) looks like cyber espionage. The lines between cyber espionage and cyber warfare can be blurry.

Old cybersecurity community pundits like me have pointed to the cyber attacks against Estonia and Georgia as examples of cyber warfare.  But even these don’t really match my cyber warfare definition as they were just proof of concept attacks demonstrating what might be possible. It wasn’t until the Stuxnet attack in 2010 that an act of cyber warfare occurred that meets my definition.

For a better understanding of the policy issues surrounding the US use of cyber weapons against Iran, read David Sanger’s Confront and Conceal.

Ankle Biters

This is a catch-all category designed to label hacking activity that doesn’t neatly fit into my previous categories. Typical examples of this are new hackers or hacker wannabes practicing their craft. They’re not trying to steal anything, spy on anybody or support a cause. They are just experimenting with the tools of the trade to see what works and what doesn’t. They can cause damage but it’s usually unintentional.

From hacktivists to cyber warfare, the point of all of this discussion is that the cybersecurity community has to be more precise when we talk about adversaries. If we can’t do it, how can we expect the press and the layman to?

Have anything to add? Leave a comment below and let me know what you think.