Cyber Militias in the US: Feasibility, Structure, and Purpose

Tuesday, August 21, 2012




Article by Jake Mihevc

As the frequency and severity of cyber attacks grow, nations must take advantage of all of the resources at their disposal to compete in the cyber arms race. 

Information Technology (IT) and cyber security talent is expensive to develop and has become a precious resource.

Most nations of means incorporate information warfare into their traditional military structure.  This approach concentrates a nation’s rare IT talent in the government sector.  IT talent is also required in the private sector to spur innovation and economic growth. 

Nations, especially those with few IT resources, have begun to experiment with alternative models for utilizing IT talent in international cyber warfare.  The use of cyber militias has emerged as a viable alternative model. 

This paper explores the feasibility of the cyber militia model in the United States (US).  The paper examines possible structures and roles of cyber militias as these factors are critical to an effective feasibility assessment.           

Offensive and Defensive Roles

Cyber militias will likely be most effective in offensive roles.  The defense of our national technology and critical infrastructures requires the close coordination of our public and private sectors and the implementation of executive authority. 

The US Cyber Command and Department of Homeland Security (DHS) fill this role, and operate on authority granted by elected representatives.  Rulemaking that sacrifices profits from our private sector for the defense of our critical infrastructure must originate from public officials who can be held accountable for their decisions. A cyber militia simply cannot provide the form and accountability required for a defensive role.   

Offensive operations are not bound by these requirements.  Offensive cyber attacks often benefit from their lack of structure and diversity of attack vectors, features cyber militias readily provide.  Cyber militias can be assigned a target or objective and given the ability to freelance and choose their methods based on their group capabilities.  The absence of formal rules of engagement allows the cyber militia to exercise creativity and innovation in developing attack methods. 

This new knowledge of possible attack methods can then be transferred to the national cyber defense complex.  The benefits of a diverse attack profile are described by Rain Ottis (2011), “The source addresses are likely distributed globally (black listing will be inefficient) and the different skills and resources ensure heterogeneous attack traffic (no easy patterns). In addition, experienced attackers can use this to conceal precise strikes against critical services and systems.”

It should be noted that in cyber warfare the distinction between offensive and defensive operations can be less than clear.  One method of mitigating a denial of service attack is to “return fire” with a denial of service attack targeting the attacker (given an attack from a static source and correct attribution).  This counter-attack is a behavior normally associated with offensive cyber warfare.   

Structure

Ottis (2011) categorizes the structure of cyber militias into three general forms: forum, cell, and hierarchy.  His work breaks down each form based on attributes, strengths and weaknesses.  These descriptive features are more instructive than the forms themselves.  Cyber militias are likely to be hybrids, assuming the features most beneficial to the mission.  Two clear distinctions stand out.

The first important feature is the membership type.  Future militias can be distinguished by whether the members know each other personally and are aware of each other's true identities.  Militias whose members are personally acquainted can be very difficult to identify, as they use traditional communications methods less likely to be monitored by cyber personnel.

For example, if six members of a cyber militia perform all of their planning at quarterly sales meetings held by their mutual employer, there will be no digital record to find.  A known weakness of a cyber militia that is closely acquainted is geographical concentration.  Professionals who periodically gather but are geographically distinct avoid this challenge.  Groups with a personal connection are also able to practice better operational security and vetting of future members.

Cyber militias that are associated only by alias or avatar have different characteristics.  They are seldom geographically concentrated, and vetting new members and operational security will be a challenge.  Law enforcement and agents of the adversary commonly assume false identities, and effective vetting techniques are impossible when a prospective member’s name, profession, and history are unknown. 

The second important feature is motivation.  Motivations for cyber militia membership can be based on issues, patriotism, or professional development.  Issue based members can be passionate about a concern and work hard to achieve a goal or mission in its furtherance.  For example, many who oppose abortion rights do so with vigor that translates into conviction to complete the mission, such as the defacement of an abortion provider’s webpage. 

A professional given the same task may not be as motivated.  Issue based militias can be intermittent in their activity levels based on the current state of their concern.  Professional or patriotic militia members are more likely to be consistent participants, and their motivations are more easily understood. 

Feasibility

The primary challenge to the feasibility of a US cyber militia is legal.  The US has provided global leadership in cybersecurity law, and aggressively pursues agreements to establish international law and extradition agreements in cyber-oriented cases.  The partnership between the US and the United Kingdom has provided a framework from which the rest of the world can work towards thwarting international cybercrime.  It is very much in the interest of the US that international cybercrime be curtailed. 

Intellectual property is the target of the majority of cyber-oriented theft and espionage.  The United States possesses more intellectual property than any other nation, and thus must expend tremendous resources in its defense.  Establishing one or more cyber militias could jeopardize its efforts to secure more international cooperation in fighting cybercrime.  The cost would likely outweigh the benefits. 

The risks of a cyber militia stem from a lack of control over the membership.  Even in a hierarchy, the most formal of the forms described by Ottis (2011), little effective control can be exercised by its leadership.  There are many opportunities for a cyber militia member, or an entire cyber militia for that matter, to go “rogue” and exhibit behavior the US is attempting to establish as internationally prohibited.  It is difficult to see how a formally recognized and endorsed cyber militia would be beneficial to the US.

The US may benefit from informally promoting or clandestinely enlisting cyber militias.  Issue-based cyber militias could be used to promote US interests.  For example, a democracy movement that develops cyber warfare capabilities could be very effective.  The US could discreetly provide information on oppressive regimes and lead the militia towards targets of opportunity.  This cyber militia could be based outside of the US but largely consist of US members, and would establish plausible deniability of a relationship with the US federal government.

The US could also benefit from using the Central Intelligence Agency (CIA) to enlist foreign cyber militias to do its bidding.  Public information reveals that elite cybercriminals are poorly compensated for their work.  Even when successful, there are few effective models for lucrative compensation for cybercrime.  The tremendous resources of the US federal government could be leveraged to pursue international goals without jeopardizing diplomatic stature.

Williams and Arreymbi (2007) suggest that the online gaming community could provide pre-packaged cyber militias with the capabilities desired.  These gaming “clans” are already closely knit and are likely to be skilled computer operators.  The CIA could recruit, train, and fund these pre-made militias.  It is highly preferable, however, to ensure that cyber militias of this sort consist of foreign members. 

Cyber attacks have grown in stature and may be interpreted as acts of war in the near future.  It is against international law and grounds for war to allow national territory to be used by non-state actors as a safe-haven from which to attack another nation. The most recent US invasion of Afghanistan was largely based on this premise. 

The US held the Taliban accountable for failing to stop attacks on the US that were based on its soil.  The same reasoning could legally justify an attack on the United States if a government-endorsed cyber militia caused loss of life in a foreign country.  Russia appears to be ready to test this concern.  According to Brenner (2008), “Russia’s attitude toward cybercrime-prosecute individuals who strike domestic targets, and ignore the ones who attack foreign targets-raises the specter of cyber crime havens.”

Contemporary Cyber Militias

Cyber militias as described above are not prevalent or public-facing.  Two public-facing examples of cyber militias appear to be reserve elements of military information warfare units.  The US created a Reserve Information Operations Command utilizing 400 Army reservists.  This group is hierarchical and involves current reservists, so vetting is not a problem.  Estonia is largely viewed as the pioneer of the cyber militia.  Hans-Inge Lango describes their unique situation and their response:

“In 2007, Estonia was the first country to be the target of a cyber attack when unknown assailants, most likely hackers in Russia, paralyzed government, financial, and media networks in the Baltic state. The attack prompted Estonian authorities to think long and hard about how to defend against such attacks, and in 2011 the Cyber Defense League was established as part of the national Total Defense League, a paramilitary force dedicated to protecting Estonia. The cyber volunteer group consists of programmers, computer scientists, and lawyers, and during wartime the group will function under a unified military command” (Lango, 2011).

Estonia’s experience with cyber warfare in the context of a traditional conflict places them in a leadership position as cyber militias are defined for the future.  According to Tom Gjelten (2012), “Estonia now has the opportunity to serve as a model, and NATO has recognized Estonia's efforts: The alliance's new Cyber Defense Center for Excellence has its headquarters there.”

Conclusion

With or without government sanction, cyber militias will emerge as players in the international cybercrime arena in the near future.  They will take different forms based on motivations and how closely the membership is acquainted.

It is not advisable for a nation to be affiliated with a cyber militia unless there is a hierarchical structure and military-oriented vetting procedures.  Without such safeguards, a militia may provoke conflict or take actions adverse to the nation’s interest.

The creation of a cyber militia in the US faces additional challenges due to its international leadership role.  Because the US must defend so much vulnerable intellectual property, the risks of endorsing a cyber militia outside of the military structure likely outweigh the benefits.

References

Jeffrey Carr: If U.S. citizens are eager to engage in cyber network operations, the solution isn't to form a cyber militia because that's never going to happen here unless it's done illegally. Rather than advocating for a cyber militia, those individuals have established channels in which to pursue their desired profession: enlist in the U.S. military or be hired by DHS or one of the agencies of the IC.
aleph: We already have a cyber-militia, it's called Anonymous.
0ff0a77035f9569943049ed3e980bb0d
I didn't realize that there was a law that outlaws cyber militias. What law and section of the law would cover cyber militias? Be specific so I can reference this quickly.


Jeffrey Carr: You missed the point. A cyber militia with the authority to act offensively must be sanctioned by the state because there are laws in place now that make cyber attacks illegal. Some, like Jester, don't care about the illegality and perform their attacks anyway; hence my phrase "unless it's done illegally".
0ff0a77035f9569943049ed3e980bb0d
No, I didn't miss the point. What laws are there in place that a state sanctions cyber militia activity? And what laws are in place that make cyber attacks illegal?
Jeffrey Carr: Wait. You claim to sit on the board of Boston's InfraGard and to teach a course in computer crime and you don't know what the law is regarding cyber attacks?
0ff0a77035f9569943049ed3e980bb0d
Nice hedge, Jeff. It is obvious you do not know; however, you choose to make statements that are not evidence-based but just off the cuff. I claim nothing. I make statements of fact. I could keep asking but your answer is evident.
I know my laws, MLATs, letters rogatory, Title 10 US Code Armed Forces, etc., and use them in classes and beyond.
Jeffrey Carr: If you know the law, then tell me the legality of a private U.S. citizen hacking into a computer without official gov't authorization - legal or illegal?