A basic taxonomy of cyber-actors
By David Perry
In the beginning, there were hackers. They sat alone, playing online games, hanging out in BBS systems closed to the outside world, reading the technical reference manual and Peter Norton’s Inside the IBM PC. They had handles, like Count Zero in the William Gibson novel of the same name. They played pranks. They believed that information wanted to be free.
The powers that be reacted just as you might expect them to. Some of these kids went to prison for the tiniest of infractions (hijacking the telephone with an oscillator box or a toy whistle, digging reams of paper out of corporate dumpsters, downloading emergency manuals). Compared to what we see today, these are minor-league crimes. They went to prison.
So who breaks our security today? Who is taking away our privacy? What do they want? We could start by dividing the world of cyber-actors into five groups, but there is plenty of overlap between them. I have ranked these in the order of how dangerous I think they are, starting with the least harmful.
1. INDIVIDUAL HACKERS
Individual hackers engage in a wide range of activities, from public service to fiendish plots. But they are only individuals (despite what amounts to contempt for ordinary computer users; in fact, USER is quite the insult in hacker circles). There are many kinds and many levels of skill, from the hardware hacker (solder jockey, wire-head) to the so-called script kiddies who rely on commercial toolkits to accomplish a hack.
Of course, not all hackers are evil (a matter of perspective). There are hackers who hack for research, for education, and for some it is a job. We frequently hear reference to White Hats, Black Hats and Gray Hats, describing the ethical or moral stance of the person involved. A CERTIFIED ETHICAL HACKER (CEH) works to disclose the weaknesses of a given system by breaking into it. Inside the hacker communities, it is considered immoral to leave any failure of a security system unexposed. Hackers think of a hack as a service to humanity and a blow against the MAN. Hacking is the rock and roll of computer programming. It is rebellious at its very core.
2. POLITICAL ACTIVISTS (Hacktivists)
This batch is dangerous for two specific reasons. First, they are willing to disrupt or damage valuable assets in the name of political sabotage or political protest. History shows us that believers in a cause can easily rationalize their actions. Second, they make a perfect COVER for government or criminal activities. Take the case of Anonymous. They have shown up any number of times, protesting religions or governments whose actions they do not approve of. The truth is, there were core hackers who initiated the Anonymous name and logo (the familiar Guy Fawkes mask from the movie V for Vendetta) and originally set up blind communications channels with one another. Others have appropriated the name and style. The very fact that the group actually was anonymous helped other people to appropriate the name and logo and do whatever they damn well pleased. How can you tell the real Anonymous from all the other anonymity? You can’t.
3. CORPORATIONS
Who plants adware on your system? Who is tracking your every move to sell you, as a metadata analysis, to advertisers? Who invades your privacy in search of profits? The answer is corporations. When we first saw the rise of adware and spyware, in the early 21st century, we in the security industry faced many dilemmas. Our customers did not want to be tagged or tracked or spied upon, yet if we removed these grayware programs, we would be sued by the corporations that had produced them.
And that’s only the tip of the iceberg. Much of the malware that we see today is produced by rogue corporations in the third world that work in the employ of criminal enterprises in other countries. There are corporations engaged in cyber espionage and possibly cyber sabotage. Sometimes legitimate business is used in the execution of a crime. For example, many FAKE AV malware scams collected payment via major credit cards (long after they were known to be criminal enterprises), and malware can hijack your computer or phone and put it to use mining Bitcoin (which is used for all manner of criminal exchanges, including ransomware). Legitimate money transfer agencies are used to launder money stolen by cybercrime.
4. CYBERCRIMINALS
Cybercrime isn’t a single issue, like identity theft or denial of service. Criminal activity online is vast and diverse, like everything online. There is a black market in stolen credentials, credit cards, control over botnets of zombie computers, and thousands of other things. Criminal gangs ransom your data, pick your digital pocket, and get you to send them money voluntarily, thinking they are a major-league software company from Redmond, Washington. Other cybercrimes are more dramatic, such as bank and brokerage robbery, theft of intellectual property (trade secrets, source code and operating systems) and other things too numerous to count. Cybercriminals come in all shapes and sizes. This is now the largest category of crime in the world, bigger than drugs.
5. GOVERNMENTS
We have saved the most dangerous for last. We have all seen disclosures that the NSA is reading our private email, listening in on our phones and tracking our every encounter on the web. Think about this: if the NSA can do it, then other governments can do it just as easily. There is concern about Chinese and Russian hackers launching cyber attacks on our critical infrastructure. There is a possibility that cyber weapons will be used in the next major conflict. The danger of creating a surveillance state has been shown to us in very stark relief by Bradley Manning, Julian Assange and Edward Snowden. Some people think of them as heroes, some as villains. I think of them as inevitable. None of my friends in the computer security business were surprised by any of it.
This is only the beginning of such things. I do not think that this genie goes back into the bottle. Governmental online activities are not limited to spying. Sabotage of an Iranian nuclear research facility (by the malware called STUXNET) and many other things are rumored. We know only a little of the real depth of what happens. The potential for abuse is almost unlimited. The NSA does not scare me nearly as much as the precedent involved.
It’s all a matter of perspective… My generation is freaking out over the loss of privacy and security on their computers. But the blessings of the internet come tied to these problems. Eventually, our behavior will match the environment. Are government agents the bad guys? Well, are we talking about MY government or YOUR government? Is this freeware program a modern and well-developed product, or is it an invasion of my privacy? The lines are very blurry out there right now, and, as I always say: