The Formation of Cyber Militias in the United States:
Feasibility, Structure, and Purpose
Michael Mihevc
jake.mihevc@gmail.com
7/28/2012
Utica College - http://programs.online.utica.edu/programs/masters-cybersecurity.asp [1]
As the frequency and severity of cyber attacks grow, nations must take advantage of all of the resources at their disposal to compete in the cyber arms race. Information Technology (IT) and cyber security talent is expensive to develop and has become a precious resource. Most nations of means incorporate information warfare into their traditional military structure. This approach concentrates a nation’s rare IT talent in the government sector. IT talent is also required in the private sector to spur innovation and economic growth. Nations, especially those with few IT resources, have begun to experiment with alternative models for utilizing IT talent in international cyber warfare. The use of cyber militias has emerged as a viable alternative model. This paper explores the feasibility of the cyber militia model in the United States (US). The paper examines possible structures and roles of cyber militias as these factors are critical to an effective feasibility assessment.
Offensive and Defensive Roles
Cyber militias will likely be most effective in offensive roles. The defense of our national technology and critical infrastructures requires the close coordination of our public and private sectors and the implementation of executive authority. The US Cyber Command and Department of Homeland Security (DHS) fill this role, and operate on authority granted by elected representatives. Rulemaking that sacrifices profits from our private sector for the defense of our critical infrastructure must originate from public officials who can be held accountable for their decisions. A cyber militia simply cannot provide the form and accountability required for a defensive role. Offensive operations are not bound by these requirements. Offensive cyber attacks often benefit from their lack of structure and diversity of attack vectors, features cyber militias readily provide. Cyber militias can be assigned a target or objective and given the ability to freelance and choose their methods based on their group capabilities. The absence of formal rules of engagement allows the cyber militia to exercise creativity and innovation in developing attack methods. This new knowledge of possible attack methods can then be transferred to the national cyber defense complex. The benefits of a diverse attack profile are described by Rain Ottis (2011), “The source addresses are likely distributed globally (black listing will be inefficient) and the different skills and resources ensure heterogeneous attack traffic (no easy patterns). In addition, experienced attackers can use this to conceal precise strikes against critical services and systems.” It should be noted that in cyber warfare the distinction between offensive and defensive operations can be less than clear. One method of mitigating a denial of service attack is to “return fire” with a denial of service attack targeting the attacker (given an attack from a static source and correct attribution). This counter-attack is a behavior normally associated with offensive cyber warfare.
Structure
Ottis (2011) categorizes the structure of cyber militias into three general forms: forum, cell, and hierarchy. His work breaks down each form based on attributes, strengths and weaknesses. These descriptive features are more instructive than the forms themselves. Cyber militias are likely to be hybrids, assuming the features most beneficial to the mission. Two clear distinctions stand out.
The first important feature is the membership type. Future militias can be distinguished by whether the members know each other personally and are aware of their true identities. Cyber militias of this nature can be very difficult to identify, as they use traditional communications methods less likely to be monitored by cyber personnel. For example, if six members of a cyber militia perform all of their planning at quarterly sales meetings held by their mutual employer, there will be no digital record to find. A known weakness of a cyber militia that is closely acquainted is geographical concentration. Professionals who periodically gather but are geographically dispersed avoid this challenge. Groups with a personal connection are also able to practice better operational security and vetting for future members. Cyber militias that are associated only by alias or avatar have different characteristics. They are seldom geographically concentrated, and vetting new members and operational security will be a challenge. Law enforcement and agents of the adversary commonly assume false identities, and effective vetting techniques are impossible when a prospective member’s name, profession, and history are unknown.
The second important feature is motivation. Motivations for cyber militia membership can be based on issues, patriotism, or professional development. Issue-based members can be passionate about a concern and work hard to achieve a goal or mission in its furtherance. For example, many who oppose abortion rights do so with vigor that translates into conviction to complete the mission, such as the defacement of an abortion provider’s webpage. A professional given the same task may not be as motivated. Issue-based militias can be intermittent in their activity levels based on the current state of their concern. Professional or patriotic militia members are more likely to be consistent participants, and their motivations are more easily understood.
Feasibility
The primary challenge to the feasibility of a US cyber militia is legal. The US has provided global leadership in cybersecurity law, and aggressively pursues agreements to establish international law and extradition agreements in cyber-oriented cases. The partnership between the US and the United Kingdom has provided a framework from which the rest of the world can work towards thwarting international cybercrime. It is very much in the interest of the US that international cybercrime be curtailed. Intellectual property is the target of the majority of cyber-oriented theft and espionage. The United States possesses more intellectual property than any other nation, and thus must expend tremendous resources in its defense. Establishing one or more cyber militias could jeopardize its efforts to secure more international cooperation in fighting cybercrime. The cost would likely outweigh the benefits. The risks of a cyber militia stem from a lack of control over the membership. Even in a hierarchy, the most formal of the forms described by Ottis (2011), little effective control can be exercised by its leadership. There are many opportunities for a cyber militia member, or an entire cyber militia for that matter, to go “rogue” and exhibit behavior the US is attempting to establish as internationally prohibited. It is difficult to see how a formally recognized and endorsed cyber militia would be beneficial to the US.
The US may benefit from informally promoting or clandestinely enlisting cyber militias. Issue-based cyber militias could be used to promote US interests. For example, a democracy movement that develops cyber warfare capabilities could be very effective. The US could discreetly provide information on oppressive regimes and lead the militia towards targets of opportunity. This cyber militia could be based outside of the US but largely consist of US members, and would establish plausible deniability of a relationship with the US federal government. The US could also benefit from using the Central Intelligence Agency (CIA) to enlist foreign cyber militias to do their bidding. Public information reveals that elite cyber criminals are poorly compensated for their work. Even when successful, there are few effective models for lucrative compensation for cybercrime. The tremendous resources of the US federal government could be leveraged to pursue international goals without jeopardizing diplomatic stature. Williams and Arreymbi (2007) suggest that the online gaming community could provide pre-packaged cyber militias with the capabilities desired. These gaming “clans” are already closely knit and are likely to be skilled computer operators. The CIA could recruit, train, and fund these pre-made militias. It is highly preferable, however, to ensure that cyber militias of this sort consist of foreign members. Cyber attacks have grown in stature and may be interpreted as acts of war in the near future. It is against international law and grounds for war to allow national territory to be used by non-state actors as a safe-haven from which to attack another nation. The most recent US invasion of Afghanistan was largely based on this premise. The US held the Taliban accountable for failing to stop attacks on the US that were based on their soil. The same reasoning could legally justify an attack on the United States if a government-endorsed cyber militia caused loss of life in a foreign country. Russia appears to be ready to test this concern. According to Brenner (2008), “Russia’s attitude toward cybercrime-prosecute individuals who strike domestic targets, and ignore the ones who attack foreign targets-raises the specter of cyber crime havens.”
Contemporary Cyber Militias
Cyber militias as described above are not prevalent or public-facing. Two public-facing examples of cyber militias appear to be reserve elements of military information warfare units. The US created a Reserve Information Operations Command utilizing 400 Army reservists. This group is hierarchical and involves current reservists, so vetting is not a problem. Estonia is largely viewed as the pioneer of the cyber militia. Hans-Inge Lango describes their unique situation and their response:
“In 2007, Estonia was the first country to be the target of a cyber attack when unknown assailants, most likely hackers in Russia, paralyzed government, financial, and media networks in the Baltic state. The attack prompted Estonian authorities to think long and hard about how to defend against such attacks, and in 2011 the Cyber Defense League was established as part of the national Total Defense League, a paramilitary force dedicated to protecting Estonia. The cyber volunteer group consists of programmers, computer scientists, and lawyers, and during wartime the group will function under a unified military command” (Lango, 2011)
Estonia’s experience with cyber warfare in the context of a traditional conflict places them in a leadership position as cyber militias are defined for the future. According to Tom Gjelten (2012), “Estonia now has the opportunity to serve as a model, and NATO has recognized Estonia's efforts: The alliance's new Cyber Defense Center for Excellence has its headquarters there.”
Conclusion
With or without government sanction, cyber militias will emerge as players in the international cybercrime arena in the near future. They will take different forms based on motivations and how closely the membership is acquainted. It is not advisable for a nation to be affiliated with a cyber militia unless there is a hierarchical structure and military-oriented vetting procedures. Without such safeguards, a militia may provoke conflict or take actions adverse to the nation’s interest. The creation of a cyber militia in the US faces additional challenges due to its international leadership role. Because the US must defend so much vulnerable intellectual property, the risks of endorsing a cyber militia outside of the military structure likely outweigh the benefits.
References
Brenner, S. (2010). Cybercrime: Criminal Threats from Cyberspace. Santa Barbara, CA: Praeger.
Gjelten, T. (2012, July 28). Volunteer Cyber Army Emerges In Estonia. In NPR. Retrieved July 28, 2012, from http://www.npr.org/2011/01/04/132634099/in-estonia-volunteer-cyber-army-defends-nation
Lango, H. (2011, June 14). Should the United States Create a Cyber Militia?. In Hegemonic Obsessions. Retrieved July 28, 2012, from http://hegemonicobsessions.com/?p=516
Ottis, R. (2010) Theoretical Offensive Cyber Militia Models. In Proceedings of the 6th International Conference on Information Warfare and Security, Washington DC. Reading: Academic Publishing Limited, p 307-313.
Williams, G., Arreymbi, J. (2007) Is Cyber Tribalism Winning Online Information Warfare? In Proceedings of ISSE/SECURE 2007 Securing Electronic Business Processes. Wiesbaden. Retrieved July 28, 2012, from http://www.springerlink.com [2]
Links:
[1] http://programs.online.utica.edu/programs/masters-cybersecurity.asp
[2] http://www.springerlink.com/