The 5×5—Non-state armed groups in cyber conflict
Non-state organizations native to cyberspace, like patriotic hacking collectives and ransomware groups, continue to impact geopolitics through cyber operations. But, increasingly, non-state armed groups with histories rooted entirely in kinetic violence are adopting offensive cyber capabilities to further their strategic objectives. Each of these groups has its own motivations for acquiring these capabilities and its strategy to employ them, making developing effective countermeasures difficult for the United States and its allies. In Ukraine, the Russian government is increasingly outsourcing military activities to private military companies, such as the Wagner Group, and it may continue to do so for cyber and information operations. In Mexico, drug cartels are purchasing state-of-the-art malware to target journalists and other opponents. Elsewhere, militant and terrorist organizations such as Hezbollah and Boko Haram have employed cyber capabilities to bolster their existing operations and efficacy in violence against various states.
The proliferation of offensive cyber capabilities and low barriers to acquiring and deploying some of these powerful tools suggest that the cyber capacities of non-state armed groups will only continue to grow. We brought together five experts from various backgrounds to assess the emerging cyber threats posed by non-state armed groups and discuss how the United States and its allies can address them.
#1 How significant is the cyber threat posed by non-state armed groups to the United States and its allies? What kinds of entities should they be concerned about?
Sean McFate, nonresident senior fellow, Africa Center, Atlantic Council; professor, Georgetown University’s Walsh School of Foreign Service and the National Defense University:
“Currently, the most powerful non-state armed groups that use cyber do it on behalf of a state, offering a modicum of plausible deniability. For example, The Concord Group in Russia is owned by Yevgeny Prigozhin, an oligarch close to Putin. Under the Concord Group is the Wagner Group (mercenaries) and the Internet Research Agency, also known as “the troll farm.” Outsourcing these capabilities lowers the barrier of entry into modern conflicts and allows the Kremlin to purse riskier stratagems.”
Steph Shample, non-resident scholar, Cyber Program, Middle East Institute; senior analyst, Team Cymru:
“The cyber threat posed by independent actors or criminal groups—not advanced persistent threats (APT)—is high, and the first impact is primarily financial. Ransomware flourishes among non-state groups, and can makes these actors, at times, millions of dollars. Consider the SamSam ransomware operations, carried out by Iranian nationals. According to the publicized indictments, the two actors were not found to have ties to the Iranian government, but they took in $6 million in profit—and that is just what was traceable. The second impact is reputational damage for businesses. Once they are impacted by a cyber incident, building the trust of users back is often more difficult than recouping financial loss. Entities to worry about include fields and industries that do not have robust cyber protection or excessive funds, as malicious actors often go after them. These industries include academia, healthcare, and smaller government entities like cities and municipalities.”
Aaron Brantly, associate professor of political science and director, Tech4Humanity lab, Virginia Tech:
“Non-state armed groups do not pose a significant cyber threat at present to the United States and its allies. There are very few examples of non-state actors not affiliated or acting as proxies for states that have the capacity to develop and utilize vulnerabilities to achieve substantial effect. The threat posed by these groups increases when they act as proxies and leverage state capacity and motivation. It is conceivable that non-state armed groups may use cyberattacks to engage in criminal attacks to achieve financial benefits to fund kinetic activities. Yet, developing the capacity to carry out armed attacks and cyberattacks often require members with different skillsets.”
Maggie Smith, research scientist and assistant professor, Army Cyber Institute, United States Military Academy:
The views expressed are those of the author, and do not reflect the official position of the Army Cyber Institute, United States Military Academy, Department of the Army, or Department of Defense.
“I find the most confounding factor of non-state groups to be their motivations for attacking particular targets. Motivations can be financial, ideological, religious, grievance-based, or entities could be targeted for fun—the options are endless and they are not static. Therefore, our traditional intelligence and the indicators and warnings that typically tip and cue us to threats, may not be there. This makes defending against non-state actors that much more unpredictable, confusing, and challenging than defending against states.”
Jon Lindsay, associate professor, School of Cybersecurity and Privacy, Georgia Institute of Technology (Georgia Tech):
“The greatest threat to the United States remains other nuclear-armed states, as well as collective existential threats like climate change and pandemics. Non-state actors are a serious but less severe threat, and cyber is the least severe tool in their kits. Cyber is a minor feature of a minor threat to the United States and its allies.”
#2 How do strategies vary among different types of non-state armed groups and compare with those of states when it comes to cyber capabilities?
Lindsay: “A really interesting feature of the cyber revolution is the democratization of deception. The classic strategies of intelligence—espionage, subversion, disinformation, counterintelligence, and secret diplomacy—that were once practiced mainly by states are now within reach of many actors. The more interesting variation may be in capabilities—states can do more for many reasons—than in strategy. Like it or not, we are all actors, intermediaries, and targets of intelligence.”
McFate: “Outsourcing cyber threats allows states to circumnavigate international and domestic laws. This creates moral hazard in foreign policymaking because it lessens the likelihood of punishment by the international community.”
Brantly: “Whether terrorist organizations or insurgencies, armed groups historically use violence to achieve effects. The strategy of armed groups is to shift the public view of an organization, or issue in such a way as to compel a state actor to respond. Cyber threats do not achieve the same level of visibility that kinetic violence does, and are therefore strategically and tactically less useful to non-state groups. By contrast, state actors seek intelligence and signaling capabilities that control escalation. Because cyberattacks are frequently considered less impactful due to several factors including reversibility, levels of violence, etc., they are a robust tool to enable broader strategic objectives.”
Shample: “There is often overlap. If we again think about APT groups, or those directly sponsored by state governments—the “big four” US adversaries include Iran, China, North Korea, and Russia. All of these countries have mandatory conscription, so all men (and in selective cases, women) have to serve in these countries’ militaries. That mandatory military training can be fulfilled by going through one of their cyber academies and acting as what the United States and Five Eyes community considers a “malicious cyber actor.” Mandatory service is completed eventually, but then these actors can go and act on their own accord, using the training they received to cover their online tracks. State-trained individuals become part of the non-state actor community. They take their learned skills, they share them with other actors on forums and chat platforms, and voila. With training and sophistication, along with a way to evade tracking from their home countries, these individuals continue to improve their skills and networks online, which is a very serious problem. They are sophisticated and able to keep acting in a criminal capacity. The more sophisticated actors can also sell ready-to-use kits, such as Ransomware-as-a-Service, phishing kits, and so on that are premade and do not take high skill to use. The trained malicious actor can not only act independently, but they could have an additional stream of revenue selling kits and supplies to other malicious actors. It is an entire underground ecosystem that I see on closed forums all the time.”
Smith: “One difference is that strategies are more ad hoc or responsive and shift when a non-state group’s motivation for attacking changes. For example, Killnet, the now-infamous pro-Russian hacker group that has been conducting distributed denial-of-service attacks (DDoS) against European nations since March, started off as a DDoS tool that criminal and threat actors could purchase. Just after updating the version of the tool in March, the non-state, but pro-Russian criminals behind Killnet pulled the tool offline and declared that the name was now an umbrella term applied to hacktivism against Russia’s enemies.”
#3 What makes cyber capabilities attractive (or not) to these kinds of non-state groups?
Lindsay: “The obvious answer: cyber tools are low cost and low risk. Cyber becomes an attractive option to actors that lack the means or resolve to use more effective instruments of power. The more that an actor is concerned about adverse consequences like retaliation, punishment, and law enforcement, the more likely they are to use cyber capabilities.”
McFate: “Cyber is important, but not in ways people often think. It gives us new ways of doing old things: sabotage, theft, propaganda, deception, and espionage. Cyber war’s real power is malign information, not sabotage like Stuxnet. In an information age, disinformation is more important than firepower. Who cares about the sword if you can manipulate the mind that wields it?”
Brantly: “Cyber capabilities are less attractive to non-state armed groups because their cost-to-impact ratio is less than kinetic violence. At present, insurgents are unlikely to win by using cyberattacks, and terrorist organizations are unlikely to draw the desired levels of attention to their cause through cyber means that they would by comparable kinetic means. Where attacks disrupt, embarrass an adversary, or facilitate financial concerns of non-state armed groups, such attacks are more likely.”
Shample: “Pseudo-anonymity, of course. They can act from anywhere, target any entity, use obfuscation technology to cover their tracks, and target cryptocurrency to raise money. First, they can cover their tracks completely/partially. Second, they may have enough obscurity to provide plausible cover and not be officially tracked and charged, despite suspicion. Third, they can make a decent amount of money and/or cause damage without any personal harm that comes back to themselves. Fourth, they are able to be impactful and gain notoriety amongst the criminal contingent. The criminal underground is very ego driven, so if an actor can successfully impact a large business or organization, and in so doing make world-wide news, this only helps them gain traction and followers in their community. And they build, keep learning, and repeat, fueled by their financial success and notoriety.”
Smith: “Cyber capabilities are attractive for a lot of reasons—e.g., they can be executed remotely, purchased, obfuscated, difficult to positively attribute, among other attributes that make them easier to execute than a kinetic attack—but if I were a malicious cyber actor, I would be in the business because nation states are still figuring how to respond to cyberattacks. There is not an internationally agreed upon definition for what constitutes a cyberattack, when a cyberattack becomes an act of war, or any concrete estimation for what a proportional response to a cyberattack should be. Additionally, the legal mechanisms for prosecuting cyber activities are still being developed, so as a criminal, the fuzziness and ability to attack an asset within a country without clear consequences is very attractive—especially when law enforcement cyber capabilities are stretched thin and the courts have yet to catch up to technology (or have judges that do not understand the technology used in a case).”
More from the Cyber Statecraft Initiative:
#4 Where does existing theory or policy fall short in addressing the risks posed by the offensive cyber operations of non-state armed groups?
Lindsay: “Generally, we need more theory and empirical research about intelligence contests of any kind. Secret statecraft, and not only by states, is an understudied area in security studies, and it is also a hot research frontier. I do think that the conventional wisdom tends to overstate the threat of cyber from any kind of group, but it is consistent with the paranoid style of American politics.”
McFate: “How many conferences have you been to where ‘experts’ bicker about whether a cyberattack constitutes war or not? Who cares? US policymakers and academic theorists think about war like pregnancy: you either are or are not. But, in truth, there is no such thing as war or peace; it is really war and peace. Our adversaries do not suffer from this bizarre false dichotomy and exploit our schizoid view of international relations. They wage war but disguise it as peace to us. Cyberattacks are perfect weapons because we spend more time on definitions than on solutions. We need more supple minds at the strategic helm.”
Brantly: “Many scholars have focused on proxy actors operating in and through cyberspace. The theories and policies developed on the motivations and actions of proxies is robust. This subfield has grown substantially within the last three to four years. Some theorizing has focused on the use of cyber means by terrorist organizations, but most of the research in this area has been speculative. Little theorizing has been done on the use of cyberattacks by non-state armed groups that are not operating as proxies or terrorist organizations. Although there are few examples of such organizations using cyberattacks, increased analysis on this area is potentially warranted.”
Shample: “The United States and its allies are overly focused on state-sponsored actors. This is because they can issue things like sanctions against state-tied actors, and have press conferences publicizing pomp and circumstance. They ignore the criminal contingent because they usually cannot publicly sanction them. This is short-sighted. The United States needs to combine its intelligence and military efforts to focus on all malicious actors, state-sponsored, criminal groups, and individual/independent actors. Stop worrying about sanctions—malicious APTs often laugh at sanctions from countries without extradition, and the sanctions will quite literally never impact them. They joke about them on underground forums and then continue attacking.”
Smith: “An area that I am working on is the threats posed by non-state actors during periods of conflict—even ones that we cheer on from afar. The Russian invasion of Ukraine and the subsequent rise of the Ukrainian IT Army and pro-Russian groups like Killnet really complicate the conflict and have shown how organized non-military, non-state-sponsored, and mixed-nationality groups can have a direct impact on the modern battlefield. For entities like US Cyber Command and our foreign counterparts, this is an area of concern, as it is really the modern instantiation of civilians on the battlefield. When do those civilians become enemy combatants and how to we deal with them? Those questions are not answered yet and they are further complicated by the various motivations among groups that I discussed above.”
#5 How can the United States and its allies address the cyber threats posed by the many disparate non-state armed groups around the world?
Lindsay: “We should start by accepting that cyber conflict is both inevitable and tolerable. Cyberattacks are part of the societal search algorithm for identifying vulnerabilities that need to be patched, which helps us to build a better society. The United States and its allies should continue to work on the low-hanging fruit of cybercrime, privacy, and intelligence coordination (which are not really hanging that low), rather than focusing on bigger but more mythical threats. The small stuff will help with the big stuff.”
McFate: “Three ways. First, better defense. Beyond the ‘ones and zeros’ warriors, we need to find ways to make Americans smarter consumers of information. Second, we need to get far more aggressive in our response. I feel like the United States is a goalie at a penalty shootout. If you want to deter cyberattacks, then start punching back hard until the bullies stop. Destroy problematic servers. Go after the people connected to them. Perhaps the United States should explore getting back into the dark arts again, as it once did during the Cold War. Lastly, enlist the private sector. ‘Hack back’ companies can chase down hackers like privateers. It is crazy in 2022 that we do not allow this, especially since the National Security Agency does not protect multinational corporations or civil society’s cybersecurity.”
Brantly: “The United States and its allies have already addressed cyber threats posed by different groups through the establishment of civilian and military organizations designed to identify and counter all manner of cyber threats. The United States has pushed out security standards through the National Institute of Standards and Technology, and US Cyber Command and the military cyber commands have worked to provide continuous intelligence on the cyber activities of potential adversaries. Continuing to strengthen organizations and standards that identify and counter cybersecurity threats remains important. Building norms around what is and is not acceptable behavior in cyberspace and what are critical cybersecurity practices among public and private sector actors will continue to constrain malicious behavior within this evolving domain of interaction. There is no single golden solution. Rather, addressing cybersecurity threats posed by all manner of actors requires multiple ongoing concurrent policy, regulatory, normative, and organizational actions.”
Shample: “If all entities working cyber operations (law enforcement, intelligence, and military) worked together and with the private sector more, the world would benefit. The private sector can move quicker with respect to changing infrastructure and the quickness of tracking malicious actors. Cyber criminals know they need to set up, act, and then usually tear down their infrastructure, change, and rebuild from scratch so as to avoid tracking. Cyber truly takes all efforts, all kinds of people working it together to be effective. There is too much focus on state-sponsored vs. criminal, and there is too much information not shared among practitioners. Counterterrorism focused analysis needs to be combined with combatting weapons and human trafficking and counter-narcotics, which all then come back to a financial focus. Terrorists like ISIS and others have been observed funding their operations by selling weapons, drugs, or humans, and then putting those funds into cryptocurrency. We have pillars of specialists that focus on one area, but there needs to be more combined efforts vs. singular-focused efforts. Underground forums need to be monitored. Telegram, discord, and dark web forums all need more monitoring. There needs to be a collective effort to combat serious cyber threats, versus dividing efforts and keeping ‘separate’ tracking. Government, military, and law enforcement need to work with the private sector and share the appropriate amount of information to take down criminal networks. There are too many solo efforts vs. a collective one to truly eradicate the malicious cyber criminals.”
Smith: “First, there is no silver bullet because there are so many variables to consider for each threat as it arises—context, composition, etc. are all confounding factors to consider. But I think that international partnerships and domestic partnerships with the private sector and critical infrastructure owners are the key to addressing non-state cyber actors and the threats they pose. The more we communicate and share intelligence and information among partners, the better we will be at anticipating threats and mitigating risk, while also ensuring that we are steadily working to create an ecosystem of support, skills, knowledge, processes and partnerships to combat the multi-modal threats coming from non-state cyber actors.”
Simon Handler is a fellow at the Atlantic Council’s Cyber Statecraft Initiative within the Digital Forensic Research Lab (DFRLab). He is also the editor-in-chief of The 5×5, a series on trends and themes in cyber policy. Follow him on Twitter @SimonPHandler.
The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.