Rise of the Cyber Militias

Feb. 1, 2011

The Zapatista National Liberation Army in 1994 opened a guerrilla war in Mexico. In 1998, the Zapatistas went cyber. This leftist band, aided by European hackers, first shut down Mexican police and other websites. Then, it ranged further, lashing at US targets and paralyzing the Frankfurt Stock Exchange.

This was a signal event—the first time that a “cyber militia” took part in a regional conflict. It is an increasingly common occurrence, say some cyber experts.

One is Scott Borg, director and chief economist of the US Cyber Consequences Unit, a nonprofit research institute that investigates the dangers of cyber attacks. At a recent conference in Colorado Springs, Borg listed some 20 “significant” cyber campaigns that have occurred since 1998. (See chart, p. 89)

One notable thing, said Borg: Most of these cyber wars stemmed from local conflicts. Moreover, they have not, for the most part, been the work of nation-states, but rather of informal and loosely organized civilian groups—sometimes aided by organized crime.

“The big theme here is ethno-nationalists, who are not governments, … carrying out very aggressive and extensive cyber campaigns,” said Borg. He went on, “They often have the tacit support of governments. They maybe are quietly, in the background, being encouraged by governments, but they are not really government operations. These are civilian operations.”

While governments have encouraged and influenced these cyber conflicts to varying degrees, they do not control these cyber warriors. “They are militias,” he said. “I don’t know what else to call them.”

Ever since the Zapatista operations in 1998, virtually all regional conflicts have had a cyber component. Later in 1998, for example, India performed some nuclear tests, and nongovernment Pakistani ethno-nationalists attacked Indian cyber targets. The campaign, which went on for months, was “quite significant,” said Borg.

In 1999, the US mounted some cyber attacks in Operation Allied Force, the NATO air war over Serbia. The US action led to a counterattack by nongovernment Serb groups, and eventually by Russian hackers. In the OAF “kinetic” war, a USAF B-2 accidentally bombed the Chinese Embassy in Belgrade. Chinese cyber militias soon launched a cyber campaign against US targets, and pro-NATO hackers responded with counterattacks on Chinese sites.

A Loss of Control

These unofficial cyber armies soon became organized and effective. Such was the case later in 1999, said Borg, when there was a “not so minor cyber war” between China and Taiwan, the two historic antagonists in the Far East.

Also in 1999 came a cyber war in connection with the long-running conflict in Kashmir. It again pitted the cyber militias of Pakistan and India against each other, though undoubtedly with government support on both sides. In this round, India was the more active fighter.

In the final cyber war of 1999, the Iranian-backed group Hamas attacked Israeli cyber targets. From that point on, cyber attacks have been chronic features of the Arab-Israeli tensions in the Middle East, said Borg.

Among the more interesting cyber campaigns was that staged simultaneously with Russia’s 2008 invasion of Georgia. It was an extensive militia effort, and it came in two waves.

The first wave was carried out by Russian organized crime, which used botnets to attack 11 targeted websites in Georgia. Those sites were under attack throughout hostilities.

The second wave featured Russian attacks on 40 other targets on a detailed list. These were attacked by civilian hackers, organized by social websites. “It was a very disciplined attack,” Borg noted. “They had a list of targets. They went after those targets in a prescribed set of ways, … and they never deviated.”

The perpetrators made no effort to conceal what they were doing. There were various reasons for this. Civilian militias wanted to show the attacks were not official Russian government operations. As for the Russian Mafia, said Borg, it wanted credit for its “patriotic contributions,” and so “they let us watch.”

According to US sources, Russian cyber militias mounted similar attacks on Estonia in 2007 and Kyrgyzstan in 2009. In the latter event, the attack shut down Kyrgyzstan’s two main Internet service providers, temporarily eliminating roughly 80 percent of Kyrgyzstan’s bandwidth.

Today, cyber experts see signs that groups in different nations are forming alliances. Worse, the militias, which to this point have been restrained and nationalistic, may slip the leash altogether and pursue their own independent goals.

In China, the government has been able to cue its cyber militias, indirectly, about what is expected of them, said Borg. So far, they have pretty much followed the rules. To a lesser degree, this has been the case in Russia, too.

“I’m sure that Russia is not going to be able to maintain control over time,” warned Borg, “and I think it will break down in China as well.”

This is true also in many other nations. “I worry that these [informal ties] could break down,” said Borg, “and the cyber militias will stop showing the kind of restraint they’ve shown so far. No critical infrastructure has been targeted—yet.”

Because cyber war is now so firmly entrenched as a feature of local conflicts, those conflicts have the potential to erupt quickly and to escalate, spread, and disrupt international affairs in heretofore unseen ways. As a case in point, Borg cites the aftermath of the 2008 Russia-Georgia fight.

He notes that, in that conflict, Georgia got pounded by Russian cyber mobs, but it made little effort to counterattack in any significant way. Georgian hackers were careful to avoid cyber attacks on Russian physical infrastructure industries such as oil refineries, chemical plants, pumping stations, and electric power generators.

Ever since, though, Georgian hackers have been organizing, determined that, if Russia hits them again, they will hit back as hard as they can. According to Borg, the same thing is taking place in Latvia, Kyrgyzstan, Kazakhstan, Estonia, and Lithuania.

“The attackers, if they are going against Russians, will not be restrained,” said Borg. “They will hit Russian critical infrastructures if they can. At that point, it is very doubtful that the Russian government, even if it tries, will be able to keep its civilian militias from hitting back.”

In short, the conflict will not only escalate and spread, but it will likely spin out of control and do significant damage.

Borg says similar situations are developing in other parts of the world, particularly the Far East. There, the biggest concern is China, simply because of the size and skill of its cyber militias. Indeed, China’s Ministry of Public Security announced that, in a Nov. 30 crackdown, it had arrested 460 suspected cyber criminals and closed more than 100 websites catering to hackers.

“It is possible that China in the future will still be able to control its own cyber militia, as it has done in the past,” said Borg, “but other countries definitely won’t.”

The dangers are enormous. The worst attacks would be ones that physically destroy infrastructure—wrecking big electric generators, blowing up oil refineries, disrupting pipelines, crashing trains in tunnels, causing toxic chemicals to leak from chemical plants, and so forth.

As Borg recently said, “The total economic destruction caused by an intense campaign of such attacks could be greater than the damage done to Germany and Japan by strategic bombing during World War II.”

These kinds of attacks are very difficult to mount and at present are within the grasp of nation-states only. The worry is that such techniques are rapidly leaking out into the world of subnational civilian groups.

“So,” said Borg, “we have a situation that could easily get out of hand.”

While direct physical attacks are scariest, Borg notes, other types of cyber attacks could cause great harm. He points out that the US is “completely dependent” on global supply chains—not just for oil and other commodities but for services and specialized parts for industrial uses—and that these can quickly be disrupted by determined attackers.

What’s more, cyber militias pose a threat to America’s vast webs of business outsourcing to nations such as India, which is at daggers drawn with both China and Pakistan.

“India could easily be involved in a major cyber conflict,” said Borg. “Suddenly, all of these call centers, all of these business outsourcing processing centers that do all of the back office support for our financial institutions and so on, could not only be suddenly knocked offline but also their activities could be corrupted.”

Borg warns that, despite the prominence of regional cyber militias, there has been virtually no discussion of the threat at US Cyber Command or elsewhere in the US government.

“We talk a lot about nation-state attacks,” he said. “I think that there is a great danger that we are neglecting—even missing—the main thing we need to be worried about.”

Robert S. Dudney is a former editor in chief of Air Force Magazine (2002-2010). His most recent piece was “The Lavelle Syndrome” in the September 2010 issue.