Intentional Disintegration of Cybercriminal Networks

Approaches in Network Strategic Security Modeling W.J. Poolen Masterthesis Governance of Security Vrije Universiteit, Amsterdam June, 2012 Supervision: Prof. Dr. P. Groenewegen, Faculty of the Social Sciences, Organization Sciences Dr. F.P. Wagenaar, Faculty of the Social Sciences, Administration Sciences

- this page is intentionally left blank -

Abstract
This masterthesis assesses whether network strategic security models can be used for disintegration of cybercriminal networks. Strategic models are conceptualized as methods for security intervention that use network mathematical algorithms to define sets of targets in a hostile network that seem crucial to attack in order to disintegrate a cybercriminal network. Two strategic models are constructed that are associated with different types of targets in cybercriminal networks. One model focusses on hubs (computer devices, human operators and other nodes that interact within a network); the other model focusses on the exchange connections between clusters of interacting nodes. After elaboration of the strategic models a set of cases of cybercriminal interventions is invoked to investigate how the theoretical models contribute to real life intervention. In reflection on the cases and theory the main issue that becomes apparent is that the strategic models do not adequately take in account the ability of targeted networks to react to disintegration attempts. The notion of network resilience is considered and a subsequent theoretical attempt interprets network resilience as an effect of the relations that a network maintains with its resource networks. Networks are perceived to be embedded and interconnected in a network environment in which they exchange resources. Finally, a broadening of the theoretical understanding towards the multilayered aspects of a network is suggested to gain a more adequate perspective for network strategic security interventions.

Keywords
access actions activities aim algorithmic algorithms analysis anonymous approach arrested attack barabasi basic betweenness bitstream black botnet bridges business calculations cares cases centrifuges china clear clusters collective com communication components computer connections consequence considered construct contribute counterattack crime criminal cybercrime cybercriminal cybersecurity data decision deletion design detect develop devices different directed disintegration distributed edges effect example exchange firewalls free gain girvan government graph grow hackers hacking hat host hostile hubs human importance information infosec infrastructure intelligence interaction internet interventions involved koobface layers level life links maintain malware media method metrics models monitor network newman nodes nuclear operators organizations parts path perform perspective possibilities proposition provide public question real relation reports represent research resilience resistant resources rhizome routers rule scale security server service shadowcrew site social software source specific strategic strategies structural stuxnet support targets teams technical techniques terms theory topology users virus website wikileaks world worm * created at TagCrowd.com *

Table of Contents

Introduction: Fighting Cybercrime .................................................................... 2

1.1 1.2 1.3 1.4 1.5 1.6 1.7 1.7.1 1.7.2 1.7.3 1.8 Threats ................................................................................................................................................... 2 Skeptics ................................................................................................................................................. 3 Watershed .............................................................................................................................................. 4 Network theory ....................................................................................................................................... 4 Research question ................................................................................................................................. 6 Definitions .............................................................................................................................................. 7 Research design and methodology ........................................................................................................ 8 Topological approach ........................................................................................................................ 8 Cases ................................................................................................................................................ 9 Theoretical reflection ....................................................................................................................... 10 Chapters .............................................................................................................................................. 10

Strategic Models for Network Disintegration ................................................. 11

2.1 2.1.1 2.1.2 2.1.3 2.1.4 2.2 2.2.1 2.2.2 2.2.3 2.2.4 2.2.5 2.3 2.3.1 2.3.2 2.3.3 2.3.4 2.4 Barabsis 5-15% rule .......................................................................................................................... 11 Network Growth ............................................................................................................................... 11 Robustness ...................................................................................................................................... 12 Disintegration ................................................................................................................................... 13 Hub Oriented Disintegration Model .................................................................................................. 14 Girvan Newman: Targeting Bridges ..................................................................................................... 15 Clusters............................................................................................................................................ 15 Identifying Bridges with Betweenness ............................................................................................. 16 Shortest path ................................................................................................................................... 16 Flow ................................................................................................................................................. 17 Bridge Oriented Disintegration Model .............................................................................................. 17 Network Security Model ....................................................................................................................... 19 Targets, sensors, decisions, interventions ....................................................................................... 19 Added Intelligence ........................................................................................................................... 19 Synthesis ......................................................................................................................................... 20 Topology of an intervention model ................................................................................................... 21 Concluding Remarks ............................................................................................................................ 21

Cases of Network Intervention ........................................................................ 23

3.1 3.1.1 3.1.2 3.1.3 3.2 3.2.1 3.2.2 3.2.3 3.2.4 Bitstream Interventions ........................................................................................................................ 23 Firewalls, antiviruses and antispyware ............................................................................................ 23 Routers ............................................................................................................................................ 24 Operation Cisco Raider ................................................................................................................... 25 Device interventions ............................................................................................................................. 26 Hackers............................................................................................................................................ 26 Shadowcrew .................................................................................................................................... 27 Malware ........................................................................................................................................... 28 Stuxnet: search-and-destroy ............................................................................................................ 28

ii

3.2.5 3.3 3.3.1 3.3.2 3.3.3 3.3.4 3.4

Japans cyberweapon: counterattack-and-destroy........................................................................... 29 Interventions against operators ............................................................................................................ 31 Black Ops ........................................................................................................................................ 31 Prosecution: Esthost and MegaUpload ............................................................................................ 31 Invitas Eastern Europe Branch ....................................................................................................... 32 Koobfaces Public exposure............................................................................................................. 32 Concluding remarks ............................................................................................................................. 33

Contemplating Strategic Models and Interventions ...................................... 35

4.1 4.2 4.3 4.4 4.5 4.6 4.7 4.8 4.9 4.10 Bad case, related questions ................................................................................................................. 36 Marketing Strategies ............................................................................................................................ 36 Security Intrusion Teams ..................................................................................................................... 37 Black Market Rhizome ......................................................................................................................... 37 Strategic Software ................................................................................................................................ 38 Fear as a side effect of interventions ................................................................................................... 39 The relative ease of disintegrating a star network ................................................................................ 39 Luring into the unknown ....................................................................................................................... 40 Targeting Communication .................................................................................................................... 40 Concluding Remarks ............................................................................................................................ 41

Resilient, resistant Networks ........................................................................... 42

5.1 5.1.1 5.1.2 5.1.3 5.1.4 5.1.5 5.2 5.2.1 5.2.2 5.2.3 5.2.4 5.2.5 5.3 Ways of resistance ............................................................................................................................... 43 Endurance ....................................................................................................................................... 43 Recovery.......................................................................................................................................... 43 Disconnect ....................................................................................................................................... 43 Putting up defenses ......................................................................................................................... 44 Counterattack .................................................................................................................................. 44 Resources of Resilience ...................................................................................................................... 45 Rhizome topology as resource feature ............................................................................................ 46 Operation Payback .......................................................................................................................... 46 Connections between networks ....................................................................................................... 48 The Networks of WikiLeaks ............................................................................................................. 48 A model for interconnected networks ............................................................................................... 49 Concluding remarks: towards a multilayered re-conception of networks.............................................. 50

Conclusions and Discussion........................................................................... 53

6.1 6.2 6.3 6.4 6.5 6.6 The Effort ............................................................................................................................................. 53 Case recapitulation .............................................................................................................................. 53 Resilience ............................................................................................................................................ 54 Resource networks .............................................................................................................................. 55 Conditions of Resilience ....................................................................................................................... 56 Intervention Framework ....................................................................................................................... 58

Bibliography...................................................................................................... 59

iii

The Hydra of Lernaea had been wreaking havoc among the crops and flocks of the area. Even the breath emitted by its snakes heads was so poisonous that it could kill anyone standing nearby. Heracles fired burning arrows at the monster to drive out its lair, and as soon as it appeared he began to cut off its heads with an axe. His efforts were in vain, however, since it sprouted two heads for every one that Heracles could cut off. As the battle was going on, a huge crab which was guardian of the area bit Heracles on the leg at Heras instigation. Heracles was forced to kill the crab first, after which he called for the help of his nephew, Iolaus of Thebes. Iolaus set fire to a nearby forest, and as Heracles smote off the heads of the Hydra he cauterized the necks with a fiery torch so as to prevent the appearance of fresh heads. After cutting off the central head which had been presumed to be immortal Heracles buried it and turned it into a huge rock. The blood of the Lernaean Hydra contained a very powerful poison, and the point of any arrow dipped in it became fatal. Sofia Souli (Greek Myhthology, 1995) Cover Illustration: Hercules slaying the Hydra (Hans Sebald Beham, 1545)

Introduction: Fighting Cybercrime

This masterthesis sets out with cybercrime and social network theory. It assesses if social network theory can make a practical contribution to security interventions by analyzing cybercriminal networks and identifying target structures. As such, it assess if social network theory can play a front stage part in fighting cybercrime and - if so - how this role will look. Cybercrime, or internet crime, is nowadays perceived as a major threat for the security of households and organizations. Academics of a variety of disciplines show a growing interest for the phenomenon (Clough, 2010; Franko Aas, 2007; Kshetri, 2010; Yar, 2006) and news media generate a continuous flux of reports on the risks and dangers of cybercrime that conveys an urge to mobilize network society to help fight cybercrime. Before taking up a design for researching how social network theory can contribute to fighting cybercrime, the following paragraph obtains an impression of what makes the networks that are supposed to spread the threats so special. The features that are illustrated are loosely derived from Cloughs chapter on The challenges of cybercrime (Clough, 2010:5-8).

1.1

Threats

Combat cybercrime before it's too late headlines the Australian news site News.com.au (Emmerson, 2012). The article reports on a global crime survey by PWC that observes that cybercrime ranks worldwide among the top four of economic crimes just behind asset misappropriation, accounting fraud, and bribery and corruption. The report touches on what Clough considers one of the main features of cybercrime: the global scale on which it takes place. The interconnection of more than 2.25 billion people to the internet for personal and business use (Miniwatts Marketing Group, 2011) makes the web an almost limitless pool of potential victims and opportunities for cybercrime. In addition it can be noted that not only the quantity of the users, but also the ways in which the internet community uses the internet is constantly changing. New adaptions and applications by internet entrepreneurs and internet users (like social media) not only create new friendly ways of interacting over the digital networks, but at same time create new possibilities for criminal exploit. Cybercrime spreads on Facebook, according to Reuters, who not only informs, but also warns users who think the world's top social networking site is a safe haven on the Internet (Finkle, 2009). Another trait of cybercrime is that on internet many crimes go unnoticed as Clough calls it. What appears as a click on an erratic hyperlink on Facebook may well trigger the installation of a piece of malware on a computer, tablet or mobile phone. Not all internet users do recognize cybercriminal attacks all the time. As a consequence cybercriminal networks can spread malicious software modules like viruses, worms, and Trojans widely over the internet, before security organizations are alerted and can take initiatives to organize measures against the threats. iPhone Password Hacking is Easy (With the Right Software), headlines an article on PCMag.com (Horn, 2012). The article reports on Micro Systemation software that is specialized in cracking the password system of mobile phones and retrieve data from it. The software is not offered for download on the website, but the article illustrates another feature, the ease of access to cybercrime. The availability of relatively cheap computers and internet connections makes it for almost anyone possible to erect on line and explore the criminal possibilities of the internet. Where expertise is lacking, it can be exchanged. For those activities that may be beyond the skills of the individual, the Internet provides easy access to those who will do it for you, or tell you how. Offenders, who might otherwise be isolated in their offending, can now find like minds, forming virtual communities to further their offending. (Clough, 2010:6) It should be noted that criminal ventures can of course try to buy or coerce expertise into a situation of like-mindedness, when they do not succeed to find it otherwise.

The relative anonymity the internet provides for its users makes up for another key feature of cybercrime. Next to the hacker collective Anonymous - the internet collective that took the feature for its trademark - the so called TOR networks pose a substantial challenge for security organizations. TOR stands for The Onion Router, a project originated by the US Navy, but adapted as a public standard for anonymous browsing and other internet activities. The ambitions of the TOR-project lie in shielding personal data against network surveillance that threatens personal freedom and privacy [..], and state security known as traffic analysis (Tor Project, 2012). But as is the case with a lot of internet techniques, entrepreneurs at the dark side incorporate technologies in their illegal activities. De Volkskrant reports on anonymous black trade offerings on TOR networks of drugs, fire arms, stolen credit cards, child porn and even contract killing (Volkskrant, 2012). Not only techniques, but also legal restrictions of access to data make them who want to remain unknown hard to trace for security organizations. Laws that facilitate security organizations to obtain user and network data from Internet Service Providers and other data companies are consequently in the making. Masked identities can be un-masked quicker and easier when security data analysts have swift access to interactive network data. State cyber crime laws need updating says the Shelby County Reporter in post on the US Senate Bill 356 for example. The Senate Bill aims at facilitating security organizations in the state of Alabama to obtain subpoenas and search warrants for information held by out-of-state providers such as Facebook and Twitter and network providers like AT&T and Verizon. Author - and state senator Cam Ward stresses that Senate Bill 356 is an important piece of legislation that will provide added protection for our families and businesses at risk of cyber criminals and Internet bullies. (Ward, 2012) The deterritorialization of cyberspace makes up for a last feature of cybercrime that is discussed here. The lack of clear borders and territory in cyberspace poses serious challenges for legal organizations. Not only does it require new methods for security organizations to catch cybercrooks as van Dijk suggests (Dijk, 2008). Victims and offenders of cybercrime do not have to reside in the same jurisdictional zones when offences occur, so prosecution and extradition of cybercrooks cannot be taken for granted when they are caught. Computerworld.com observes that Ukraine for example can be considered a growing haven for hackers. The members of the Conficker hacker group for example that robbed 72 million dollars from US bank accounts over digital connections in 2008 were arrested and sentenced to 6 year prison. The Ukrainian authorities did not put the sentence to effect though, nor did they respond to request for extradition. Computerworld signals that Ukraine lacks adequate juridical power to prosecute hackers and that the group consequently has been able to slip through mazes of national and international law. The complaint of Computerworld is that Ukraine should get its legal institutions on the roll. More in general it supports a call for extension of international cooperation between security organizations and legal institutions in fighting cybercrime (Armerding, 2012).

1.2

Skeptics

As Yar observes, perception of cybercrime is simultaneously informed and obscured by political and media discussions of the problem (Yar, 2006:19). Awareness of the obscuring trait of news media can easily stimulate a skeptical attitude towards reports on cybercrime. The news reports can easily be considered exaggerations that serve particular interests of the organizations that publish the reports. The news media for example can be suspected to launch anxious headlines because they have a commercial interest in grabbing the readers attention, and by publishing scary stories on cybercrime they try to do so. Or the media may be considered to embed political bias. The column in The Shelby Reporter provides a sample of an article that is designed to legitimate the laws and intentions of policymakers that are connected to the medium. And the PWC report that brings alarming news on the global situation of cybercrime can be easily thought off as a global marketing strategy to acquire assignments in the realm of cybersecurity audits for PWC offices worldwide. On a sociocultural level of skepticism Wall considers reports on the growth of cybercrime and the urgency of countermeasures as a product of a culture of fear (Wall, 2008). To Wall, cybercrime is a

phenomenon that is relatively new in mens interaction with technology. Due to ignorance a cognitive frame of mind that helps relativizing and normalizing the phenomenon has not developed yet. Media and other organizations fill up this gap with stereotypes that find its roots in the angst that surrounds the experience of movies and literature of the science fiction genre.

1.3

Watershed

Wall and others may have interesting relativistic notions, and although some developments of cybercrime have very scary science fictional resemblances for sure the Stuxnet virus for example that will be discussed later , it is not the aim of this research to determine if the perceived threat of cybercrime is an outcome of interest based exaggeration or that the threat experience has an empirical ground. The starting point of this masterthesis is that, on a global level, there is a growing awareness of cybercriminal threats and that, consequently, a perceived need is arising for security 1 organizations to be able to counter it. In line with the classical sociological Thomas theorem the investments in the societal organization of security that has to deal with protection against threats of cybercrime is gaining priority on political and corporate agendas worldwide. The constitution, structuring and practical operation of organizations that have to deal with defense and counter attack of cybercriminal networks is in full swing. To give a few examples closer at home, the Dutch Minister for Security and Justice opened the National Cyber Security Centre in January 2012 as a platform for sharing knowledge and expertise on cybercrime between government and businesses. According to the minister the foundation of the center is an important step to improve the defensibility of the Netherlands against ICT-disturbances by hackers, cybercriminals and malicious powers (Rijksoverheid, 2012). This initiative for cooperation between government and businesses was preceded in March 2011 by the Agreement Approach Espionage in which Dutch government and businesses agreed to cooperate in fighting cyberespionage (Algemene Inlichtingen- en Veiligheidsdienst, 2012). In May 2012 a cooperation of Dutch ministries started a tender by publishing a list on Research Topics in the National Cyber Security Research Agenda to stimulate sponsored development of new products and services for fighting cybercrime (IIPVV, 2012). Investments on operational levels of law enforcement are also 2 expanding; in January 2012 the KLPD started a campaign for recruiting 30 internet detectives for extension of its High Tech Crime Team and about another 30 for dismantling exchange networks for child porn (Vries, 2012).

1.4

Network theory

Because of the involvement of cybercrime with worldwide digital networks this masterthesis takes a specific perspective on cybercrime and cybersecurity that is aimed at finding out if and how social network theory can be used in fighting cybercrime. Social network theory is a social theoretical approach that understands groups, collectives, organizations and other forms of human liaison as networks. In a sociological sense social network theory contains a reformulation of the fundamental sociological insight that humans mutually depend on each other. From that interdependency humans interact and exchange goods, ideas, money, opinions and all other things that can be exchanged. These interactions and exchanges in its turn structure expectations, routines and practices among interactants that constitute a more or less stable environment, a social order in which the participants continue their actions and interactions (Giddens, 1984). On theoretical network level a network can be understood as this more or less stable environment where people exchange and interact. Network theory considers the individuals that populate the environment as nodes and the interactions and exchange relations the nodes maintain among each

The Thomas theorem is a classical sociological proposition that was formulated in 1928 by W. I. Thomas and D. S. Thomas: If men define situations as real, they are real in their consequences. 2 KLPD: Korps Landelijke Politie Diensten, Corps National Police Services, The Netherlands

other as edges (or vertices). The aggregate collection of nodes and edges can be considered the network under study.

Figure 1 Network graph representing a network under study (source: Easley and Kleinberg, 2010)

Figure 1 is a graphical representation of a network with nodes (the dots) and edges (lines between the dots). The network represents the pattern of e-mail communication among 436 employees of the Hewlett Packard Research Lab. From a network theoretical perspective the different properties of the nodes and edges in the network are of interest. The nodes for example can be weighted on the amount of other nodes they have been connecting to over email. Nodes can have many connections to other nodes, or just a few. The amount of connections a node maintains makes up for its degree. A node with a high degree can be assumed to maintain a more central position in the network than nodes with a low degree, because it connects more nodes to each other than the others do. Differences in centrality can be assumed to have consequences for the importance of a node to the network. Analogue reasoning can be applied to the edges of a network. Some edges between nodes can have more weight than others. In case of the Hewlett Packard graph edges can have more weight than others because some nodes send more emails to each other than they do to others. Edges can also have differences in importance in how they connect parts of the network. The graph of the Hewlett Packard Research Lab for example looks clustered, which means that interaction between nodes seems to be distributed (like grapes) in small bunches that have a preference for connecting with each other. Some edges connect these bunches or clusters with each other and gain importance from that connection. Degree, centrality, clustering and other calculated measures are derived from a mathematical discipline called graph theory (Steen, 2010). It can be used to detect all kinds of features, properties and relations of a network and its constituent nodes and edges. A term that is used for basic calculations in graph theory is network metrics (Hansen, Shneiderman, & Smith, 2010). Some of the

basic calculations will return in the next chapter, where will be discussed how network metrics can be used for designing strategies to intervene criminal networks. Cybercrime opens up for network theory and research in a specific way: cybercriminal practices all take place in an environment that literarily is a networked environment. Although - as the cases in chapters 3 and 4 will show - cybercrime can take many forms and faces, a technical infrastructure always functions as the precondition of cybercriminal activities. Without a networks technical infrastructure cybercrime cannot be committed. As consequence of this orientation, the scope of social network theory needs to be extended to technical networks. Social network theory is in this research accordingly understood as network theory (without the adjective social). It does not only deal with human nodes that are capable of interaction and exchange, but with any entity that is capable of interaction and exchange with other entities - be they from the same kind (computers to computers) or any kind (humans to computers). For now it is taken for granted, that the network metrics as discussed in the previous paragraphs can be applied to human, technical or hybrid networks (as supported by Contractor, Monge, & Leonardi, 2011).

1.5

Research question

Beyond its conception of a network as set of interacting nodes that constitute a reality sui generis, network theory can take two directions. According to McCloin and Kirk (2010) it can be used as a theoretical approach that explains behavior of individuals from the position and relations they maintain in the networks they populate. Or network theory can be used as a methodical backdrop from which analytical tools can be derived for analyzing and describing structural characteristics of the networks under study. In the realm of crime and security a variety of studies in both directions are available. Morselli (2010) bridges both the explanatory and analytical approach and researches how network analytics can contribute in explaining behavior in traditional criminal networks like street and motor gangs. Xu and Chen (2003; 2008) engage in appliance and discussion of social network analysis as descriptive tools for criminal networks in general. In the realm of cybercrime Yip (2011) explains the differences between Western and Chinese carder practices by analyzing structures of network interaction on Western and Chinese carder communication forums. Dcary-Htu et al (2011) try to explain how social recognition among so called Warez hackers relates to the effort they undertake to make software cracks and hack available to their peers in the Warez community. And Ma et al (2011) describe how stylometric network analysis can attribute unidentified posts on forums to already identified authors. What the analytical studies have in common (Xu & Chen, Ma et al) is that they seem to be able to make a practical contribution to interventions of security organizations against criminal networks. Network analysis does not only describe the networked character of crime problems, but it can also make suggestions for the development of interventions and suppression tactics (McGloin and Kirk, 2010:170). Network analytics can assist security organizations by identifying sets of nodes and connections between nodes that classify as promising targets when the organizations aim for the intervention of a criminal network. As such, network analysis and network metric calculations can be thought of as an analytical base that can be used to derive strategies for interventions against a network. This masterthesis joins the intervention supporting approach of network analysis. The research question is: How can strategies for network intervention contribute to the disintegration of cybercriminal networks? To be clear, this masterthesis does not apply network analysis in relation to intervention of a specific criminal network. To arrive at an answer the research reflects theoretically on the possibilities of the

application of network analysis as a supportive tool for interventions. It does that by constructing two strategic models that use network analysis and subsequently comparing these models with cases of interventions against cybercriminal networks. Before considering the research design of this thesis in more detail, next paragraph will first bring forward definitions of basic terms that are used.

1.6

Definitions

To avoid extended discussion on how definitions of cybercrime can be composed (Yar, 2006:8-10; Clough, 2010:8-11), this research invokes a few shortcuts to definitions it considers adequate to define the phenomenons it is researching. Wherever a definition falls short, it can be rephrased to match with newly obtained understanding of the subject matter. Cybercrime Kshetri defines cybercrime as a criminal activity in which computers or computer networks are the principal means of committing an offense or violating laws, rules, or regulations (Kshetri, 2010:3). Clough specifies two categories (targets and tools) in which the offenses and violations can be classified (Clough, 2010:10). 1. Crimes in which the computer or computer network is the target of the criminal activity. For example, hacking, malware and DoS attacks. 2. Existing offences where the computer is a tool used to commit the crime. For example, child pornography, stalking, criminal copyright infringement and fraud. To the second category can be added that not only a computer, but also a computer network can be understood as a tool for constituting cybercrime. For example, Distributed Denial of Service attacks (DDoS) and black market networks for trading illegal goods (for example credit card data). Network A network can be comprised of people and technologies (Contractor, Monge, & Leonardi, 2011:684). In line with a sociomaterial approach as Contractor et al call it, a network is defined as a collection of human and technological agents that exchange and interact with each other in such a way that they generate a reality sui generis that cannot be reduced to its constituting parts. The sui generis part is included to stress this thesis ontological understanding of sociomaterial networks as real life entities, as opposed to an understanding of a network as a mere analytical construct (a methodic toolkit) that help theorists analyze social reality (Groenewegen, 2008:14). Cybercriminal network From combining the definition of cybercrime and that of a network a cybercriminal network can be defined as a collection of human and technological agents that exchange and interact with each other over computers and computer network in such a way that they offend or violate laws, rules or regulations. Cybersecurity According to the National Cybersecurity Strategy that was launched by the Dutch Ministry of Security and Justice in 2011 cybersecurity can be defined as the absence of treats and damages that are caused by disturbance or failure [..] or abuse of ICT (Ministerie van Veiligheid en Justitie, 2011). This research considers cybersecurity solely in a context where disturbance, failure and abuse of ICT are at stake due to intentions of ICT users (i.e. cybercriminal network users), not by unintentional malfunction or erratic use of ICT. Security Organizations The existence of a National Cybersecurity Strategy implies first and all that cybersecurity is a state of affairs that is not present in contemporary society. Second, the subtitle of the strategy - empowerment

by collaboration - suggests that if a state of cybersecurity should be realized, it should be realized over collaboration between governmental and private organizations. Security organizations are consequently defined as the governmental and private organizations that collaborate and organize efforts to reduce the criminal abuse of ICT and hence contribute to cybersecurity. This definition does not only follow the Ministrys guideline. Social theory on the neo liberal organization of security, in what is called late modern society, suggests in general that organizations that are involved with security can be expected to be both governmental and private (Franko Aas, 2007; Zedner, 2009). In this mix the constitutive background is likely to make up for a division in specialties and expertise. Government organizations can be expected to bring in legal permissions to execute operational interventions; private organizations can be expected to bring in knowledge and skills that deal with the practical aspects and preparation of interventions. This division of permissions and expertise can blur though. In realizing cybersecurity government organizations can get intensively involved with the organization of cybersecurity and private organizations can be delegated (informally) with permissions for interventions that are assumed to lie within the discretion of government organizations (Zedner, 2009:53). Strategic intervention model In this research a strategic intervention model means a mathematic model that can be used for designing practical steps in specific real life interventions against criminal networks. Network disintegration Network disintegration is considered the systematic isolation or removal of network nodes and edges to such extent that the overall functioning of the network fails.

1.7

Research design and methodology

To arrive at an answer on the question how strategies for network disintegration can contribute to the resolution of cybercriminal networks, the design of this research is set up in three parts. First, from existing network theory two intervention strategies will be elaborated. The strategies are modeled around network metrics that enable systematic targeting of network elements (nodes, edges) in a way that the network will disintegrate and stop performing its criminal activities. Second, cases of real life cybercriminal network interventions are collected along categories that are implied by the strategic models. In the third part the strategic models will be confronted with the cases of real life interventions. By a closer inspection of the cases the presence of strategic models is analyzed. Consequently, where the strategic models do not seem to occur, a deepening of theoretical reflection is undertaken to argument why the strategic models fall short. In this reflection new theoretical elements and cases are introduced to broaden the perspective to a theoretical framework that explains more adequate the relation between strategic interventions and cybercriminal network disintegration. 1.7.1 Topological approach Network theory can take three perspectives on analyzing networks: relational, structural and topological (Groenewegen, 2008). The effort of this research can be considered a topological exercise that takes in both relational and structural elements. Relational analysis focusses on the type of edges that nodes maintain between each other. Edges between nodes can be weak or strong. A weak edge consists out of a loose, superficial relation between nodes. A strong relation consists out of an engaged, intense relation with a high value of exchange and interaction. The importance of weak and strong links lies in the type of connections

Subtitle NCSS: Slagkracht door samenwerking

nodes maintain. Weak ties are important for new information for example. For collaboration strong 4 ties are important. (Groenewegen, 2008: 15) A structural perspective focusses on the patterns of interaction between nodes and the effect interaction has for the positions of the nodes in the network. In the structural approach interaction patterns are supposed to be of importance for the behavior and functioning of the individual nodes. Metrics like centrality and betweenness, which are further discussed in the next chapter, are central in structural network analysis. A topological approach finally focusses on the map of networks and especially the map of large-scale networks like the internet. Network topology - a field of research that has gained interest with the growth of the internet - studies the overall complexity of networks. It tries to answer questions as how networks are connected, how networks grow and decline and how different objects and actors with different exchange and interaction patterns can be topological related to each other. This research deals with the complexities of the internet and can primary be considered a topological exercise. Relational and structural elements are mixed in, or even more to the point -, the strategic models that are developed in the next chapter rely on structural and relational notions, in a way that the research can be thought off to theoretically depart from a structural and relational perspective. The subsequent reflections upon the cases of real life interventions points to a limitation of the two perspectives though. To make sense of things, the research includes - and at the same time illustrates - the dynamics and complexity of a topological perspective. 1.7.2 Cases Cases of real life interventions are brought in this research for two reasons. As already mentioned, cases are brought in to expand an empirical base that can serve as a confrontation, a test, for the strategic models. The basic conception behind the strategic models is that cybercriminal networks can be targeted at level of the nodes that make up a network or at level of the edges that bind the nodes together. On the two levels different kind of interventions are possible. Interventions can be directed against all kinds of nodes and edges that make up for a cybercriminal network. Physical connections, bitstreams, routers, servers, software modules, and the operators who run the network can all considered as targets for systematic network intervention. The cases that are brought in - by researching news, publications, and knowledge repositories on the internet - are selected on their characteristic to illustrate a part of the variety of possibilities for network interventions. Seawright and Gerring (2008), in their classification of case selection techniques, would consider the method for selecting test-cases can be considered diverse. The cases are representative in the minimal sense of representing the full variation of the population (Seawright & Gerring, 2008:297). The cases represent the variety of intervention possibilities in some respect, but in real life there can still be other ways in which interventions take place. The effects the interventions have on the cybercriminal networks may also differ. Neither does the diversity of the presented cases say much about the distribution of compatible cases in the field of cybersecurity. Claims for external validity of conclusions drawn on case analysis should consequently be modest. No hard revealing truths about interventions can be expected, but sensitizing theoretical concepts seem to be the result of analysis of the diverse cases. The reason that after a first batch of cases a second, more modest batch is brought in is that in the reflection on the first batch of cases shortcomings of the strategic models are found. On theoretical level the notions of resistance and resilience are picked up to get a better understanding of the shortcomings and new cases are brought in to illustrate and deepen this understanding. Especially the case of the organization of the whistleblowers site WikiLeaks is worked out to gain insights in the network features of resistance and resilience. Seawright and Gerring would classify the WikiLeaks case as influential. The case confirms the theoretical shortcomings the diversity cases have laid
4

Translations of Dutch text and quotations provided by the author.

bare and is at the same time used a jumping board to confirm a new theoretical direction. An influential case is typically not representative, according to Seawright and Gerring (Seawright & Gerring, 2008:297). If it were typical of the sample as a whole, it would not have unusual influence on estimates of the overall relationship. The WikiLeaks case does indeed not have a representative outline in comparison with the other security troubling organizations that are considered, but it is brought in because its network topology illustrates wonder well what the theoretical turn tries to make clear. Like the diversity cases, the influential case is embedded in theoretical statements that can be considered as sensitizing concepts, as a direction in which subsequent research and theory building can be undertaken. 1.7.3 Theoretical reflection On a theoretical level this research formulates two strategic models for intentional disintegration of networks that are subsequently contrasted with reality over a series of cases that relate to interventions of security organizations in hostile networks.

Intervention

Network disintegration

Theoretical construct 1 Basic Proposition

In terms of de Vaus the starting point of this research is a simple theoretical proposition: strategically modeled interventions of security organizations lead to disintegration of cybercriminal networks. The aim of contrasting the theory with real life cases is to find out if reality is as simple as the statement supposes, or else, to discover if interventions on a theoretical level differ from real life situations. If the two differ, questions can be asked to why there is a difference between the theoretical proposition and real life situations. Is it because the theory is completely wrong, as de Vaus puts it, or does the theory require some refinement? Is the theory applicable only under specific circumstances? (Vaus, 2010) The social scientific idea of researching a simple proposition by contrasting it with cases is to obtain a better understanding of reality beyond the simplicity of the statement. In case of the theoretical proposition of this research the aim is to find out if strategic models of disintegration do contribute to the success of resolution of criminal networks. If not, questions can be posed as to what conditions do obstruct the successful application of disintegration models? Will the strategic models gain effictivity when the conditions are neutralized, or are in some other way taken into account? Or do the models embody a set of bad assumptions? If so, how can they be refined? This research does indeed find its theoretical proposition a bit too simple. The reflection on the cases confirms this and tries to pick up theoretical notions of resilience and resistance, and especially the interlinkage of the two, to theoretically refine a framework around the proposition.

1.8

Chapters

Finally, the chapters in the masterthesis keep in line with the steps that were laid out in the research design. Chapter 2 takes up network theory and network analytics and unites those in the two strategic models for network disintegration that are theoretically assumed to provide a basis for network interventions. In chapter 3 the first round of cases is presented to paint the contours of the landscape of cybercriminal networks and security interventions. Chapter 4 systematically reflects on how the cases support the theoretical proposition. Since this is not the case chapter 5 tries to find an explanation for the lack of support for the proposition and brings in new theoretical angels. The conclusion finally brings together all results and presents a theoretical framework that reflects the complexities of network interventions in cybercriminal networks.

10

Strategic Models for Network Disintegration

In this chapter two strategic models for network disintegration are constructed from existing network theory. The first model is named the 5-15% rule. It is derived from the work of Albert-Lszl Barabsi, a mathematician that asserts that large, scale free networks like the internet will disintegrate when 5 to 15% of its best-connected nodes (so called hubs) are deleted. The second model is the GirvanNewman model, which is called after an algorithm for cluster detection that is developed by the physical scientists Michelle Girvan and Mark Newman. Instead of hubs, the Girvan Newman method aims at bridges for network disintegration, the edges that tie network clusters together. After introduction of the two strategic models another network model is suggested for understanding how hostile networks and the security networks can be unified in one topology - the network arena where network disintegration can take place.

2.1

Barabsis 5-15% rule

Barabsi has been studying the rapid development of the internet in the ninetees of the previous century. In Linked he generalizes his discoveries as a theory of scale free networks (Barabsi, 2003): Networks grow out into scale free networks; Within networks some nodes grow out to hubs over a regularity called preferential attachment; The fitness of nodes enables younger nodes to grow bigger than older nodes.

Another trait of scale free networks is that, by growing, they gain robustness. Scale free networks do not have a central point of power that controls exchange and interaction in a network, but instead, that hubs make up for multiple points of power in a network. Hubs prevent that a network can be easily taken out. But according to Barabsi, bringing down a scale free network is not impossible; by eliminating 5 to 15% of the hubs the network as whole will stop functioning. 2.1.1 Network Growth With the notion of scale free networks, Barabsi points to a dynamic property of networks. The size of a network, the amount of its nodes and edges, is not somehow given, but varies over time. Complex networks like the internet have a point of origin, but from that point they evolve into complex topologies. There neither is a clear end point to the expansion, nor is there a fixed amount of nodes that the network can or will obtain. Instead, networks are able to gather nodes without restraint. They can extend their scale infinitely and hence can be called scale free. The growth of a scale free network has two characteristics. First, networks grow node by node. They do not all come to existence at once, but they become part of the network one by one, in sequential order. Second, a node that is somehow constituted (like a web page, a computer, or a piece of software) has to connect to other nodes to become part of the network. But as the network can contain manifold nodes, nodes have manifold possibilities to connect to existing nodes. Barabsi has been finding that there is no randomness in the way nodes connect to other nodes. New nodes in a network have a preference for connecting to existing nodes that are popular and have already gathered a lot of connections to other nodes. This is called the principle of preferential attachment. As an effect of nodes that have already gathered a lot of connections, will over preferential attachment continue to grow out stronger than nodes with less connections. The rich-get-richer, according to Barabsi, and some nodes in a network can grow out in what is called hubs, super nodes that contain many links to smaller nodes and other hubs (Barabsi, 2003:88). Typical for scale free networks is that the amount of hubs that evolve can be described by the power law of distribution. It means that a scale free network contains only a small amount of hubs that maintain a large amount of connections to other nodes and a large amount of nodes that maintain a

11

small amount of connections to other nodes. Or as Barabsi puts it: most nodes have only a few links, held together by a few highly connected hubs (Barabsi, 2003: 71). Preferential attachment predicts that nodes that exist in the early stages of a network will automatically evolve to the hubs of the network, the argument being that nodes that enter in later stages can only attach to nodes that are already embedded in the network. From this inevitability the first nodes will in the beginning of the growth of the network acquire a bit more popularity than nodes that join the network later. This difference will escalate in a substantial difference when the network keeps growing and new nodes will enter the network with a preference for popular nodes. Mathematical rules of large numbers will transform the first nodes over their inevitable popularity into the hubs of a network But according to Barabsi Nodes the rich-get-richer-phenomenon does only partly explain how networks grow out into scale free networks. He poses the fitness of a node as a concept that matters in the ability to acquire links. Nodes have qualities of their own and some nodes can - over these qualities - be fitter than other nodes in gaining new connections. What exactly makes out for fitness is not discussed in Linked, but Barabsi brings in search engine Google as an example. Google was not the first engine on the World Wide Web, but as soon as it launched it started outpacing older search hubs like Alta Vista and Hotbot in connecting internet users to it search services. As services seems just the right word, network fitness can be understood as a service (or services) of some kind that a node provides, which is appreciated by the other nodes over comparable services that other nodes provide. 2.1.2 Robustness As was already mentioned, scale free networks with lots of nodes and connections gain a certain robustness that prevents the network from breaking down, when a single node is taken out from the network. Where nodes are tied together over many connections there is not a central point that holds together the network; all nodes hold together pieces of the network. Barabsi considers this a feature of scale free networks, but robustness seems to become a feature of networks as soon as multiple nodes gain multiple connections. Networks gain robustness as soon as they become distributed networks as Cares (2005) calls it. Arquilla and Ronfeldt (2001) give an interesting description of what robustness of distributed and scale free network means from a security perspective. The network as a whole (but not necessarily each node) has little to no hierarchy; there may be multiple leaders. Decisionmaking and operations are decentralized, allowing for local initiative and autonomy. Thus the design may sometimes appear acephalous (headless), and at other times polycephalous (Hydra-headed). (Arquilla & Ronfeldt, 2001:9) Arquilla and Ronfeldt consider networks predominantly as a kind of social organization that is constituted among human agents, where this research considers networks foremost as technological networks where social actors are involved as the organizers behind the technology. But the authors adequately describe how power in a network (loosely interpreted as the ability to get things done) can be distributed over the constituting parts of a network. Nodes form relatively autonomous units that are able to decision making, perform tasks and run a business on their own. The use of the metaphor of the Lernaean hydra to grasp together the concept of distributed criminal networks is imaginative. Arquilla and Ronfeldt do not mention scale free networks, but a headless network topology can be interpreted to apply to distributed networks where no scale free polarization into a small set of supernodes has taken place yet. And a hydra-headed topology can be interpreted to apply to scale free networks which have a few extremely big and powerful nodes. The last only holds true since the hydra dies when Heracles chops off his one immortal head - when none of the hubs is considered crucial for the survival of the other nodes and hubs.

12

To illustrate the phenomenon of robustness beyond the realm of mythology the network graphics in Figure 2 are laid out. The figure contains a set of forty-four nodes that are connected in three different ways. The connections compose a centralized (A), a decentralized (B) and a distributed network (C).

Centralized (A)

Decentralized (B)

Distributed (C)

Figure 2 Connected networks (source: Paul Baran, 1964)

In (A) the centralized network (or star, or ego network) one node is central to the other nodes; the other nodes do not have direct connections other than the one to the central node. In (B) the decentralized network a central node connects to a set of nodes that are themselves central to a cluster of nodes. In (C) the distributed network nodes maintain multiple relations to each other; a central node in the network is lacking. The network models are constructed by Paul Baran (1964), an engineer who started working in the late nineteen fifties for the RAND Corporation - a US military think tank - on the question how communication networks can survive nuclear attacks. Baran developed the model of distributed networks as an answer. The model of a distributed network became the design for the ARPANET, an academic military experiment for network communication that eventually evolved in the internet (Abbate, 1999). 2.1.3 Disintegration To illustrate how the robustness of a distributed network surpasses that of a centralized and a decentralized network the graphics in Figure 3 are drawn. The figure shows Barans graphs again, but now with the node removed that forms the heart of the centralized network. The node that is central to the star network is removed from all three sub graphs and consequently all networks suffer from some degree of disintegration. The differences of the effect of taking out this one node are considerable. The centralized network (A) is fully disintegrated by taken out the core node. After removing the central node from the decentralized network (B) the network parts of the network are still intact. The network is split up in different isolated components and nodes and the overall topology of the network has been disintegrated. The distributed network (C) in the distributed network

13

does not seem to have suffered at all. The topology of the network remains intact; the only thing that is missing is a node and a few edges that make up for what is called a structural hole in the topology of the network.

Disintegrated centralized (A)

Disintegrated decentralized (B)

Disintegrated distributed (C)

Figure 3 Disintegrated networks (source: Paul Baran adapted to own design)

Although the disintegration of a distributed network seems to be a tough venture, Barabsi considers the deletion of hubs the Achilles heel of networks. Distributed networks can be taken down by focusing on the deletion of hubs. Due to the robustness of the network an attempt to disable a network is not an easy job and taking out a few hubs will not do. According to Barabsi several of the largest hubs must be simultaneously removed to crush them. This often requires taking out as many as 5 to 15 percent of all hubs at the same time (Barabsi, 2003:118). 2.1.4 Hub Oriented Disintegration Model In Linked Barabsi does not work out a specific strategy or strategic model on how hubs can be taken out to disable the network. But by taking in network metrics a strategic model can de designed fairly easy. The disintegration model would consist out of the following steps: 1. 2. 3. 4. Define a hostile network; Identify 15% of its main hubs; Delete 15% of its main hubs; Monitor the network disintegration.

The model is simple, but has a few ambiguities. First, the model could be more specific on the exact amount of hubs that need to be deleted before disintegration to come to effect. The steps take in account the maximum of 15%, but for security organizations it can be pragmatic for operational intervention to take in a lesser amount. Barabsi is not clear under what conditions a lesser amount of targeted hubs will suffice.

14

Second, Barabsi specifies that hubs need to be taken out simultaneously, but he does not specify what that means. Are the hubs to be taken out in exactly the same moment? Or is it possible that there is some sequence in deleting the hubs from the network? Third, Barabsi does not specify if theres some order in which the hubs should be taken out. Should the deletion of hubs start with the big ones and work its way down to the smaller ones? Or does an inverse procedure apply? Or does size not matter? The questions are left open here, for what they are. Wherever the cases in next chapter seem to suggest an answer, the refection will return to them.

2.2

Girvan Newman: Targeting Bridges

Where Barabsi focusses on hubs as the pillars of a network that can be targeted in attempts to disintegrate networks, Easley and Kleinberg suggest clusters, or actually, the connections between clusters, as the focal point for network disintegration (Easley & Kleinberg, 2010). To disintegrate a network, Easley and Kleinberg suggest a cyclic deletion of the links that keep the clusters together. Once these links are removed, the network begins to fall apart into large pieces; within these pieces, further spanning links can be identified, and the process continues. (Easley & Kleinberg, 2010:65). To identify the bridges between clusters Easley and Kleinberg make use of the Girvan Newman method, an algorithm that detects bridges by calculating the betweenness values of edges. Before getting to that, first clusters will be examined more thoroughly. 2.2.1 Clusters Instead of hubs Easley and Kleinberg consider clusters the building blocks of networks. Within a network clusters are subsets of nodes that are well connected with each other (tightly-knit regions). Friends, team members, people who share a common interest can be for example considered clusters in a wider network (school, work organization, social media). In addition, a clique is a kind of cluster where nodes are fully connected with each other.

Figure 4 shows network diagrams of a cluster (A) and a clique (B).

(A) Network cluster where nodes have fairly tight connections

(B) Network clique where all nodes are connected

Figure 4 Network clique and clusters (source: own design)

The nodes in clusters and cliques maintain connections to each other over edges that Easley and Kleinberg call strong links. Clusters and cliques are connected to the broader network they are embedded in (school, work organization, social media) over weak links. In a cluster oriented network approach a network can be considered a set of clusters that are connected to each other over these weak links. Figure 5 illustrates how clusters are embedded in and compose the broader network they belong to.

15

Figure 5 Clusters within a network (source: own design)

The figure contains 5 clusters that are connected over 5 weak links (a, b, c, d, e). The weak links are called bridges because they overpass the gaps between clusters. Bridges may signify weak interactions between nodes, but since they tie all clusters together they are fundamental to the network. As a matter of speaking: bridges are the threads that keep the patches of a quilt together. Without the threads there would only be patches, no quilt. 2.2.2 Identifying Bridges with Betweenness Figure 5 contains a small network and is laid out in such a way that the clusters and the connecting bridges are easy to observe. In data that describe large real life networks bridges and clusters are likely to be detected less easy. For a disintegration strategy that aims at bridges though, it is necessary to have a solid method for identifying the bridges in a network. Easley and Kleinberg bring out the network measure betweenness, or betweenness centrality, as a key measure for identifying bridges. Two adjacent concepts are necessary to determine the betweenness of edges: shortest path and flow. 2.2.3 Shortest path If a step is considered to be a connection between two nodes, the shortest path is the minimum amount of steps that have to be taken to arrive from a random node at another random node. In Figure 6 node A and C are connected over a connection {A-C}. The shortest path from A to C is one step.

Figure 6 Shortest path from A to E

In Figure 6 two paths are possible between A and E. The first path P = {A-B;B-C;C-D;D-E}, which contains 4 edges. The second path P = {A-C;C-D;D-E}, which contains 3 edges. Since P contains the least amount of steps, P is the shortest path from A to E. Since there is only one shortest path in this graph (k=1) a full unit of flow (1/k) can be said to pass along this path.

16

2.2.4 Flow The betweenness of an edge can be understood as the total amount of flow it carries, taking into account the flow between all pairs of nodes using this edge (Easley & Kleinberg, 2010:67). Or to rephrase this, the betweenness of an edge is determined by the amount of shortest paths that are crossing an edge. To make this explicit, edge {C-D} in Figure 7 carries 9 shortest paths. A to D A to E A to F B to D B to E B to F C to D C to E C to F

Because there are no multiple shortest paths from any node to another, every shortest path represents a flow of one. Added up, the edge CD carries a flow of 9.

Figure 7 Betweenness

In the graph no other edge has such a high amount of flow crossing it. The edges {A-B}, {A-C}, {B-C}, {D-E}, {D-F}, {E-F} have no other shortest paths crossing than that of the nodes they connect, so they all carry a flow of one unit. Consequently the betweenness of edge {C-D} is 9, while that of the other edges in the network is one. When the network in Figure 6 would qualify for a bridge targeted intervention, the most likely bridge to be targeted first would consequently be {C-D} 2.2.5 Bridge Oriented Disintegration Model The example network in previous paragraph is tiny, but the intent was to make clear as simple as possible how betweenness of edges can be calculated and hence how bridges between clusters can be identified. From this principle Easley and Kleinberg formulate the steps of a model that can disintegrate a network by systematically targeting the bridges. 1. Calculate the edge with the highest betweenness and remove the edge from the network. 2. Recalculate the betweenness of all edges in the network and remove again the edge with highest betweenness. 3. Continue recalculating and removing edges from the graph until all connections are deleted and the network ceases to exist. Figure 8 shows the steps of network disintegration when the logic of the Girvan-Newman method is applied. Without performing the calculations, the disintegration process can be visually reconstructed relatively simple. In the begin situation the bridge with the highest value for betweenness is the one that connects node 7 and 8. The removal of the bridge renders the graph (a) with a network component to the left and one to the right. After recalculation of the betweenness of the remaining edges, in the remaining components 4 bridges have an equal highest value and can be removed (b). After removing the remaining bridges the network remains fully disintegrated (c).

17

(begin situation)

Figure 8 Bridge targeting method applied to a network

18

2.3

Network Security Model

After developing two network disintegration models in previous paragraphs, this paragraph will consider the design of a network model that embeds both the hostile network and the security network that initiates the disintegration. The reason to do so is to obtain a network visualization of the topology of a network intervention. An intervention topology can be used not only to prepare interventions, but also to monitor the progress of an intervention. To be able to monitor an intervention, the model must be dynamic so that it can record the effects of the specific intervention actions. The model developed does not do all of that, but can be considered an upbeat for stimulating the topological imagination The network security model is synthesized from thoughts from Jeff Cares on Distributed Network Operations (Cares, 2005) and Jerry H. Ratcliffe on Intelligence Led Policing (Ratcliffe, 2003). 2.3.1 Targets, sensors, decisions, interventions Cares conceives security organizations as networked organizations. Hierarchical organizations that take decisions and distribute commands in a top down fashion represent methods of intervention that, according to Cares, represent an outdated centralized industrial age approach. Contemporary security organizations adjust to the network topology of security treats and become networked organizations themselves. Security organizations become hubs in a security network that are able to detect, observe, take decisions and organize interventions against threats themselves. Security organizations that adjust to distributed network principles gain flexibility and effectiveness in a way that Cares associates with a wolf pack, a set of relatively autonomous units that is able to attack a target from all sites where it shows beneficial. A security hub consists of a few components that are able to detect hostile activities, take decisions and intervene hostile networks. Figure 9 renders Cares basic security model in which the components maintain a circular relation with each other. The figure represents hostile nodes (targets) in red outline and friendly nodes in black outline. The Tnode represents a hostile network as a target for security organizations. The S-node embodies a sensor that detects hostile activity. The D-node stands for the decision makers who receive report on detected offensive activity. The I-node represents the intervention team that receives instructions to perform certain kind of intervention against the targeted node, which can also be a targeted edge. T = Target S = Sensor D = Decision makers I = Intervention team

Figure 9 Basic intervention unit according to Jeff Cares (Source Cares 2005: 79)

2.3.2 Added Intelligence Although Cares aims to make clear that network mathematics and in a broader sense the intelligence that analyzes possibilities for intervention should obtain an active and dynamic position in security networks, he does not make clear where exactly the math fits in in his model. Its not clear if analyses and intelligence activities belong to the sensor, the decision or the intervention units, or that a main body (Cares, 2005: 118) behind the different network segments takes care of the calculations and intelligence. Ratcliffe (2003) explicitly brings in the position of intelligence units in a security model that aims to describe the structure and processes of Intelligence Led Policing (ILP). Figure 10 shows how

19

intelligence units interpret a criminal environment (or targets as Cares called it). With the intelligence they obtain the intelligence units influence the decision makers for some kind of intervention against targets in the criminal environment. Ratcliffe constructs a basic organizational structure of security organization that tries to take in intelligence in its decision making and he defines the processes that are involved: interpreting, influencing and impacting.

Criminal environment

Interpret

Impact

Intelligence

Influence

Decision-maker

Figure 10 Model for Intelligence Led Policing from Ratcliffe

2.3.3 Synthesis In contrast to the model of Cares Ratcliffe leaves out units for detection and intervention. Although Ratcliffe does not explicit the model as a network model, his nodal representation of security organization lends itself for a sensible merge with Cares model. Figure 11 shows a synthesized rendition for intelligence led security that combines elements from both Cares and Ratcliffes models. T= Target S = Sensor AI = Analysis & Intelligence D = Decision makers I = Intervention Units

Figure 11 Basic model for intelligence led network security

In Figure 11 a sensor detects a target in the criminal network environment and notifies the analysis and intelligence unit. The AI-unit interprets the targets in the criminal environments and reports to the decision makers about threats and possible counteractions. The decision makers in their turn take decisions what to do and instruct the intervention units to make an impact on the targets in the criminal environment. The actions of the intervention units are monitored by the sensor again that briefs about it to the AI-units that assess the impact of the interventions. The decision-makers get informed and stimulated to make new decisions and provide new instructions to the intervention units. The synthesized security model does not only contain nodes with specific functions in the security topology, it also incorporates a cycle of security processes between the nodes. The cyclic character of the security actions enables the security network to observe the effects of its action and adapt its interventions where necessary.

20

2.3.4 Topology of an intervention model Figure 12 brings together the topology of a hostile network and the topology of security organizations that perform an intervention of that network.

Figure 12 Steps in network disintegration by security network

In the graph sensor S detects hostile activity by a set of nodes t5, t6 and t7. The unit for analysis and intelligence researches the network and detects a network set T = {t1 t14}. Subsequently the AI-unit advises the decision makers by the way of network calculations to attack bridging nodes t7 and t8. Conform instruction the intervention unit attacks the subscribed targets t7 and t8 which according to the Girvan-Newman method is the main bridge in the hostile network. In case of success the deletion of the bridge will scatter network T in 2 smaller components that no longer maintain connection with each other. After monitoring the effect of intervention by the sensor and additional analysis by the AI team the intervention team can be instructed over the decision makers to attack newly defined targets (bridges (t3-t7)(t6-t7)(t8-t9)(t8-t12)). After subsequent monitoring, analysis and decision making new bridges can be targeted, etcetera, until the network reaches a state of disintegration.

2.4

Concluding Remarks

In this chapter two strategic intervention models for systematic intervention against cybercriminal network have been derived from existing network theory: the Barabsian 5 15% Rule and the Girvan Newman Method.

21

The Barabsian 5 15% rule comes down to the point that scale free networks can be disintegrated by attacking the largest nodes in a network. By taking out 5 to 15% of the largest nodes of a network the hubs -, exchange between nodes will stop and the network will disintegrate. A not fully specified condition that Barabsi provides with the model is that the deletion of the hubs needs to take place at the same time. The Girvan Newman method focusses on the edges of a network for network disintegration. It specifies an algorithmic cycle in which edges in a network can be taken out in accordance with their importance for connecting clusters of nodes in the network. No specific conditions are given as to the time frame in which disintegration should take place. Network analysis, or better, network metrics belong to the heart of these strategies in that they provide the calculations that determine the specific targets that the models take in account in interventions. Within the 5 15% rule, they determine by calculation what the 5 to 15% of the largest hubs in a network are. Within the Girvan Newman method network metrics are used to calculate and recalculate the importance of the edges. Table 1 summarizes the steps of the two models.
Table 1 Strategic Intervention Models

5-15% rule 1 2 3 4 Identify 15% of its main hubs Delete 15% of its main hubs -

Girvan Newman Method Define a hostile network Calculate the bridge with the highest betweenness Remove the bridge from the network. Repeat two previous steps until network is disintegrated

Monitor the overall network disintegration

Finally, in this chapter a security model is developed in which the nodes of a targeted cybercriminal network and the attacking security organizations are unified in one network topology. This model is primarily aimed at stimulating the network topological imagination on how security interventions can be represented, but network metrics could be added and the model could be elaborated as a system for monitoring the progress of network interventions and disintegration.

22

Cases of Network Intervention

This chapter presents an overview of cases of real life interventions against cybercriminal networks. The cases are taken from internet reports and literature that deal with cybercrime and cybercriminal interventions. The structure of this chapter follows the distinction between the strategic models that were constructed in the previous chapter. Or rather, the cases are laid out along the different targets of the intervention models: hubs and bridges. Hubs are operationalized as computer devices (pcs, servers, mobile phones, tablets) and the human operators that constitute the criminal networks over these devices. Bridges are operationalized as infrastructural means that enable the exchange of bits and bytes between the computer devices in a hostile network. As a result the operational distinction makes up for three interventional categories that form the paragraphs of this chapter: technical devices, human operators and the network bitstream.
Intervention Model Disintegration Targets

Technical devices 5 15% Rule Human operators

Girvan Newman Method

Bitstream

Theoretical construct 2 Operationalization of targets the basic proposition

Theoretical construct 2 provides an overview of the operationalization of the targets in relation to the models. This chapter first brings in cases that relate to bitstream interventions, then looks at in interventions against technical devices and finally considers interventions against human operators of cybercriminal networks. The 5-15% rule and the Girvan Newman method are not explicated present in these paragraphs, of course, because the interpretation whether cases support the presence of the intervention models is the subject of the next chapter.

3.1

Bitstream Interventions

Bitstream interventions refer to interventions that occur at level of the network edges and that prevent exchange or interaction between nodes. In terms of digital exchange it means that bitstream interventions aim to prevent or disrupt in any other sense the exchange of bits and bytes between technical devices. 3.1.1 Firewalls, antiviruses and antispyware Firewalls, antiviruses and antispyware are example techniques that block the bitstream that travel from one network device to another. A firewall is usually a device that separates an organizational network cluster from the greater internet and that researches and blocks where necessary exchange from the organization to and from the internet. The source and destinations address of bitstream packages that internet devices exchange can be a reason for a firewall to block exchange. A webpage that is requested by a web user behind the firewall, but whose request is denied by the firewall because the

23

requested webpage is registered by the firewall to be hosted on a website with a suspect IP-address is an example of a blockade of exchange based on the destination address. The denial of a telnet session to a fileserver behind the firewall from an internet computer with an IP-address that does not occur on list for IP-addresses that are allowed to set up remote sessions is an example of a blockade based on source address. The criteria on which firewalls examine and authorize in- and outgoing bitstreams depends on its configuration and can include parameters like type of content, location, time, date, day, of week, participants and other criteria of interest (Goldman, 2006). Antivirus and spyware applications function like firewalls and monitor the bitstream that comes in a local network or computer (like emails, downloaded files and webpages), except firewalls act upon parameters that regulate the exchange of packages in the bitstream and antivirus applications analyze the content of the bitstream itself. Antivirus technologies try to detect and block specific patterns in the bitstream that indicate exchange contains certain viruses, worms, Trojans and other malware that would do harm to the nodes and networks that receive them.

Figure 13 Positive filtering (or blocking) function of a Firewall (source: Goldman, 2006)

Both antivirus programs and firewalls block communication streams and from that capacity take part in an isolation of hostile networks, or maybe better, they have a capacity for isolating the network they are protecting from the greater internet. Firewalls and antivirus devices do not take a direct part in the deletion of hostile nodes, but they can function as starting points for detection and analyses of network security (Schmid, 2006). By taking in samples of hostile activity and providing these for network analysis and (reverse) engineering they participate as sensors in the security cycle described in the previous chapter. 3.1.2 Routers Another type of devices that has an impact on the exchange of bitstream packages are the so called routers. Routers carry the bitstream between nodes on the internet (or other digital networks where nodes engage in distributed connections). In whatever type of exchange the nodes of a network are involved (data-exchange, file download, IRC-chat, Facebook), as long as the interaction uses internet as its transporting medium the exchange is facilitated by internet routers. Routers connect network hosts and segments with each other. Every package that is send from one device to another will at least engage one but likely more routers. Routers are the pillars of the infrastructure of digital network exchange. The network organizations that get control over routers get access to what was called the Achilles heel of networks in previous chapter, which means they can do serious damage to overall network functioning. Table 2 sums up sources, threats and consequences that router techniques can constitute for the networks they are part of.

24

Threat Source Outside Internal

Concerns

Threat Actions

Outcomes

Consequences Infrastructure Hosts Cut Delay Eavesdrop Looping Starvation

Access Control Authentication Availability Confidentiality Data Integrity Physical Access Reliability

Deliberate Exposure Sniffing Traffic Analysis Spoofing Falsification Interference Overload

Usurpation Deception Disruption Disclosure

Blackholing Churning Clog Congestion Instability Looping Overcontrol Partition

Table 2 Summary of threats to routers and their implications (Dommel, 2006)

Without going into details of considering all aspects of router security summed up in the table, its interesting to see that tampering with routers can have consequences for both the infrastructure and the nodes that they provide distribution services for (the hosts). A spectacular added effect that overloading (Table 2, column Threat Actions) can have for the overall functioning of the network is a form of disruption that is called cascading failures. When a router is overloaded it means that a router is receiving so much traffic that it congests and consequently its performance in routing the packages that arrive will fail. As a consequence the router can shift its workload to nearby routers that will also have to deal with increasing bitstream to a level that they will get overloaded. The overcharged routers will also drop function and pass their load to other nearby routers that also downfall by overload. A decreasing quantity of routers will have to deal with an increasing bitstream. In a parallel modus one after the other router will drop its functioning with the effect that parts or all possibilities for exchange in the network will drop. The consequence for the connected hosts and computers will be that they are still up as computing devices, but that there is no possibility over for network exchange, which renders the nodes isolated and the network disintegrated. 3.1.3 Operation Cisco Raider The importance of routers is stressed by Clarke and Knakes suspicion (Clarke having worked as cyberadvisor in the last Bush government) that router distribution was systematically targeted by Chinese forces. At the change of the millennium according to Clarke and Knake (Clarke & Knake, 2010) agents of the Peoples Republic reengineered routers from the worlds leading router firm Cisco and started mass producing the counterfeit router. Chinese companies then sold counterfeit Cisco routers at cut-rate discounts around the world. The buyers allegedly included the Pentagon and other federal government entities. Counterfeit routers started showing up on the market in 2004. Three years later, the FBI and the Justice Department indicted two brothers who owned a company called Syren Technology for selling the counterfeit routers to a customer list that included the Marine Corps, the Air Force, and multiple defense contractors. A fifty-page report authored by the FBI and circulated within the technology industry concluded that the routers could be used by foreign intelligence agencies to take down networks and weaken cryptographic systems. Meanwhile, another Chinese company, Huawei, was selling similar routers throughout Europe and Asia. The major difference was that, unlike the counterfeits, these routers did not say Cisco on the front. Their label said Huawei. (Clarke & Knake, 2010) According to Grow the FBI report on Operation Cisco Raider does not make clear if the production of the fake Cisco routers is initiated by the Chinese state or that it is a profit motivated enterprise by Chinese businessmen (Grow, 2008). News media on the internet do not make clear either if Chinese puppet masters somewhere behind the scene have real access to the counterfeited routers or that this

25

possibility is primarily perceived as a theoretical possibility. For Clarke and Knake to classify the counterfeiting as an act of cyberwar seems a bit premature, but the point here is not so much if the story of Clarke and Knake resembles true historical developments or that it is an uttering of antiChinese sentiments. The point is to stress that routers can have such an importance to friendly and hostile security networks that they can be expected to engage in activities to gain broad router control to be able to disintegrate adversary networks when necessary.

3.2

Device interventions

Next to exchange interventions that aim to gain power and possibilities to disintegrate networks by preventing exchange and interaction between nodes, security organizations can aim at taking over the nodes themselves and perform deleting actions directly against the nodes. Device interventions are interventions in which security organizations take over control of other devices (or clusters of devices) to use them according to their own security interests. 3.2.1 Hackers First, device interventions refer to human operators that take over targeted machines. The history of network computing next to being the history of how computers transformed mankind by connecting its computers is the history of how men started breaking in other mens computer devices as soon as they were connected. Hacking is the general term used for breaking in on a computer device. And the person who engages in accessing other mens devices is called a hacker. Hackers appear in all kind of flavors. Within the hackers world hackers supposedly categorize each other according to the level of skills they possess and the kinds of motivation in which hacking activities arise (Wikipedia, Hacker (computer security), 2012) . A common denominator for typifying categories of hackers is the color of the metaphorical hat they wear, referring to the color of hats the good and bad guys wear in Western movies. White hats are the good guys in the hackers world. They explore vulnerabilities in software and systems, with the purpose of repairing and reporting their results to vendors and security organizations for software and systems improvement. Another term for white hat is ethical hacker. Levy (2010) traces white hat computer hacking back to the beginning of the sixties, when students at the Massachusetts Institute of Technology (MIT) made serious attempts of bypassing organizational and operational procedures to gain access to the (non-networked) computers of the institute. These early hackers engaged in activities as converting Arabic numbers to Roman numerals and reprogramming the institutes computers to play fugues of Johann Sebastian Bach. The bottom line of these activities being that the early hackers did not so much care for cracking security as they did for getting access to computer devices and stretching the possibilities of the machines in unforeseen directions. Levy formulates the ethics of white hat hacking in a more vital, non-security oriented way as a spirit of sharing, openness, decentralization, and getting your hands on machines at any cost to improve the machines and to improve the world. (Levy, 2010:ix) Without wanting to dive in the history of hacking and its accompanying spirit, it is worth noting that white hat hacker ethics is not so solely concerned with security related issues, but that it contains elements of a broader vitalized philosophy and life style that originates outside the realm of security. But the history of white hat hacking is at least partly - restructured and redefined along goals that meet standards of formalized security. The International Council of Electronic Commerce Consultants, also known as the EC-Council has developed certifications, courseware, classes, and online training covering the diverse arena of Ethical Hacking. The quote serves as an example that white hat hacking has become a career possibility for which individuals with a technical mind set can sign up to be trained and employed by security organizations. A recent, interesting example of recruitment of white hackers by security organization is provided by the Cyber Challenge initiated by 5 the Dutch police corps KLPD . The challenge invites techies to crack a bitstream containing network
5

KLPD: Korps landelijke politiediensten (Corps National Police Services), The Netherlands

26

traffic that is tapped from an alleged cybercriminal and from there find out how the challenge leads to an invitation at the KLPDs high tech crime unit for a department tour and a job interview. The Cyber Challenge is part of KLPDs recruitment for engineers and other techies to fill in vacancies for about 50 internet detectives that will research cybercriminal networks that deal with Botnets and about another 50 detectives that deal with networks exchanging child porn. Black hats are considered the bad guys in the world of unauthorized device and network penetration, the ones who enter machines for profit seeking or political goals or both when black hatters offer their services to a market where any biding organization can contract their skills. Stoll (1989) for example offers an account of the latter, in which the German computer hacker Markus Hess accesses military U.S. server networks and retrieves military information that he sells to the KGB, the secret service of the former Soviet Union. Wikipedia makes a distinction between different kinds of hackers with malicious intent. Black hatters are the core of malicious hacking, circled by script kiddies who lack significant skills but use preformatted technologies in hacking computers and neophytes who are the newbies to the trade. Gray hat hackers form a kind of species between the strata of white and black hatters; hackers who enter systems without authorization and try to sell their knowledge of unauthorized access to the owners of the system. Hacktivists finally are networked groups that engage in obstructing and disabling network computers for social and political purposes; worldwide internet collective Anonymous being the best known and most active hacktivist group at the time of writing this masterthesis. Security organizations (or the hackers they deploy) that know how to access and operate on devices of cybercriminal networks can use their access to disable the devices in an attempt to disintegrate the infrastructural basis on which the network operates, or they can use their access to gather and extend their information on the functioning of the criminal networks that are accessed. In the latter case the analysis and intelligence function as discussed in previous chapter would be involved, which may be a prelude on interventions of operational teams against the criminal network. Poulsen (2011) documents an illustrative case on how device intervention is used for intelligent analysis and interplays with operational intervention. The case concerns the communication and exchange on the black hat expert website Shadowcrew.com. 3.2.2 Shadowcrew The website Shadowcrew started in 2002 as an underground on line marketplace for black hat hackers. According to Poulsen (2011) the website provided hacked personal data for sale as well as false IDs, stolen credit card numbers, magnetic card strips, card plastics, holograms, printers and machines to render full functional credit cards for product purchases or cash withdrawal. The article on Wikipedia on Shadowcrew mentions that about 4000 accounts registered for an account, of which different members registered with multiple accounts (Wikipedia, Shadowcrew, 2012). Next to facilities for product purchase Shadowcrew offered discussion boards, tips and tricks, and manuals instructing its members how to ensemble and monetize information and goods distributed on the website. According to Poulsen the website served goods and information that connected to a clientele with real needs. Hackers, carders and other frauds traded their goods and exchanged information. Credit cards were created and successfully monetized. Households, shops and banks worldwide were duped by the networks activities. Shadowcrew became a real life support platform for criminal networks or, as the sites motto proclaimed, for those who like to play in the shadows. Poulsens account of Shadowcrew has an interesting edge in that his story Kingpin does not follow so much the development of the criminal ventures of Shadowcrew, but rather that of the hacking career of one of its participants: Max Butler. Butler is an experienced and skilled black hatter that has an interest in acquiring credit card data for criminal enterprise. But Butler does not just buy data that are offered over Shadowcrews bulletin boards. In a stroke of criminal genius he has hacked the machines of

27

about a thousand of coparticipants in Shadowcrew and rather steals credit card data in fair amounts from their machines. Butlers hack gives him unrestricted access to the machines of Shadowcrew and when he finds emails that indicate that Security Service are getting involved with the affairs on Shadowcrew he gets suspicions that operators of the Shadowcrew are involved as informants for Security Services. In October 2004 his suspicion turns out to be true. United States Security Service recruited website operator Albert CumbaJohnny Gonzalez at Shadowcrew in May 2004 as an informant and since then almost all communications and trade information of Shadowcrew was transferred and analyzed. The Secret Service had converted Shadowcrews infrastructure to a Virtual Private Network (VPN) that was fully funded and delivered by the Secret Service. All data flowing over the VPN was directly taken in and analyzed by the USSS, resulting in a sixty-two-count conspiracy indictment and an arrest of 23 US citizens related to Shadowcrews website on October 24, 2004. Max Butler the main character in Poulsens Kingpin - was not one of them. Butler got arrested 3 years later for having run a similar black market credit card service to Shadowcrew under the name of CardersMarket. 3.2.3 Malware Next to interventions by human operators device interventions refer to software and automated processes that take over targeted devices. In the world of modern network computing automated take overs are manifold and diverse. The software components that perform device take overs are qualified as viruses, Trojans, worms, rogueware or with a general term: malware. Malware can be considered agents of some kind of network that takes an effort in developing and distributing malware. With the exception of some type of viruses that spread without control, malware tries to connect devices to the command and control center of a cybercriminal network that aims for some kind of activity. Devices that are kidnapped by malware can be used for information retrieval, altered function performance or the disabling of functionalities (culminating in the non-functioning of the device). Malware spreads itself in a variety of ways: as email attachment, in downloading webpages, nested in other software packages, or just seeking a way through the internetworks on its own (worms). When malware has arrived on a device it can perform malfunctions on its own (viruses), it can engage in communication and instructions with other devices on the malicious network (botnet agents for example) that launched or it can open up the host device for takeover by a human operator in the malicious network (Trojan horses). The use and application is commonly associated with cybercriminal networks that use malware to gain financial profit, steal data or just damage devices. Next two examples hope to make clear that the use of automated device interventions has transcended its profit seeking application by criminal networks and entered security arenas. 3.2.4 Stuxnet: search-and-destroy Stuxnet is a malware application that was first discovered in June 2010 by Sergey Ulasen from security VirusBlokAda (Minsk, Belarus) and subsequently researched by security engineers at computer security firm Symantec in cooperation with specialists worldwide. According to the reports, the malware is a most advanced piece of software component due to its complex and professional architecture and its ability to corrupt an industrial system on a level that security experts are not able to detect that the system has been corrupted by the malicious software. Stuxnet behaved like a worm and was able to replicate itself from one device to another, or better, from one disk to another. Stuxnet did not spread over the internet but replicated in Local Area Networks (LAN) over the drives from connected computers and was also able to replicate to USB sticks and other portable storage mediums. When the researchers found out the Stuxnet worm was designed to target Simatic WinCC Step7 software, it became clear that he ability to reproduce itself over disks was intentionally programmed

28

into the worm. Step7 software is an industrial control system made by Siemens that was used to program controllers that drive motors, valves and switches in everything from food factories and automobile assembly lines to gas pipelines and water treatment plants, but that usually operate in stand-alone settings without internet connections (Zetter, How Digital Detectives Deciphered Stuxnet, 2011). After deciphering the layered architecture of the malware, few questions remained as to what specific controller systems where targeted and what the effect would be. Not all Siemens controller systems that use the Step7 software that received the worm seemed to be affected. After more efforts in which Dutch industrial systems engineer Rob Hulsebos gave a decisive lead - the researchers finally found out the controllers where specifically targeting centrifuges in Iranian plants for uranium enrichment. The malware was designed to modify the parameters in the frequency converters that set the frequency of rotation of the centrifuges in which uranium is enriched. At specified time intervals Stuxnet programmed the centrifuges to rotate at such frequencies that the centrifuges would over and under roll and in the end break down. If the worm was effective is not unambiguously clear, but inspectors of the International Atomic Energy Agency (IAEA) that control replacement of centrifuges in Iranian nuclear plants to make sure no enriched uranium is smuggled out, have noticed unusual amounts of centrifuge replacement in 2010. The Natanz enrichment plant in Iran is said to replace about 800 centrifuges per year. The IAEA inspectors observed 1000 to 2000 centrifuges being replaced only in the first 3 months of 2010 (Zetter, How Digital Detectives Deciphered Stuxnet, 2011). Iranian Government officials have admitted the worm was detected in Iran and actions have been undertaken to remove the software. According to the officials the software did not affect Irans nuclear program. Not all pieces of the Stuxnet puzzle are solved yet. Pieces of encrypted code are still not understood and the question of the origin of Stuxnet remains: who made it and why? According to the experts who unraveled Stuxnet the complexity indicates that a professional team that has received government support must have developed the worm. In the light of international tensions around Irans nuclear program Israels secret intelligence service Mossad is speculated to be responsible for the project. Other voices mention US secret services as the originator of the malware, eventually in corporation with the Mossad. No state or secret service claimed responsibility for the development of Stuxnet (Wikipedia, Stuxnet, 2012). Postscript At the finish of this masterthesis New York Times published an article that reveals that Stuxnet is a project that was started in 2006 under US President G.W. Bush in cooperation with Israel secret services (Sanger, 2012). Project management and operational control were done by the US National Security Organization. Codename of the project was Olympic Games; the worm itself was referred to as the bug. The worm was released in 2007 directly on the computer network of the Natanz enrichment facility with the help of collaborating maintenance personnel and engineers (both spies and unwitting accomplices). Thumb drives (USB sticks) were distributed to get the worm on the Natanz net. The worm eventually escaped to the internet where it drew the attention of Symantec. When the worm got public US President Obama decided to intensify the attacks on the enrichment facility by releasing new versions of the worm. According to the New York Times 1000 to 5000 centrifuges have been destroyed. 3.2.5 Japans cyberweapon: counterattack-and-destroy The emergence of Stuxnet has shaken up the cybersecurity world. Its professional design, the complexity of its functions, its persistency and its ability to search for remote isolated targets and perform physical damage to the targets has grabbed both the imagination and awareness of security communities. Stuxnet has redefined the meaning of cybersecurity and it is most likely that its

29

organization and operations will have an exemplary function for security developments in times to come. The Daily Yomiuri, one of Japans national newspapers, reports in January 2012 about a cyberweapon that resembles Stuxnet like capacities (Yomiuri Shimbun, 2012). The cyberweapon is not so much a weapon for attack, but counterattack. It is supposed to perform Stuxnet like search-and-destroy functions and it is engineered in commission of a powerful actor: Japans Ministry of Defense. Japans ICT giant Fujitsu acquired the contract for the development of the weapon in a tender. And the ICT provider could well develop the weapon as a part of its WisReed technology (Fujitsu, 2012). According to the Yomiuri the weapon is developed for use on the internet and other electronic networks, but it is now in use for experiments behind the firewalls of Japans governmental intranet. The Daily Yomiuri published a network infographic (Figure 14) that illustrates the perceived automated operations of Japans cyberweapon.

Figure 14 Operations of Japans cyberweapon (source: The Yomiuri Shimbun, 2012)

The weapon spreads itself as a worm over the devices on a network. When it arrives on a host it sets itself back in detection mode, waiting for other malware or intrusions to occur. When the weapon signals a security breach on its host computer it gets active by tracing the source of the intrusion and jumping over to the attacking device. At its new host the weapon analyzes if the current host is the originator of the attack or merely a springboard for the treat. It disables the source of attack at its current host and jumps over to device that intruded its current host. On its new host it analyzes the status of the attack; it disables the malicious software jumps over to the next computer, and so forth and so on, until it reaches the device that initially launched the attack. Interesting in this example is that the security cycle of detection, analysis, decision and intervention that was discussed in paragraph 2.3 is embedded in the software weapon itself. An alternative concept of automated target searching software would be Trojan like abilities to connect back to the human operators for additional analysis or decision in the progress of its intervention. This kind of

30

feedback mechanisms are assumed to be embedded in Stuxnet. According to the Wikipedia article, instances of the Stuxnet worm phoned home as long as they resided on the internet to receive additional commands and to be updated to newer versions (sic) of the software. Comparing Stuxnet and the Japanese cyberweapon brings forth an interesting similarity. According to the Yomiuri Shimbun Japans Ministry of Defense contracted Fujitsu in 2008 for the development of the counterattacking worm. And according to the Wired-timeline on Stuxnet (Zetter, Stuxnet Timeline Shows Correlation Among Events, 2011) the first attacks of Stuxnet took place in beginning of 2009, which makes it sensible to assume that the development of Stuxnet must have taken place in 2008, from where the conceptualization of projects for realizing the cyber weapons must have taken place in 2007. This pinpointing of dates is not so much intended to suggest that the development of the two cyber weapons are somehow organizational or practical related, but to suggest a year that powerful security organizations worldwide conceived the need for realizing security tools that before that projects belonged more to the realm of stories of fiction.

3.3

Interventions against operators

3.3.1 Black Ops Six months before Sergey Ulasens discovery of Stuxnet in Minsk, in January 2010, Iranian nuclear scientist Massoud Ali Mohammadi was assassinated in his habitat Tehran. Up to January 2012 other Iranian nuclear scientists, technicians and nuclear related machinery have been targeted, assassinated and blown up in physical assaults. Another victim according to Israels newspaper Haaretz being Dariush Rezaeinejad, an electronics PhD student who participated in developing highvoltage switches, a key component to setting off the explosions needed to trigger a nuclear warhead (Haaretz, 2011). Commenters on Haaretz discussion forums mention the Mossad as a possible contributor to the black op style attacks. Others mention Iranian opposition parties being responsible for the killings. The emergence of Stuxnet at the cybersecurity scene, a high-tech Worm developed with the intention of destroying nuclear equipment, coincidences with a series of high security terrorist style attacks aimed at undermining Iranians nuclear program. It is not the intention of this research to suggest a connection between the physical and the cybernetical attacks as it neither is an intention to suggest the opposite but the point is not to think away from the theoretical possibility that security organizations who operate in realms of covert action can physically target network operators as a means of disintegrating cybercriminal networks. To distill the theoretical notion: security organizations can decide on physical elimination of both human and technical network actors when they find necessity and legitimization to engage in state security activities that in political hindsight lie beyond the regular operations of democratic law and jurisdiction (what Dutch and Germans understand as Rechtsstaat). 3.3.2 Prosecution: Esthost and MegaUpload The possibilities for legal action by security organizations that are bounded to operate within the restrictions of the Rechtsstaat, have been gradually evolving since the introduction of computers and computer networks in global society (Clough 2010). New laws, investigative tools and international cooperation have been introduced in fighting cybercrime and cases where security organizations successfully intervene against the human operators and actors of cybercriminal organizations occur in the media regularly. Two cases that made headlines in the timespan of constructing this research are the so called Esthost Botnet and MegaUpload. In November 2011 the Esthost Botnet was taken out of operation in Operation Ghostclick. The botnet contained a network of about 4 million malware contaminated computers that were comprised in click fraud; the business model being the redirection users of the corrupted computers to websites and advertisements that generate pay-per-click bonuses for the botnet operators. Six Estonian organizers

31

of the botnet were taken in custody by the Estonian police in cooperation with the FBI (FBI, 2011), the Dutch KLPD and private internet security firm TechMicro (Hacquebord, 2011). The server park of the gang was dismantled and the botnet stopped operating and the nodes fully disintegrated from the network. In January 2012 the public sharing site MegaUpload.com was shut down. The site gave about 150 million paying subscribers access to movies, books, pictures and other copyrighted materials (Biddle, 2012). The website was said to generate 4% of all internet traffic daily (Tooley, 2012). The New Zealand police arrested Chief Kim Dotcom and other members of the organizing gang of MegaUpload.com that faces charges of illegal copying and harming copyright holders for about $500 million dollar (Kravets, 2012). 3.3.3 Invitas Eastern Europe Branch Poulsen (2011) documents how FBI teams try to extend their jurisdictional reach by establishing Invita, an internet security firm that is looking for talented security programmers to start up Invitas Eastern Europe branch. From that ambition talented Russian programmers are invited to come over to Seattle, US, Invitas home base, and participate in a job interview; costs and expenses all provided for by Invita. The applicants that are invited are suspected Russian hackers and cybercriminals. When they arrive at Invitas headquarters they are asked to show their technical skills by trying to crack Invitas server network. The keystrokes of the Russians and subsequent actions were all registered by the FBI and are used later by the FBI to break in on the hackers Russian computers and use the data as evidence. After the interview the applicants are arrested. The operation of the FBI was considered legal (Wikia, 2012) and the Russians are sentenced to three years imprisonment. It would be interesting to find out what more attempts security organizations have undertaken to lure suspected criminals into territory where the security organizations can exert juridical power and what techniques have been used for the trickery. Interesting question would also be how effective and structural techniques like this can be. It can be expected that stories about deluded colleague hackers will snowball over the connections of cybercriminal networks as stories that serve as warnings and words of precaution, and that the viability of the tricks like Invita will fade. 3.3.4 Koobfaces Public exposure A practice that seems to emerge and that expresses the difficulty of security organizations to reach out their powers to prosecute human operators of criminal networks is the attempt of public exposure as a form of disabling the operators. The Koobface botnet serves here as a case. Like the Esthost Botnet, according to a report of Villeneuve (2010), the Koobface Botnet installed malware on devices of internet users and rerouted browser clicks of the users according to scripts that complied with click-per-view and click-per-install programs. The business model of Koobface is that it spreads hyperlinks over user accounts of social networks like Facebook (notice the anagram), Twitter, Fubar, Tagged and other social network communities. The links are disguised as messages of friendly contacts and by clicking the messages users are taken into a click sequence that is aimed at the installation of the malware. If the malware succeeds to install, the browser sessions of the users are taken to sponsored websites and advertisements. The botnet can even deploy forced software installations on user machines where it receives commission for on a pay-per-installation base. Although reports like Villeneuves and that of TrendMicro (Baltazar, Costoya, & Flores, 2009) have documented the workings of Koobface extensively and personal details of the operators of the botnet (located in St. Petersburg, Russia) have been worked out, no interventions have been undertaken against the network. Unwillingness on side of the Russian police force is suggested as the main source of the continuation of Koobface. As a subsequent action security agents have started to publicly expose the technical and personal details of the Koobface organization. On January 9, 2012 Dancho Danchev, an open source intelligence (OSINT) analyst, revealed names, residential

32

addresses, telephone numbers, mail addresses and photo series of the Koobface operators on his weblog (Danchev, 2012). Security firm Sophos shortly followed with an extended version of photos and private details of the Koobface operators (Drmer & Kollberg, 2012); shortly followed by a publication in the New York Times based on data that Facebook provided in cooperation with Sophos (Richmond, 2012).

3.4

Concluding remarks

Next chapter considers how the cases reflect the strategic models. These concluding remarks apply to the diversity of the cases that were found and the effectiveness of the structure that was used in ordering these cases. Two adaptions of the initial structure seemed to have slipped in during the process of documenting the cases. First, considering interventions against devices, a distinction was made between manual (hacking) and automated interventions (worms). And second, the interventions aimed at public exposing the Koobface gang seems to make up for a category that was neglected in the initial structuring of the cases: interventions against the edges between operators, the human nodes in the network. The category was not supplied initially because it was not thought of to have any relevance, but the case of the Koobface gang makes clear it does. Blaming and shaming human agents can be considered interventions in the social communicative exchange of operators. This communicative exchange between operators can be thought off to take place over the digital networks (social media, chat forums) and beyond the virtual world in the social networks of everyday life. Another interesting point is that - as the case of routers showed - interventions can have consequences for both nodes (hosts) and edges (infrastructure). A strict distinction as to what type of intervention should be applied to what kind of target does not seem necessary in classifying interventions. Intervention types can, in principle, be designed and directed towards all network elements.

Intervention Type

Targets

Bitstream Automated Devices

Operators Manual Communication

Theoretical construct 3 General model for classifying cybercriminal interventions

From these considerations a general model for classifying cases of cybercriminal interventions can be (re)constructed (theoretical construct above). Specific attributes of interventions, like the 5 15% rule

33

and the Girvan Newman method, can be considered to be part of specific cases that are documented according to this scheme. Some categories may seem to be far-fetched, like automated interventions against operators and communication, but to keep up with the pace of developments it seems beneficial to maintain an open mind. Missile lock-on can be considered automated intervention technique against operators and objects in traditional warfare. And its not hard to imagine that scripted blaming and shaming can be developed as automated technique against communication that is applied on social media on other communication forums.

34

Contemplating Strategic Models and Interventions

The question if the cases in previous chapter match algorithmic patterns of network disintegration can be answered with a quick no. None of the cases of security interventions convincingly demonstrates network metric patterns that could be expected when strategic models would be applied. But at the other hand the cases are not fully void of calculus. MegaUpload.com and the Esthost botnet were disintegrated by taking out the main hubs. And the target oriented attacks of Stuxnet for example seems to rub against strategic modeled interventions. Interventions against cybercriminal networks do not seem to be a black and white story; elements of calculated disintegration that comply with strategic intervention models do seem to play some part in it all. Table 3 systemizes the cases (rows) and strategies (columns), and provide an indication if the interventions reflect algorithmic strategies or not. No plusses are applied. Some cases qualify for plusminus. This chapter will reflect on the results that are summarized in the table. The main thought will be that real life criminal networks have network mathematical properties, but that they are not frictionless models that can be mathematical manipulated at will. Networks are vivid, dynamic entities that respond to events that occur in its environment.

Table 3 Interventions and strategies

Nodes & hubs Exchange interventions Firewalls, antiviruses and antispyware Cisco Raiders Device interventions White hat hacking Shadowcrew Stuxnet Japans cyberweapon Interventions against operators Black Ops MegaUpload Esthost Invita Koobface

Clusters & bridges

Remarks

Bad case, only defense, no counterattack Random targeting over marketing strategies

+/+/-

No adequate data found Hub specific orientation that is too small Embedded strategic architecture Embedded strategic architecture

+/+/-

+/-

Major hubs taken down Major hubs taken down Hub specific orientation that is too small The effictivity of public exposure is unsure, but the phenomenon accounts for a new intervention category

35

4.1

Bad case, related questions

Firewalls and antiviruses do intervene in the free and uncontrolled exchange of bitstreams over connections between nodes and clusters of nodes, but they lack any counter attacking force. They protect friendly nodes and clusters against malicious attacks without countering the attacking devices, not in a singular way, nor in a systematic fashion as the strategic disintegration models prescribe. From the perspective that firewalls and antiviruses do not aim to disintegrate hostile networks, but are designed to prevent the networks they defend from disintegration, they do not classify as cases for researching how strategic algorithms contributes to network disintegration. The case of firewalls and anti-viruses does not help to elaborate on the theoretical proposition but some related interesting theoretical issues can be noted. Does for example the distribution of protective devices and software somehow follow the logic of scale free networks in a broader sense? Are hubs better protected against exchange interventions than simple nodes? Does the power law of distribution that states that in scale free networks there are a few nodes that are huge and many, many nodes that are relatively small apply to security distribution? And does that distribution of protection tools correspond to the size of the nodes and hubs it protects? If so, what mechanisms could be at play? Does self-awareness of the importance of supernodes for example play a role or the high level of technological expertise they already possess? Or, to refer to the importance of fitness, is adequate protection of its servers and local networks a prerequisite to remain in position as a hub? Business strategies of Google and Facebook for example seem to converge at the development of connecting all kinds of data and application services in an attempt to optimize the ties between the gathering and display of personal data of its users and network marketing revenue models (Nielsen, 2012). Can business strategies of such supernodes expand and succeed without a corresponding high level of security of these connections? The case of Diginotar for example, in which a main provider of security certificates for government organizations was found to have overlooked the exchange security of its own local area network and disappeared from the certificate security market overnight after it got hacked and security keys were stolen, seems to indicate internet hubs are indeed increasingly dependent on their network security for survival (Zetter, DigiNotar Files for Bankruptcy in Wake of Devastating Hack, 2011). At the same time the Diginotar case illustrates that the level of security does not automatically correspond to the importance of its position in the network. The fitness of a node was earlier in this paper defined as the ability of a node to provide a service of some kind that is appreciated by other nodes. This definition should be extended with the condition that a node must be able to protect its services to a level that security issues dont cause the other nodes to withdraw from the use of the services.

4.2

Marketing Strategies

The case of the Cisco Raider, where counterfeited routers penetrated US governmental security networks, does not serve a very adequate example of in network disintegration either. Theres no report that deals with any attempt of the fake routers with factual disintegration, its even not clear if the routers could be used for remote disintegration by the Chinese government. But the case also provokes some related theoretical thoughts since it illustrates an interesting point on the possibilities of gaining access to a hostile network by security powers (the US network considered here the hostile network from a Chinese cyberwarfare point of view). The point of interest is that security organizations can gain access to targeted networks over marketing sales strategies instead of over methods that resemble the strict calculations of the strategic models. The distribution of intervention devices over a low price marketing strategy has something ambivalent to it that counters the controlled character of the intervention models. The fake Cisco routers found a place on the digital networks of serious US security organizations, but this effort incorporates the element of luck. If the government organizations would not have favored a low pricing purchasing policy, or if they could have gotten a better deal from another supplier, the routers would have remained outside the infrastructure of the network.

36

The problem with marketing strategies to intervene networks with security devices is that they carry elements of randomness that stand counter to the strict procedural progression of for strategic approaches in security modeling; which is not to say marketing strategies are or cannot be successful in penetrating networks. Dutch newspaper Het Parool for example reports on a new European Center against cybercrime that the European Commission wants to initiate (Boogaard, 2012). One of the successful branches of cybercrime that the Center has to counter, according to Het Parool, is that of criminal gangs that produce and deliver infected computers to the hardware market. The computers are supposed to become part of a botnet as soon as they come on line. Het Parool mentions botnets, but it is not hard to envision other cybercrime and cybersecurity applications for in advance prepared computers. Trapped computers can be used to sniff data and document repositories that users start building on their new device; user accounts on remote sites can be taken over; they can be used for the typical Botnet activities: DDoS attacks, email spamming, ad spoofing; the kernel of the operating system of the machine can be controlled so that the computer can be permanently disabled with a remote command; even explosives or capsules can be attached to the motherboard and detonated remote. The idea that computer devices are systematically prepared for serving criminal networks in the assemblage process - instead of on line software contamination - is new to this research. The distribution of the devices over retail channels has something uncontrolled and random about it, but it is an interesting question how successful practices of delivering maldevices to a free market is for criminal or security ventures are. And, not at least, what the possibilities of these devices are for controlling the network they become part of.

4.3

Security Intrusion Teams

Adequate data on white hat hackers or hacking intervention teams and the way they organize and operate have only been found minimally. White hat hacker groups or maybe better legal intrusion engineers do exist, but the cases did not delve deep enough in their organization and methods of operations. The introduction of this research already mentioned KLPDs High Tech Crime Team and additional queries bring up mentions of Chinese hacker groups that systematically attack and infiltrate targets worldwide in benefit of Chinese security ends. But what they do and how they work is not described; their existence is even disputed (Hvistendahl, 2010). Also, the US National Security Agency (NSA) is mentioned to maintain Red Teams (or Tiger Teams) for invading hostile networks (SecPoint, 2012), but additional data could not be found. What intrusion teams exactly do, and if how strategic models and network analysis play apart remains unclear.

4.4

Black Market Rhizome

The case of Shadowcrew illustrates how security organizations infiltrated a hub where cybercriminal networks were active in selling and purchasing black market products and services, but the security activities were directed at information gathering on operators so that they could be legally prosecuted. The website of Shadowcrew was in the end taken out of the cybercriminal scene, but the deletion of this specific hub does not indicate a specific interest of the security organizations in following a strategic model in disintegrating black market networks or carder rings. As a consequence similar black traders sites like Butlers CardersMarket could have been initiated and operated. Since theft of credit card data is still preeminent on the web (Nazari, 2012) the trading of card numbers and appliances to monetize the cards seems to flourish. The network of these markets can be theorized as a black market rhizome; rhizome being a growth method of plants which grow in surface extensions through interconnected roots oriented in a vertical fashion (Haggerty & Ericson, 2000).

37

Figure 15 Rhizome as a metaphor for hidden growth. At the left a graphic illustration of a rhizome plant growth (source unknown). At the right an illustration of a rhizome network, with colors indicating the possible state of visibility (source Ge (2012))

Figure 15 shows an illustration of a rhizome. Part of the rhizome grows visible above the surface and other parts grow hidden underneath the surface. When a part of the rhizome network is broken down it does not affect the overall growth of the network. When the conditions are right, new parts of the network arise above the surface. Black market websites resemble rhizome in that nodes that are removed from the network do not affect the survival of the network but only seem to facilitate the appearance of other sites that operate in a similar fashion as ones that disappeared. A problem in designing strategic models for fighting cybercriminal networks with rhizome like properties is and this is actually a very fundamental problem that the full topology of the network is not known, because it has not appeared at the surface of the internet yet. So how then can security organizations determine 15% of crucial hubs or the order of clusters that have to be deleted to disintegrate a network? The rhizome perspective on cybercrime poses a bit of a dark, at least pessimistic view on the possibilities of security organizations to be especially in the long term effective in taking down cybercriminal networks. The volatile distilled, hydratic rule if one node is down, another will arise seems to predict and endless loop of cybersecurity actions that only generate new cybercriminal initiatives.

4.5

Strategic Software

Software automated interventions on devices seem to be able to deal with this duality more adequate than human interventions. Due to their automated character they adhere more adequate to the dynamic properties of networks than human agents do. To recall the Stuxnet example, in case the Iranian nuclear enrichment plant replaced broken down centrifuges while the Stuxnet worm was still active on Siemens industrial controller new nodes in the network (the centrifuges) seems to have been attacked with the same ease by Stuxnet as the centrifugal nodes that were already up in the network when Stuxnet arrived. Even when Iran would have set up a new nuclear enrichment plant with the same technological architecture, Stuxnet would have been able to reach it over its automated procedures for spreading and activating itself. Stuxnet seems to embody the strategic models for disintegrating networks up to certain level. As far as conceived it doesnt explicitly show Barabsian or Girvan Newman like calculations, but it targets specific nodes and is systematic in attacking these nodes. The strategic model that incorporates Stuxnet can be abstracted as follows:

38

1. 2. 3. 4.

Search and penetrate a host; Detect if it belongs to the target range; If no, search and penetrates other hosts that can be reached; repeat previous step; If yes, destroy nodes in the cluster to which the host forms the controlling center.

The case of Fujitsus cyberweapon seems to inhibit a comparable straightforward intervention model. Distribute, spread and wait until you discover an instance of an attack, seems the sequence of the model. Then trace the malware back to its root and destroy the root. Both Stuxnet and Fujitsus cyberweapon do convey the thought that not so much the strategic models that are constructed in this thesis necessarily guide interventions, but that custom strategic models nonetheless inhibit automated interventions that aim to disintegrate hostile networks.

4.6

Fear as a side effect of interventions

The premier site for illegal downloading high quality content, MegaUpload.com, was said to be accountable for about 4% of the total amount of internet traffic at the time the site was seized. 4% of the total amount of internet traffic must add up to 5 to 15% of the amount of traffic of sites and platforms for illegal downloading. According to the 5 15% rule the whole network of illegal distribution of high quality content must have disintegrated from this seizure. And indeed, taken from the browser experience of this research, the closing of MegaUpload.com seriously disturbed the flow of connectivity and exchange within the networks of illegal distribution. Comparable sites as FileSonic.com and RapidShare.com all closed their public sharing functionality day after the arrest of Kim Dotcom and his crew. Ebookee.org - a prime discloser of high quality content books - does not provide working links since then Two remarks can be made to this observation. First, the general network for illegal down appeared to be down after the seizure, but the network was not disintegrated. If you search well for alternatives you will find them. An article on Gizmodo.com even lists alternative possibilities (Henry, 2012), although one of them is Rapidshare.com, which - as already observed does not function. Piracy alternatives that use different techniques than MegaUpload.com (bittorrent, Usenet) do not seem to be touched by the seizure. In interesting question is if downfall of the download network is permanent or that it will gradually fade away, and that in line with rhizome theory - new heads will sprout where one was cut off. Another remark has to do with this researchs impression that fear for prosecution and security intervention stimulated the disconnection of other hubs in the network after the closing of MegaUpload.com. The hubs itself (FileSonic, RapidShare) did not malfunction; the operators refrained from serving the public. And this is not the sort of effect the Barabsi model predicts. The model states that a network will disintegrate because its internal robustness is broken and exchange cannot take place any longer due to failing connectivity, not because the spirit of the remaining operators is flawed. Fear for prosecution or interventions otherwise does seem to be a real side effect of security interventions, independent of the time span it takes in effect.

4.7

The relative ease of disintegrating a star network

The Esthost botnet that was rolled up in November 2011 in cooperation by the FBI, KLPD and TechMicro contained about 4 million nodes, which can be considered a huge cybercriminal network. Upon closer inspection the topology of the network is relatively simple. The botnet consist out of a commands and control center that directs the rest of the network, which makes a botnet actually a star network how extended the range of its satellite may be. So the breakup of the Esthost Botnet can be considered a success in the light of the security organizations efforts, but the disintegration does not really make a case for involvement of the strategic models. Yes, the security organizations fully disintegrated a cybercriminal network by taking out the major hubs. And no, the network was a relative simple star network that lacks the robust complexity that the strategic models are designed for.

39

4.8

Luring into the unknown

Next to the Shadowcrew, the rhizome effect seems to undermine the Invita Enterprise. The FBI that tricks the Russian hackers into US territory and the consecutive arrests points to an interesting jurisdictional experiment in fighting cybercrime. But the disintegrating effect on the Russian or even international hacker scene can be without going into further analysis - assumed minimal. The greatest effect of this operation on the hacker scene is probably that hackers think twice before they accept an invitation for a job interview in the US.

4.9

Targeting Communication

The conclusion of the previous chapter already discussed that the intervention of public exposing the members of the Koobface gang from St. Petersburg makes up for an explication of an intervention category: that of intervention of the communicative exchange in the social networks of the human operators of a criminal network. By blaming and shaming security interventions can aim to discredit the reputation of cybercriminals that are out of juridical reach and drive them in isolation. According to Morselli (2010) criminal networks main worries are to avoid public attention. A position of not being in the thick of things, as Morselli calls it, is a position that is beneficial for criminal business. Public attention for criminal activities would draw attention of external controls to the criminal network which can provoke legal actions that try to intervene and stop the activities. Out of theoretical interest some possible targets are considered that security interventions against operator communication can aim at. Security interventions can aim to disturb the peer communication among the cybercriminal operators that have taken up the criminal venture. Interventions can convey false presentations of motives, actions, decisions, ambitions and other idiosyncrasies that disturb the consensus among the peers on the organization of their venture and the different roles and positions they take. Interventions of business communication can try to harm the business relations with external resource providers. Revealing the true nature of cybercriminal ventures may for example scare Internet Service Providers away from offering connectivity services to the criminal organization. The intimate sphere of friends and family can be intervened by revealing information about the nature of the businesses of spouses, friend, sons and daughters. The aim of interventions in the intimate circles of cybercriminals can be to establish conflict and stress on a social psychological level that may contribute to a change of heart in business orientation of the network operators.

How interventions in communication networks can be organized and what techniques can be used and are in use - other than exposing personal information on the internet, seems a terrain to explore. Kott (2007) for example mentions the cascading failure that was discussed in previous chapter as an overloading technique for a router network can also be applied in organizational decision making. When one decision-maker is overloaded, the effects spill over to other decision-makers in the organization (particularly through an increased number of erroneous decisions made by the overloaded element) and cause the deterioration of their performance as well. (Kott, 2007:125) If and how network calculations can be applied in communication interventions, and if and how the 515% rule or the Girvan Newman apply to communicative interventions can be considered too. The fluidity of the communicative targets should maybe be discussed in strategic terms that use different less quantitative conceptions.

40

4.10 Concluding Remarks

The cases do not overwhelmingly support the presence of strategic models in real life intervention cases. The only case that adheres to the strategic network logic is the Stuxnet worm and the criteria should even be loosened to underpin this claim. The worm is programmed to target specific nodes and it follows a specific route to arrive at these nodes. When it was performing its disintegration activities it seems to include replacement parts in its attacks too. If Stuxnet followed a specific order or attributed specific weight to the nodes it attacked the main criterion for use of a strategic model is not known. The reflection on the cases did not find any convincing proof of the use and presence of strategic models. The next chapter will try to find an explanation for it. What the reflection did find though are some interesting questions on network interventions and cybersecurity, that will summarized here. Can the distribution of protection techniques (firewalls, antiviruses) be understood from a network structural perspective in which the size of a hub corresponds with its protection level? If so, how does the size of a node translates into its security level? If not, from what kind of (business) logic does the security level of organizations spring? How do commercial sales and distribution processes of computer equipment contribute to the formation of cybercriminal networks? How are professional hacker-squads organized? Is the phenomenon of hacker squadrons that are employed in government service on the rise? How can network analysis be deployed in Stuxnet like cyberweapons? How does a discipline for Psychological Warfare look as sub discipline of cybersecurity? How do rhizome features of cybercriminal networks contribute to its persistency?

The answers to the questions will not be answered here, but must be researched elsewhere. The last question on the rhizome features of cybercriminal networks though will return in the next chapter that sets out with a theoretical explanation why it is unlikely that as this chapter brings forward security interventions

41

Resilient, resistant Networks

It is not easy to disintegrate a network. First, nodes and edges that are defined as hostile may be hard to reach - like the Koobface gang in St. Petersburg or the Siemens centrifuges in Iranian uranium enrichment plants. And second, wherever security interventions reach out to intervene, the network does not tend to wait passively for deletion according to one or another strategic model. Just as security organizations try to protect friendly networks against intrusions from hostile networks, hostile networks will try to protect themselves against security interventions directed against them. Networks can be considered to be resilient and resistant to the interventional powers that attack them. This chapter tries to understand where the resilience of a network comes from and how it can be understood in network terms. By doing so it provides a frame for understanding why the elegance of strategic models for network disintegration has a purely mathematical base, but cannot be put to effect in attacking real life cybercriminal networks. The first paragraph in this chapter discusses some of the methods that networks under attack can apply to enhance their resilience and organize resistance. Paragraph 5.2 tries to understand the resources of resilience as connections that networks maintain with a multitude of other networks. Paragraph 5.3 finally sets out with a reconceptualization of the network analytical framework to include the multiple dimensional aspects of networks.

Real Life Use of Network Analysis

If real life interventions do not show traces of strategic algorithms it is because they are not used in the preparation of interventions. This assumption seems to provide a shortcut in explaining the lack of support of the cases for the strategic models. To gain a better insight in how network analysis is used in preparation and operation of intervention, this research addressed some questions to cybersecurity professionals over internet discussion groups in LinkedIn and the Dutch website Politie 2.0. About 10 professionals responded and the impression they convey is that network analysis is indeed not used directly in interventions in a way the strategic models suggest, that is, by calculating and recalculating an order of nodes or bridges that should be targeted in order to disintegrate the network. The use of network analysis seems to be restricted to research of cybercriminal networks in a variety of ways. Thread identification, exchange pattern analysis and monitoring of cybercriminal product and service development are suggested. The respondents seem to consider the benefits of network analysis as a complementary tool to other research tools and techniques. One of the respondents sees a complementary use for network analysis and computer forensics. Other respondents consider network analysis more like a kind of meta-tool that provides a general overview of hostile networks. One professional brings out: It gives an essential overview of the working area in order to conduct proper investigation. Or as another puts it more practical: You cant detect and fight the threat if you do not possess a proper picture of the network and its components. In operational cybersecurity network analysis seems to stand more at the beginning of operations then at the interventional end. This practical position is likely to account for the lack of traces in operational cybersecurity in so far the cases adequately resemble it. The approach in this research is a theoretical though. Consequently this chapter tries to grasp a theoretical sense of how dynamics in the subject matter of network analysis the topology of cybercriminal networks obstruct relatively easy interventions like the strategic models promote.

42

5.1

Ways of resistance

There are different ways in which a network can react when it detects that an intervention takes place. Following paragraph describes how endurance, recovery, disconnection, defense and counterattack can be used to withstand a security attempt to disintegration. Combinations of methods of resistance seem possible too. 5.1.1 Endurance Endurance of an attack seems to be the most basic form of resistance and resilience against a security intervention. When devices, connections and operators are not paralyzed or destroyed, they can simply draw back activities, hide, sit still, and wait until the attacks are over. The Koobface gang for example that is confronted with public exposure as a form of disintegration, could as a reaction lay low on its social visibility in the physical and digital world and wait until the wind of public exposure has blown over before entering public life again. 5.1.2 Recovery After enduring an attack networks can start recovering the damage that has been done to a network. Or as the replacement of nuclear centrifuges in Iranian enrichment plants shows replacement of damaged nodes can even take place when a network is under attack - although in this example it is not clear if the network that was taking in the hits was aware that the damage to the centrifuges was caused by a cyberattack. What matters is that damaged nodes can be restored, destroyed nodes can be replaced and isolated nodes can be reconnected. Or, in the case if resources are available; a destroyed network can be rebuilt from the ground up. Shubik and Zelinsky (2012) discuss in this context how network organizations should try to increase capacities of what they call post-attack recovery regimes to recover as smooth as possible from attacks. Although their article deals with social and technical networks in general as a case they use an electronic grid that faces potential terrorist attacks. The points of advice they offer to develop an efficient post-attack recovery regime for an electronic power grid are considerable. In general terms they can be reformulated as follows Study the network to learn its vulnerabilities and better understand cascading failures Undertake efforts to monitor and detect network breakdowns in real time Build up stock replacement parts for critical facilities to reduce offline time in case of attack Develop and test contingency plans for cases of network breakdowns Improve the network architecture to produce subnets and clusters Encourage the research and production of backup systems

The authors propose measures to endure and recover from an attack by investments in research, monitoring, stock building, developing contingency plans, network architecture and maintenance. These investments are considerable in that they erect or continue to erect facilities and organizations around the network that enhance its recovery. 5.1.3 Disconnect Clarke and Knake (2010) provide a grand example of how a network can hide from an attack that is directed at it by disconnecting its edges from the broader network it is related too. They mention that the Government of the Peoples Republic of China has equipped all its computers, servers and routers with special software (Green Dam Youth Escort software, The Great Firewall DNS manipulator and other components) that enables the Chinese government to literally flip an application switch to disconnect all Chinese networks from the rest of the global Internet.

43

5.1.4 Putting up defenses As discussed firewalls and virus scanners form the most basic defense against intrusions and attacks in a network on a technical level. Another type of defense system is made up by the so called Intrusion Detections Systems (IDS) that have been developed to monitor the behavior of software when it runs in network environments. IDS monitor network traffic and produce reports and notifications on irregularities so that network operators can intervene when intrusions and interventions seem to take place. Human operators that are physically attacked by security organizations (interventions by arrestment teams for example, or black ops) can involve physical defenses against security teams. The amount of physical violence that participants are willing to use is at stake. Kim Dotcom Schmitz, the leader of the MegaWorld gang that was arrested in February 2012, was reported to retreat in the safety room/ panic room of his New Zealand mansion during the arrest, in company of a shotgun. In Schmitzs case the panic room did not hold and the shotgun was not used. 5.1.5 Counterattack Networks may protect themselves against security interventions by counterattacking the organizations that are targeting them. Counterattack can be directed at the edges, the machines or the human operators and the communications of the intervention teams. In short, hostile networks that are under attack can use all intervention techniques that are discussed until so far to counter attack and probably more. The internet hacktivist collective Anonymous seems to have made counterattacking of security organizations as a trademark (Norton, 2011). The collective seems to penetrate and/or disable the network devices of security organizations that aim to investigate and prosecute its organization and (assumed) connected nodes on a systematical basis. News media, websites and weblogs provide dozens of examples of how Anonymous attacks its perceived disintegrators. The website Pastebin.com functions as a press release publication service where participants of Anonymous - and 6 its clusters of technical expertise AntiSec and LulzSec - publish accounts on operations they are involved in. To get an impression of Anonymous counterattacks Table 4 provides a collection of cases that have been published in the weeks ahead of writing this paragraph.
Table 4 Selection of Anonymous counteractions in January and February 2012 # Date Related Country Spain Security Intervention Anonymous Counterattack

Feb 2012

Arrest of six Anonymous members by Spanish police

Hacking and distributed denial of service (DDoS) attack against website of Spanish police: policia.es (Mezzofiore, 2012). Hacking and publishing login credentials of the website of the Ontario Association of Chiefs of Police (OACP) (Press, 2012).

Feb 2012

Canada

Support of bill C-30, a proposed internet law that requires Service Providers, or ISPs, to track users Internet history and provide that information to police without a warrant in exceptional circumstances Arrest of LulzSec hackers by Scotland Yard

Feb 2012

US

Hacking and publishing telephone conference call between Scotland Yard and FBI (Coscarelli, 2012).

AntiSec and LulzSec, hacktivist lingo for Anti Security and Laughing at your Security (LULz = LOL = Laughing Out Loud)

44

Feb 2012

Syria

Syrian civilians uprising against Syrian government

Hacking and exposing login credentials of webmail servers of Syria's Ministry of Presidential Affairs (Gallagher, 2012). Publishing private data of Jeffrey Lawrence Bewkes, CEO of Time Warner, and his wife (Anonymous, #OpHiroshima - Dox of Time Warner CEO Jeffrey L. Bewkes, 2011; Wagenseil, 2012). AntiSec hacking and publishing 38.000 private emails of a Special Agent Supervisor of the CA Department of Justice in charge of computer crime investigations (Anonymous, #FuckFBIFriday official #antisec release text, 2011). pr0j3ct m4hy3m, hacking and publishing passwords and personal information of police officers, lawyers and union members (Anonymous, Untitled, 2011; Brook, 2012).

Jan 2012

US

Time Warner support for SOPA, a proposed internet anti-piracy bill

Jan 2012

US

No specific intervention

Jan 2012

US

Police interventions against Occupy activist in a park in Los Angeles

Distributed denial of service attacks to overload servers, hacking, stealing and publishing private information, Anonymous engages in all kinds of digital counteractions to discredit and obstruct its opponents. It is interesting that the counterattacks are not necessarily initiated in response to security interventions that are directed against Anonymous itself. Case #1 and #3 show attacks that express solidarity, signs of the rescue, of the collective with comembers that are taken in by police organizations for prosecution. Cases #2 and #5 show attacks that are designed to counter threats that the collective perceives in the making of laws that are aimed to facilitate security organizations in their struggle with cybercriminal networks. Cases #4 and #7 show cases where the counterattacks seem to be a part of resistance movements that are taking place outside cyberspace in the physical social world. Case #6 seems to rest on a general conception of the collective that security organizations exert a threat to the internet and the Anonymous collective that can be countered randomly (AntiSec); operation FuckFBIFriday being a more structural example of this conception.

5.2

Resources of Resilience

In their consideration of founding post attack regimes, Shubik and Zelinsky (Shubik & Zelinsky, 2012) describe a situation in which the resilience of a network depends on the resources it can draw on. When resources lack, resilience will drop and the network is likely to be more sensitive for security attacks and disintegration. Shubik and Zelinsky consider a situation in which a network needs stock, recovery plans and maintenance teams to be able to recover. That a network depends in case of attack on its resources for recovery seems to hold true for the other kinds of resistance too. To endure an attack a network needs to dispose over buffers that it can fall back on, power supplies, housing, money and provisions for example. To protect a network the software that protects devices has to be bought, installed and maintained. And to be able to counterattack a network needs the tools and the coordination to realize the counterattack. The investments that have to be made in resources for resilience can be considerable. All kinds of organizational teams and departments have to be involved to realize and maintain resources. Research teams, development teams, financial teams, maintenance teams, defense teams, attack teams, all depending on the scope and magnitude of resistance a network envisions for itself. In any case, to be able to resist attacks and interventions a network has to be surrounded, engaged, or embedded in all kinds of organizational structures. The key idea of this chapter is now that the these

45

organizational structures can be conceived as network structures, that is, resources can be conceptualized in terms of exchange relations between networked nodes. Or to put it differently, networks depend for the resources on the connections they maintain with other networks. The following works out this idea by considering two types of network relations that enable resources. First the hidden parts in the rhizomatic topology of a network are discussed as resources for the network. Operation Payback of internet collective Anonymous is brought in as a case to illustrate the rhizomatic character of network resources. Subsequently is considered how resources can be understood as relation not within the same, but between different types of networks. The network organization of WikiLeaks is taken as an example to illustrate how different networks provide resources to each other. 5.2.1 Rhizome topology as resource feature The rhizome concept of a network showed that parts of a network can grow in the dark or rather that parts of the topology of a network can be withdrawn from observation. Outside the realm of observation nodes and hubs can exchange and interact and as such function as hidden resources for a networks resilience. There are multiple reasons why parts of a network can be covered in the shade of a network. An obvious but nonetheless fundamental reason is that observers do not have sufficient access to the network to be able to observe the network as a whole. Exchange over encrypted streams and connections for example, or the masking of nodes in the so called TOR networks, make it hard for security organizations to determine what nodes compose the network. But even without access restrictions it can be hard to observe a network as a whole. Large scale or scale free networks with hundreds of thousand or even millions of nodes are hard to observe and lay out in graphical maps. And as security actions tend to be time restricted, the sheer practical possibility to integral mapping of a network for security interventions may be lacking. Another reason that nodes reside in the underground of a network is that nodes maybe new to the network and that its connections to the overall network are fresh and rudimentary. The nodes are in the process of connecting to the other nodes and may not even be known to the network itself. The hackers collective Anonymous provides an example here. The participants of the Anonymous network do not sign up or enter the network by some kind of recruitment or association protocol. Nodes connect themselves to the Anonymous network by simply intending or declaring themselves as nodes to the hacktivist network. Anyone can become a participant in the hacktivist collective anytime, anywhere. The only condition for nodes to gain a practical sense of connectivity to the collective seems the ability to connect to other nodes and hubs that represent and contribute to the communication of the network collective. Any world citizen with a computer device, an internet connection and a basic understanding of the operations of discussion fora, IRC chat, network browsing, and software installation can meet this condition. 5.2.2 Operation Payback This ease of connection provides a hidden pool of resources within the network for counterattack is illustrated by the historical operations of internet collective Anonymous against PayPal, Visa and Mastercard in December 2010. The occasion for Operation Payback was that whistleblower site WikiLeaks publicly published more than 250.000 classified cables from US Ministry of Foreign Affairs in In November 2010. CableGate allowed the world a public peak in the kitchen of US foreign policy and diplomacy and scandalized US organizations and practices of US foreign policy communications. As an act of retaliation WikiLeaks front man and founder Julian Assange was arrested by Scotland Yard in relation to an assumed sex rape (Vinograd & Satter, 2010). At the same time banking organizations sought to paralyze WikiLeaks by suspending financial transactions. As an act of subsequent solidarity with Assange and WikiLeaks the Anonymous network counterattacked and

46

paralyzed the websites and monetary traffic of Mastercard, PayPal and other banking organizations for days on a row.

Figure 16 Network inspired graph of Ultra Coordinated Motherfuckery. The nodes of the network are represented by cogs embedding a Guy Fawkes mask, an icon from the movie V for Vendetta, that Anonymous has taken up to represent its organization and its members. Source: @biellacoleman (2012) .

The Anonymous counterattacks were coordinated over the IRC channels, chat board site 4Chan.org and Twitter and Facebook accounts that represent Anonymous communication (Bright, 2010). An open source tool for counter attack, the Low Orbit Ion Cannon (Wikipedia, Low Orbit Ion Cannon, 2012), was offered for download over the outlets of the hacktivist network. In effect all internet users who felt attracted to Operation Payback could download the Low Orbit Ion Cannon and connect in a distributed, botnet like fashion to participate in the denial of service attacks against the banking organizations. Its not easy to identify the participants in Operation Payback but in analyzing a report from TorrentFreak.com (TorrentFreak, 2010) web community MyCE.com distills two groups of participants. A core group, made up of about a dozen members, plans and manages the organizations activities. Another, much larger group actually assists in carrying out the DDoS strikes. Most are geeks, file-sharers, and programmers. (wconeybeer, 2010) The BBC reports on five arrests of what seem to be participants of the second kind in Operation Payback: Three teenagers aged 15, 16 and 19, were arrested with two men, aged 20 and 26 [..] (BBC, 2011). The age of the arrested Anonymous participants seems to stress the novice character of the nodes involved in the counterattack: teenagers that seem to have spontaneously decided to have joined the Anonymous attacks. Although the arrested participants can hardly be thought off as hidden resources in the Anonymous network any longer, the interpretation here is that at one point they have been just that. If the sloppy Low Orbit Ion Cannon would not have displayed the IP address of the youngsters (University of Twente, 2012), the teenagers and young men could have remained in the hidden zones of the attacks and providing resources to what Siliconrepublic titles Assanges silent army (Kennedy, 2010) whenever a motivation to participate would become urgent.

47

5.2.3 Connections between networks Besides the hidden parts of a network that provide resources for a networks resilience, a network is strengthened by the connections it maintains with other networks. A network does not stand alone; its viability and self-defense depends on the connections it is able to successfully build and maintain with other networks. The example of the Anonymous counterattacks in support of WikiLeaks against Visa, Mastercard, PayPal and other banking institutions were in a way provoked by attempts to disconnect the WikiLeaks network from an important resource: the financial network that coordinates the financial relations of the distributer of the whistleblowers site. The case of WikiLeaks can be taken a bit further to illustrate the weight and the diversity of the interconnectedness of a network with other networks. Not so much that this research considers WikiLeaks a criminal organization without reservations, but because WikiLeaks is an organizations that keeps a lot of security organizations busy. WikiLeaks can be considered a networked organization that publishes submissions of private, secret, and classified media from anonymous news sources, news leaks, and whistleblowers (Wikipedia, WikiLeaks, 2012). The motivation of the organization lies in the defense of freedom of speech and media publishing, the improvement of our common historical record and the support of the rights of all people to create new history (Wikileaks, About, 2012). Its main publishing media is the website WikiLeaks.org. Next to the publication of the US cables WikiLeaks has published i.e. classified documents related to the war in Afghanistan and the situation of the detainees in Guantnamo Bay detention camp. In February 2012 WikiLeaks has been publishing emails from the intelligence firm Stratfor that were retrieved from Stratfors email boxes by hacking flanks of Anonymous. 5.2.4 The Networks of WikiLeaks Several interconnected networks can be detected in and around the organization of WikiLeaks. The networks do not stop for physical and organizational borders; they enclose nodes from countries and organizations worldwide. First, due to its core business, disclosing classified information, WikiLeaks is part of an information providing network that generates high exposure for a worldwide audience. This journalistic publication network roughly consists out of the whistleblowers that submit classified data, the editors that check and prepare the data and journalists from other news media that cooperate with WikiLeaks for analysis and publication in other media than the WikiLeaks website. The publication of the US cables for example was prepared as a joint publication of WikiLeaks with the newspapers El Pas (Spain), Le Monde (France), Der Spiegel (Germany), The Guardian (UK) and The New York Times (US). The newspapers all started publishing part of the materials at the same time (Wikipedia, WikiLeaks, 2012). Next, behind front man Assange, the organization is in the background run by volunteers. Stefan Mey reports that about 800 volunteers are active at the beginning of 2010 (Mey, 2010). At the time of writing this chapter WikiLeaks is still looking for volunteers. The website has published a Call to Arms. We need people of all colours, creeds and stripes. We need people from all over the world. We need people with local knowledge for every locality. We need speakers of all tongues, jacks of all trades, friends and supporters, writers and readers, creators and critics, artists and coders, builders and teachers, architects and preachers, financiers and promoters, lawyers and advocates, journalists and editors, thinkers and activists, coordinators and leaders, the proud and the humble, dreamers and pragmatists, online and offline. We need citizens who are prepared to act as citizens of the world. (Wikileaks, Portal:Volunteers, 2012) The Call to Arms makes clear that the volunteer network embraces volunteers of all kinds of functions and expertise, or at least, that they are welcome. A position of volunteer at WikiLeaks is not without risk though. Security organizations have been reported to target the volunteer network. The emails of volunteer Jacob Appelbaum for example were taken in for research by the US government (Angwin,

48

2011). Appelbaum is a programmer that is working for the TOR-project that was already mentioned. He is reported to have developed tools that facilitate the anonymous posting of classified data to WikiLeaks. No data have been found that can illustrate if the volunteer network has been growing since 2010. Next to its publication and volunteer network the financial network that was already mentioned makes up for resources of WikiLeaks. Some banking institutions are still blocking money transactions to WikiLeaks. According to the WikiLeaks website the blockade has damaged 95% of its income, costing the organization tens of millions of dollars in lost revenue (Wikileaks, Donate, 2012). The website mentions alternative institutions that citizens that keep the WikiLeaks cause dear can use for making a donation. The dispute with PayPal seems resolved; PayPal is on the top of the list of money brokers again. The donation network of WikiLeaks seems to span a worldwide network. Anybody can join. Additional data like the quantity of donations, the amount of donations or frequency tables that show the distribution of donators over regions have not been found. One account of a motivated donator was found though. Hustlers Larry Flint motivates his 50.000 dollar donation to WikiLeaks. What's wrong, according to Flint reflecting from his U.S. seat on the WikiLeaks publication on Afghanistan, is that a concerned outsider -- an Australian publisher, not our own vaunted mainstream press -- exposed the secret documents. (Flint, 2010) A network that can finally be detected as constituent to WikiLeaks is the technical network that makes up for its website and digital communications. The computer network that hosts the data and the website of WikiLeaks consists of a network that according to a Mastercard video commercial by WikiLeaks spreads over 40 countries (Wikileaks, What Does it Cost to Change the World?, 2012) and that has its main operational center in an underground nuclear bunker in Sweden (Greenberg, 2010; Time, 2012). Next to its own facilities WikiLeaks makes use of public services like BitTorrent and file hosting services like MegaUpload.com to offer its data as an assurance against destruction of its own network. WikiLeaks did not arrive overnight at this advanced network topology overnight (Satter & Svensson, 2012). During the time of the publications of the U.S. cables unknown organizations tried to take out the WikiLeaks servers by attacking them over denial of service attacks. By changing providers and Domain Name Servers and relocating its servers with help of for example Swedish political Pirate Party - it could withstand the attacks and find new solutions for its technical underpinnings until it reached the distributed network topology it has nowadays. 5.2.5 A model for interconnected networks The development of WikiLeaks and the interactions of the networks that are involved can of course be elaborated more empirically. The aim of the case exploration here is rather to gather an impression of how a networked organization that is subject to disintegration attempts is involved and constituted by interactions and exchange between different types of networks resource networks. Or, to invoke the formulation at the beginning of this paragraph: to convey an impression how networks provide resources for each other and how they contribute to each others resilience. In respect to WikiLeaks the impression of the origins of its resilience can be formulated as follows. A network organization that provides a specific publication service draws attention of media, governments, individuals with access to classified information, security organizations, and a global audience of non-descript internet users. As an effect the network organization grows out to a supernode overnight. News media and individuals with access to classified information connect to the supernode immediately and expand a publication network for the supply, analysis and preparation of new information services. Meanwhile, security organizations start attacking the super node by arresting its front man and attacking its server park. Financial hubs try to disintegrate the financial network of the supernode by revoking their intermediary roles between the non-descript audience and the super node.

49

The interventions seem to affect the supernode just slightly, or - because the real damage cannot be assessed here - the security and banking interventions at least do not disintegrate the networked organization. In effect the network of volunteers expands its activities to counter disintegration attacks. New type of connections for contributing in the financial network are constituted and promoted. And a new architecture for the hosting of the server park is deployed. In the middle of all this the publication network prepares new publications that render the supernode in the thick of things again. The case of WikiLeaks illustrates how networks that are structured around different types of exchange (publications, money, webhosting, et al) interact with each other and over that interaction constitute the full scope of the network. Figure 17 presents a loose attempt to graphically express the interconnectedness of the different type of networks that were analyzed to constitute the WikiLeaks supernode. The perspective of the graph is that of an eye of a bird that hovers over a layered network landscape. Four types of networks populate the landscape (black grids), that of the publications, the volunteers, finance and server devices. The nodes of the different networks interact within their own network and with nodes in other networks (over red dotted lines).

Figure 17 Interconnectedness between different types of networks

5.3

Concluding remarks: towards a multilayered re-conception of networks

The theoretical perception of a networks resilience as a function of the interconnectedness of different networks has consequences for both network theory and research. On a theoretical level the most important consequence seems to be that a network can only be understood as a well-defined and bordered entity up to a certain level. A networks topology can be mapped and described as a specific set of nodes that are connected over a certain type of exchange, a computer network for example that is connected over bitstream traffic. This network can be extremely large or even scale free. The origins of resilience make clear that a networks complexity even stretches beyond its scale and that the networks that provide resources to the network should be treated as inherent parts of the network. To recall the WikiLeaks example, different types of networks have been considered to support each other, and how can now be determined which of the networks does stand out for the actual network of WikiLeaks? Is it the publication network that cannot operate without the underlying technical infrastructure? Or is it the infrastructure that will be quite meaningless if the publications network does

50

not use it services? Is it the volunteers network maybe that wouldnt be needed if there were no publications, infrastructure and finance? The proposition of this thesis is to consider all involved networks as the network and to perceive the different socio-technological subnets as different layers that make up for that network. A multi-layered approach in which networks are represented as kind of ecological entity in which different networks grow on top of each other and feed each other seems to provide a theoretical framework that can be elaborated to systemize this network conception. This masterthesis is not to place to take up this effort, but some concluding remarks can be made in relation to the manner in which networks are treated up till here. One of the consequences of this multilayered re-conception of a network is that for effectively fighting cybercrime an understanding of networks is needed that extends beyond the digital realm of the internet. The digital layers of the criminal network, the topology of the technological infrastructure for example, can be considered the analytical entrance to a cybercriminal network. From there different layers of the network can be detected and researched from which the infrastructure is organized and maintained in a broad sense of the word. Who are the people that contribute to the network? In what way? Questions like this that bring the people behind the infrastructure in focus have already been addressed in the cases and interpretations in the previous sections of this report, but not in a network systematical way. In what networks do the people behind the infrastructure participate, should the question about the people behind the infrastructure be? And how do these networks contribute to the infrastructure, and - vice versa - how does the infrastructure contribute and extend these networks? What relations and exchange do exist between the different layers that make up the network? From the reconceptualization of cybercriminal networks as multilayered complexities it can be questioned if Barabsis 15% rule and the Girvan Newman model refers to an adequate network reality. The strategic models make use of metrics that are derived from a network topology that is perceived to occur in one of the layers of the network. The nodes and edges derive their structural position (degree, betweenness) from their relation to other nodes and edges in this specific layer. The calculations of these positions do not take in account however the dynamic interference that the nodes of other layers can have on the nodes and edges of the network in the targeted layer. Hence the variable effects that these interferences have on the structural positions of the individual nodes and edges are not taken into account. Two ways have actually come forward in which metric calculations are undermined by the dynamics of network reality. First, in the case of a rhizome network only parts of a specific layer are known and involved in the calculation. Accordingly, the metrics do not take into account the full topology of the network and hence they misrepresent the structural position of the nodes and edges that are known. Second, if nodes retrieve resilience from exchange from different layers in the network, the nodes gain qualities that are not well represented in the initial topology and the metrics that are used to express it. Hostile nodes can gain strength or be replaced during an intervention; and these dynamic features are not adequately taken in by the strategic models. The question comes up if the theoretical proposition that strategic models contribute to network disintegration make sense at all when networks are considered to be multidimensional entities that contain different network layers? The answer seems to be positive as long as the networks topology meets very specific conditions. First, the specific network layer that is targeted (say, a networks technical infrastructure) should be fully perceived. This means that all hidden zones should be discovered and all nodes and edges are included in the metrical description of a networks structure, so that all relevant hubs and bridges can be identified. Second, a network metrical intervention against one layer will only succeed as long as the interconnected layers are not activated to resist the

51

intervention. As soon as interconnected layers start counterattacking, defending, restoring or disconnecting hubs and clusters from the network the progression of the intervention becomes uncontrolled and ambivalent in a way that the network metrics that are conceived in the strategic models are not adequate to take them into account to adjust the intervention. From that point on an intervention as Stuxnet has shown will not have to become without effect. Depending on its architecture, its complexity, its visibility and additional factors the intervention can still sort effect in damaging and disintegrating parts of the network. But, as was the object of this masterthesis, the chances that an intervention will succeed in a full disintegration are likely to reduce to a minimum.

52

Conclusions and Discussion

6.1

The Effort

The effort of this masterthesis has been to find out if security interventions against cybercriminal networks can be understood as strategic interventions that are guided by algorithmic prescriptions on how networks can be effectively disintegrated. To research this problem two strategic disintegration models were introduced, that were subsequently confronted with reports on real life interventions of security organizations. The strategic models that were used are Barabsis 5-15% rule and the Girvan Newman method. Both methods have a specific approach to network disintegration. Barabsis 5-15% rule is based on the idea that digital networks are composed of a lot of small nodes and a few large nodes that are called hubs. Hubs are considered the pillars of the network, and a Barabsian disintegration strategy aims at taking out the hubs. By deleting a sufficient amount of pillars the network as a whole will stop functioning and disintegrate in isolated nodes. According to the method it is sufficient to take 5 to 15% of the hubs out of a network to stimulate full network disintegration. A condition is that the hubs should be taken out simultaneously. The Girvan Newman method considers clusters the basic entity of a network. Clusters are sets of nodes that are well connected. They maintain connections to other clusters over so called bridges. The Girvan Newman method focuses on these bridges for network disintegration. With the use of network metrics the method calculates what bridges connect the largest amount of clusters and hence considers these bridges relevant targets for network disintegration. The Girvan Newman method has a repetitive element to it. After deleting a bridge, new calculations are performed to re-discover what bridge connects the most clusters in the remains of the network. By deleting the bridges in a loop of deleting and establishing the importance of the remaining bridges a network can be fully disintegrated. The two methods differ in their approach in their focus of disintegration strategies (hubs versus bridges). Another difference is that Barabsis 5-15% method prescribes that the targets of a disintegration operation should be attacked at the same time, while the timespan in the Girvan Newman method seems less restricted in the sense that intervention operations can take time to recalculate new positions of bridges before attacks continue. The Barabsian method though is not clear on what is meant with at the same time. Does it mean that an attack should always take place in a parallel modus or is some kind of serial intervention (like the Girvan Newman method) allowed?

Intervention

Network disintegration

Theoretical construct 4 Basic Proposition

The theoretical construct that strategic modeled interventions cause network disintegration is the basic theoretical proposition on which this research reflects.

6.2

Case recapitulation

The cases that are collected to confront the strategic models are ordered over 3 categories. The Barabsian model specifies that attacks can be directed to the hubs of a network. Hubs are operationalized as the technical devices in a network and the operators that run the devices to which attacks can be directed. The Girvan Newman model specifies that attacks can be directed towards the bridges of a network, which are operationalized as the bitstream exchange between technical devices and clusters of devices. The reflection over the cases makes clear that the non-technical connections and exchange between the human operators of a criminal network form a forth domain where security

53

organizations can direct their attacks. This can be considered the domain of interventions against the communication between human actors that participate in criminal networks (Psy Ops is a term that is introduced for this domain). The case that actually resembles intervention in accordance with the strategical models most is the case of WikiLeaks. When WikiLeaks started publishing the CableGate files, unknown (security) organizations started attacking the WikiLeaks servers with Distributed Denial of Service attacks. The WikiLeaks servers were floated with fake service request and the network servers performance dropped to a level that the network was relocated and redesigned to restore services. The case of WikiLeaks was not brought in to investigate the basic theoretical proposition, but as a case to reflect on possible causes of the lack of support for the proposition. The cases that were brought in in the first round do rather not convincingly support the impression that interventions of security operations take place according to the strategic models. The cases used for illustrating interventions against connections (anti-viruses, firewalls) between nodes did not turn out to be very well chosen because they point to defensive rather than intervention techniques. The case of Chinese powers that distribute trapped routers over hostile networks point to the strategic importance of the ability to control network connections. But the strategy to intervene the targeted networks does not match controlled strategic logic. It is rather market based and incorporates elements of ambivalence. Cases that deal with interventions against technical devices have been split in cases in which human agents operate against devices and cases in which software modules operate against devices. Human interventions that attack networks in a systematic fashion that resembles the strategic models have not been provided. Automated attacks against hubs seem somewhat to resemble the 5-15% rule. The case of Stuxnet, in which a well-designed worm was targeted against Iranian nuclear enrichment plants, and an aggressive, counterattacking anti-virus-like cyberweapon that was commissioned by Japans Ministry of Defense somewhat reflect the 5-15% rule. The two cyberweapons target important hubs of cybercriminal network in a way that structurally harms the hostile network they are embedded in. The success of the intervention in terms of full disintegration can be doubted though. Japans cyberweapon does not provide sufficient data on the results of its functioning. And although the effects of Stuxnet are surrounded with secrecy, it seems fair to say it was not able to fully disintegrate its assumed targets; Irans nuclear enrichment plants are still operational. Successful disintegrations have been reported on the interventions against operators of MegaUpload and the Esthost botnet. The arrest and prosecution of the high quality content provider MegaUpload seems to have spread a retreat of comparable services on the World Wide Web. This retreat seems not to be inspired by interventions directly against the machines and operators of comparable services; fear of prosecution seems to have scared off other content providers at least temporarily in offering their illegal download services. As such the publicity on the MegaUpload bust seems to have had an indirect disintegration effect on other nodes in the network of illegal content providing, not interventions themselves. The Esthost botnet was successfully rolled up, but elements of the strategic models can only be recognized superficial in this success. The network of the Esthost botnet consisted out of millions of nodes, but technically and operational the network was organized as a star network. A small group of operators ran a command and control center that was central to all other nodes that made up for the network. As the 5-15% rule deals with distributed networks and not so much star networks, the Esthost case is not a very convincing case for the presence of algorithmic network disintegration either.

6.3

Resilience

Interventions against criminal networks in general do not seem to take place over algorithmic patterns that are derived from mathematical calculations that describe the structure of the network. On theoretical level the absence of positive traces of the logic of the strategical models is argued to reside in the relatively static design of the models. They do not take into account that networks are living things that are able to resist and defend themselves against attacks they are confronted with. The

54

case of WikiLeaks illustrates that DDoS interventions were successful until technical teams started relocating the machinery and redesigning the network in a way that the receptiveness of the whistleblower network to DDoS-attacks was overcome. The notion of resilience is used to discuss a networks ability to resist and defend. A networks resilience in response to interventions can take many manifestations. Network can endure an attack. And where damage occurs, recovery can take place; during the attack (like the replacement of centrifuges in Irans nuclear enrichment plants) or after the attack. Networks under attack can also go in hiding; humans can retrieve from their operational field, technical networks can disconnect from the broader networks they are connected to. Networks can put up defenses and shield themselves against attacks; the case of WikiLeaks server network showed that networks can be redesigned and restructured as a means of defense to attacks. And finally networks can just fight back the networks that attack them.

Interventions

Network disintegration

Resilience

Theoretical construct 5 The role of resilience

Theoretical construct 5 enhances the basic proposition by taking in the role of resilience. Network resilience interacts with the relation between interventions and disintegration. Resilience can be thought of as an inverter, the more resilience occurs the less likely it is that interventions will succeed in disintegration.

6.4

Resource networks

The adjustment of the basic proposition that this research involves is the idea that the ability of a network to resist attacks depends on the resources it has access too. Resources can take many manifestations (hardware, software, plans, activity, moral support, money) but they all must come from somewhere. The providers of resources are considered to be other networks that are somehow related to a network under attack. As a consequence resources to resist interventions depend on the relations of the network with other networks in a networks environment. First, the ability of a network to provide its own resources over its rhizome features is considered. The rhizome property of networks refers to the circumstance that not all nodes of network are full grown yet and are not active in the network as regular nodes are. When rhizome nodes become active as regular nodes though, they provide new or unsuspected resources in the network. Second, resources are provided to a network over exchange with networks that are of a different type but that are nonetheless related. The server network of WikiLeaks was analyzed to be surrounded by a financial, a volunteers and a publication network that provide the server network resources that contribute to its resilience and survival. As such the server network can be considered to have different resource networks. An additional thought is that it is not clear in advance which network provides resources to which. In case of WikiLeaks technical volunteer networks provided resources to the server network by relocating and redesigning the network. But when the network of financial support was attacked by banking organizations in blocking transactions the server structure provided resources for communicating and directing financial transactions to channels that were not blocked.

55

Consequently an attempt has been undertaken to reformulate the different types of networks that interact and provide each other resources as different layers of the same network. A criminal network can then be analyzed on different levels of organization, and corresponding intervention strategies can then be developed for the different levels.

Interventions

Network disintegration

Resilience

Resource networks
Theoretical construct 6 Resource networks

Theoretical construct 6 enhances the theoretical proposition by adding resource networks as the source of resilience. For the strategic models the consequence of the activation of resource networks is that it brings a dynamic to interventions that it cannot handle adequately. The strategic models are primarily attributed to disintegrate a network that has fixed properties. The 5 to 15% rule needs to be able to take out 5 to 15% of the hubs in network. When nodes or hubs are added in the process of deletion (as is possible in rhizome network layers) the math does add up, as a matter of speaking. The same is true when hubs are switched of, restored when they are deleted, or reconnected when the bridges are taken out. From a resource network perspective the strategic intervention models do not take in account the layered properties of the networks they target. The strategic models are only in a minimal sense effective for network disintegration because they are guided by a static network approach, where real networks interventions ask for a dynamic approach that takes in account the resource exchanges between the different network layers that make up for the network as a whole.

6.5

Conditions of Resilience

A consideration on network resilience that can be explored a bit further is that although onedimensional strategic approaches do not seem to be able to fully disintegrate a network, they do not seem to be without effect overall. Stuxnet did not resolve Irans nuclear enrichment plants, but seem to have caused the Iranian nuclear enterprise a lot of centrifuges and from there most likely a lot of worries. And DDoS-attacks seem to cause a hassle wherever they occur; at least they forced WikiLeaks to redesign and restructure their server network. Viruses, worms and Trojans in general do spread and perform malicious effects as long as interconnected networks do not react and provide resources for protection, recovery, and - in case of Japans cyberweapon - blunt counterattack.

56

Resistance is not instantly deployed. The provision of resources to revitalize networks is a dynamic affair where time sequences seem to play a role. Things happen one after the other and resource links need to be activated to come to effect. This dynamic of intervention, detection and countermeasure creates opportunity for one-dimensional strategic models to sort effect in the specific network dimension it is targeting. This opportunity now, the scale of the effect of a one dimensional intervention, is assessed to be limited due to the interconnection of different network dimensions for resource provision. But at the same time there cannot be a final certainty that resource provision will actually take place when a network is under attack. To provide a hypothetical example: a worm can penetrate all crucial nodes of a server network when it is not detected by protective devices. And from this penetration at a certain point in time this worm can disable all nodes in parallel modus and hence disintegrate the network. At the same time the maintenance department can be out of stock. And the financial department can be short of funds to purchase new machines to replace to deleted ones. As a consequence a one-dimensional attack can sort out a full disintegration under the circumstances that the resources to prevent it are lacking. Although an hypothetical example is used, the point here is to illustrate that if a network attack of the one-dimensional, strategic modeled kind aimed at disintegration of the network will succeed or not does in the end depend on the conditions of the exchange connections on which the network depends for its resilience. The rule at stake can be formulated as follows: networks that are under attack will invoke resources over the links to the different layers of the network to resist and recover from that attack. If the conditions of these links of resource provision turn out to be inadequate, resistance and recovery will not take place and the chance that the attack will succeed will increase. To put it simple: network resilience depends on the conditions of the links to it resources.

Interventions

Network disintegration

Resilience

Conditions

Resource networks

Theoretical construct 7 Conditioning of resilience

The adaption of the theoretical construct shows that the amount and the quality of resilience is a function of the conditions that interact with the exchange between an attacked network and its resource layers.

57

6.6

Intervention Framework

This masterthesis started as a theoretical exploration of the possibilities of metric network disintegration. After theoretical elaboration, case analysis and reflection on the subject matter it finally brings forth a theoretical framework concerning the nature of network interventions. The framework contains an extended explanation why the smooth logic of algorithmic intervention does only sort effect under specific conditions.

1 Interventions 2 5 Resilience Network disintegration

Conditions 4

Resource networks

Theoretical construct 8 Intervention Framework

Security organizations use strategic models to disintegrate a cybercriminal network; A networks resilience interacts with and resists disintegration attempts; Interconnected resource networks provide resilience to a network; The actual delivery and enablement of resilience depends on the condition of the links that provide resilience; 5. To increase the success of attempts to network disintegration, interventions can aim to affect the conditions of resource exchange. As a consequence the fifth relation is added to suggest that the design for intervention should not only be directed against the network it aims to resolve, but also against the conditions that enable the provision of resilience by the interconnected resource networks. An opening question of this research was if network theory can play a front stage role in the intervention of cybercriminal networks. The research has made clear that the strength of network analysis lies in the ability to describe the topology of a network and analyze the structural position of nodes and edges. With that, network analysis takes position in the background to provide support to real life interventions. Methods that analyze the interconnections of different network layers (networks and resource networks) could be elaborated in this respect. The exception, where network analysis seems to be able to engage more directly in network interventions, is the realm of cyberweapons that perform automated interventions against cybercriminal networks. How network analysis can be incorporated in the design of (counter)attacking viruses, worms, and other software modules is a promising area for future research.

1. 2. 3. 4.

58

Bibliography

@biellacoleman. (2012, February 7). ultra-coordinated motherfuckery. Retrieved from Ouroboros: http://www.rennygleeson.com/2011/02/07/hacker-collectives/ultramotherfuckery-2/ Abbate, J. (1999). Inventing the Internet. Cambridge (MA): The MIT Press. Algemene Inlichtingen- en Veiligheidsdienst. (2012, May 27). Ondertekening intentieverklaring aanpak spionage. Retrieved from Algemene Inlichtingen- en Veiligheidsdienst: https://www.aivd.nl/onderwerpen-0/spionage-0/@2641/intentieverklaring/ Angwin, J. (2011, October 9). Secret Orders Target Email. WikiLeaks Backer's Information Sought. Retrieved from Wall Street Journal: http://online.wsj.com/article/SB10001424052970203476804576613284007315072.html Anonymous. (2011, November 18). #FuckFBIFriday official #antisec release text. Retrieved from Pastebin.com: http://pastebin.com/NwN8ehFW Anonymous. (2011, December 31). #OpHiroshima - Dox of Time Warner CEO Jeffrey L. Bewkes. Retrieved from Pastebin.com: http://pastebin.com/8PyB2RWx Anonymous. (2011, December 31). Untitled. Retrieved from Pastebin.com: http://pastebin.com/MSaBvt9R Armerding, T. (2012, March 13). Ukraine seen as a growing 'haven for hackers'. Retrieved from Computerworld: http://www.computerworld.com/s/article/9225140/Ukraine_seen_as_a_growing_39_haven_for _hackers_39_ Arquilla, J., & Ronfeldt, D. (2001). The Advent of Netwar (revisited). In J. Arquilla, & D. Ronfeldt, Networks and Netwars: The Future of Terror, Crime and Militancy (pp. 1-23). Santa Monica: RAND. Baltazar, J., Costoya, J., & Flores, R. (2009, October 1). The Heart of KOOBFACE, C&C and Social Network Propagation. Retrieved from TrendMicro: http://www.trendmicro.com/cloudcontent/us/pdfs/security-intelligence/white-papers/wp_the-heart-of-koobface.pdf Barabsi, A.-L. (2003). Linked. London: Penguin Group. Baran, P. (1964). On Distributed Communication. Santa Monica: RAND. BBC. (2011, January 27). Five arrested over 'Anonymous' web attacks. Retrieved from BBC: http://www.bbc.com/news/technology-12299137 Beham, H. S. Hercules slaying the Hydra. Herakles ttet die Hydra. Staatliche Kunstsammlungen Dresden, Dresden. Biddle, S. (2012, January 9). Feds Kill Megaupload (Updated). Retrieved from Gizmodo: http://gizmodo.com/5877612/feds-kill-megaupload Boogaard, F. (2012, March 27). Kroes wil centrum tegen computercriminaliteit. Het Parool. Bright, P. (2010, December 7). 4chan rushes to WikiLeaks' defense, forces Swiss banking site offline. Retrieved from Ars Technica: http://arstechnica.com/tech-policy/news/2010/12/4chan-rushesto-wikileaks-defense-forces-swiss-banking-site-offline.ars Brook, C. (2012, January 3). Anonymous Leaks Info Following California Police Union Website Hack. Retrieved from Treat Post: http://threatpost.com/en_us/blogs/anonymous-leaks-info-followingcalifornia-police-union-website-hack-010312 Cares, J. (2005). Distributed Network Operations. The Foundations of Network Centric Warfare. Lincoln: iUniverse. Clarke, R., & Knake, R. (2010). Cyber War. The Next Threat to National Security and What to Do About It. Harper Coliins e-books. Clough, J. (2010). Principles of Cybercrime. Cambridge: Cambridge University Press.

59

Contractor, N., Monge, P., & Leonardi, P. (2011). Multidimensional Networks and the Dynamics of Sociomateriality: Bringing Technology Inside the Network. International Journal of Communication, 682720. Coscarelli, J. (2012, February 3). Anonymous Hacked FBI Call About Hackers to Prove They Can. Retrieved from New York Magazine: http://nymag.com/daily/intel/2012/02/anonymous-hackedfbi-call-to-prove-they-can.html Danchev, D. (2012, January 9). Who's Behind the Koobface Botnet? - An OSINT Analysis. Retrieved from Dancho Danchev's Blog - Mind Streams of Information Security Knowledge: http://ddanchev.blogspot.com/2012/01/whos-behind-koobface-botnet-osint.html Dcary-Htu, D., Morselli, C., & Leman-Langlois, S. (2011). Welcome to the Scene: A Study of Social Organization and Recognition among Warez Hackers. Journal of Research in Crime and Delinquency, online edition. Dijk, A. v. (2008). De lokale en de nodale orintatie. In H. Boutellier, & R. v. Steden, Veiligheid en burgerschap in een netwerksamenleving (pp. 175-198). Den Haag: Boom Juridische Uitgevers. Dommel, H.-P. (2006). Routers and Switches. In H. Bidgoli, Handbook of Information Security, Key Concepts, Infrastructure, Standards, and Protocols, Volume 1 (pp. 350-363). Hoboken, New Jersey: John Wiley & Sons. Drmer, J., & Kollberg, D. (2012, January 7). The Koobface malware gang - exposed! Retrieved from Naked Security: http://nakedsecurity.sophos.com/koobface/ Easley, D., & Kleinberg, J. (2010). Networks, Crowds and Markets. reasoning about a Highly Connected World. New York: Cambridge University Press. Emmerson, R. (2012, March 11). Combat cybercrime before it's too late. Retrieved from News.au.com: http://www.news.com.au/business/combat-cybercrime-before-its-too-late/storye6frfm1i-1226296778017 FBI. (2011, November 9). International Cyber Ring That Infected Millions of Computers Dismantled. Retrieved from FBI: http://www.fbi.gov/news/stories/2011/november/malware_110911/malware_110911 Finkle, J. (2009, June 29). Cybercrime spreads on Facebook. Retrieved from Reuters: http://www.reuters.com/article/2009/06/29/us-facebook-security-analysisidUSTRE55S55820090629 Flint, L. (2010, December 17). Why I Am Donating $50,000 to WikiLeaks' Defense Fund . Retrieved from Huffington Post: http://www.huffingtonpost.com/larry-flynt/why-i-am-donating-50000t_b_798159.html Franko Aas, K. (2007). Globalization & Crime. London: Sage. Fujitsu. (2012, May 28). What is WisReed? Retrieved from Fujitsu.com: http://www.fujitsu.com/global/services/solutions/sensor-network/about/ Gallagher, S. (2012, February 8). Anonymous exposes e-mails of Syrian presidential aides. Retrieved from Ars Technica: http://arstechnica.com/tech-policy/2012/02/anonymous-hackers-exposeemails-of-syrian-presidential-aides/ Ge, G. (2012, May 28). Welcome to guozheng's Homepage. Retrieved from Welcome to guozheng's Homepage: http://users.soe.ucsc.edu/~guozheng/research.htm Giddens, A. (1984). The Constitution of Society. Cambridge: Polity Press. Goldman, J. (2006). Firewall Basics. In H. Bidgoli, Handbook of Information Security, Threats, Vulnerabilities, Prevention, Detection, and Management, Volume 3 (pp. 502-513). Hoboken, New Jersey: John Wiley & Sons. Greenberg, A. (2010, August 30). Wikileaks Servers Move To Underground Nuclear Bunker. Retrieved from Forbes: http://www.forbes.com/sites/andygreenberg/2010/08/30/wikileaks-servers-moveto-underground-nuclear-bunker/?boxes=businesschanneltopstories

60

Groenewegen, P. (2008). Falen van Organisaties. Een sociale netwerkbenadering. Amsterdam: Vrije Universiteit. Grow, B. (2008, October 2). The Threat Posed by Fake Cisco Parts. Retrieved from Bloomberg Businessweek: http://www.businessweek.com/magazine/content/08_41/b4103038201037.htm Haaretz. (2011, January 11). Mysterious deaths and blasts linked to Iran's nuclear program. Retrieved from Haaretz: http://www.haaretz.com/news/middle-east/timeline-mysterious-deaths-andblasts-linked-to-iran-s-nuclear-program-1.406704 Hacquebord, F. (2011, November 9). Esthost Taken Down Biggest Cybercriminal Takedown in History. Retrieved from TrendMicro: http://blog.trendmicro.com/esthost-taken-down-biggestcybercriminal-takedown-in-history/ Haggerty, K., & Ericson, R. (2000). The surveillant assemblage. British Journal of Sociology No. 51 Issue No. 4, pp. 605622. Hansen, D., Shneiderman, B., & Smith, M. (2010). Analyzing Social Media Networks with NodeXL, Insights from a Connected World. Burlington: Morgan Kaufman Publishers. Henry, A. (2012, Januar 19). Five Great Alternatives to MegaUpload. Retrieved from Lifehacker: http://lifehacker.com/5877694/five-great-alternatives-to-megaupload Horn, L. (2012, March 28). iPhone Password Hacking is Easy (With the Right Software). Retrieved from PCMag.com: http://www.pcmag.com/article2/0,2817,2402256,00.asp Hvistendahl, M. (2010, March 3). China's Hacker Army. Retrieved from Foreign Policy: http://www.foreignpolicy.com/articles/2010/03/03/china_s_hacker_army IIPVV. (2012, June 2). Research Topics in the National Cyber Security Research Agenda 'Trust and Security for our Digital Life'. Retrieved from ICT-Innovatieplatform (IIP) Security & Privacy "Veilig Verbonden": http://ictregie.nl/iipvv/downloads/12i-NROI033%20NCSRA_excerpt_for_matchmaking.pdf Kennedy, J. (2010, December 15). Hackers arrested over Operation Payback DDOS attacks. Retrieved from Siliconrepublic: http://www.siliconrepublic.com/strategy/item/19647-hackersarrested-over-oper Kott, A. (2007). Information Warfare and Organizational Decision-Making. Boston: Artech House. Kravets, D. (2012, February 17). Feds Seize $50 Million in Megaupload Assets, Lodge New Charges. Retrieved from Wired: http://www.wired.com/threatlevel/2012/02/megaupload-supersedingindictment/ Kshetri, N. (2010). The Global Cybercrime Industry. Berlin, Heidelberg: Springer. Levy, S. (2010). Hackers. Heroes of the Computer Revolution. Sebastopol: OReilly Media. Ma, J., Teng, G., Chang, S., Zhang, X., & Xiao, K. (2011). Social Network Analysis Based on Authorship Identification for Cybercrime Investigation. Lecture Notes in Computer Science, 2735. McGloin, J., & Kirk, D. (2010). An Overview of Social Network Analysis. Journal of Criminal Justice Education, 169-181. Mey, S. (2010, January 1). Leak-o-nomy: The Economy of Wikileaks. Retrieved from Medienkonomie-Blog: http://webcache.googleusercontent.com/search?q=cache:Z3VfjqO8IswJ:stefanmey.com/2010/01/04/leak-o-nomy-the-economy-of-wikileaks/+&cd=1&hl=en&ct=clnk Mezzofiore, G. (2012, February 24). Anonymous Hits Back at Spain Police for Hacktivists' Arrests. Retrieved from International Business Times: http://www.ibtimes.co.uk/articles/303994/20120224/anonymous-spain-hacktivists-arrestednational-police-oppolicia.htm Ministerie van Veiligheid en Justitie. (2011, 2 22). De Nationale Cyber Security Strategie (NCSS) Slagkracht door samenwerking. Retrieved from Rijksoverheid: http://www.rijksoverheid.nl/documenten-en-publicaties/rapporten/2011/02/22/nationale-cybersecurity-strategie-slagkracht-door-samenwerking.html

61

Miniwatts Marketing Group. (2011, December 31). World Internet Usage Statistics News and World Population Stats. Retrieved from Internet World Stats: http://www.internetworldstats.com/stats.htm Moselli, C. (2010). Inside Criminal Networks. New York: Springer. Nazari, A. (2012, April 6). Credit Card Breach: It Can Happen to Anyone, Do You Know What to Do? Retrieved from Huffington Post: http://www.huffingtonpost.com/adrian-nazari/credit-cardbreach-it-can_b_1406901.html Nielsen, S. (2012, January 29). Privacy and technology: Where Google and Facebook go, our constitutional rights follow. Retrieved from OregonLive.com: http://www.oregonlive.com/news/oregonian/susan_nielsen/index.ssf/2012/01/privacy_and_tec hnology_where_g.html Norton, Q. (2011, November 8). Anonymous 101: Introduction to the Lulz. Retrieved from Wired: http://www.wired.com/threatlevel/2011/11/anonymous-101/all/1 Poulsen, K. (2011). Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground. New York: Crown Publishers. Press, J. (2012, February 21). Current laws not focused enough to combat child porn online: RCMP. Retrieved from National Post: http://news.nationalpost.com/2012/02/21/current-laws-notfocused-enough-to-combat-child-porn-online-rcmp/ Ratcliffe, J. (2003, April). Intelligence-led Policing. Trends and issues in crime and criminal justice. Richmond, R. (2012, January 16). Web Gang Operating in the Open. Retrieved from The New York Times: http://www.nytimes.com/2012/01/17/technology/koobface-gang-that-used-facebook-tospread-worm-operates-in-the-open.html?_r=2&mid=57&ref=technology&pagewanted=all Rijksoverheid. (2012, January 12). Nationaal Cyber Security Centrum geopend. Retrieved from Rijksoverheid.nl: http://www.rijksoverheid.nl/nieuws/2012/01/12/nationaal-cyber-securitycentrum-geopend.html Sanger, D. (2012, June 1). Obama Order Sped Up Wave of Cyberattacks Against Iran. Retrieved from New York Times: http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-waveof-cyberattacks-against-iran.html?_r=1 Satter, R. G., & Svensson, P. (2012, May 28). WikiLeaks fights to stay online amid attacks. Retrieved from Internet Archive Wayback Machine: http://web.archive.org/web/20101204043730/http://www.businessweek.com/ap/financialnews/ D9JSHKUG0.htm Schmid, M. (2006). Antivirus Technology. In H. Bidgoli, Handbook of Information Security, Threats, Vulnerabilities, Prevention, Detection, and Management, Volume 3 (pp. 450-458). Hoboken, New Jersey: John Wiley & Sons. Seawright, J., & Gerring, J. (2008). Case Selection Techniques in Case Study Research: A Menu of Qualitative and Quantitative Options. Political Research Quarterly, 294-308. SecPoint. (2012, May 28). What is a White Hat? Retrieved from SecPoint: http://www.secpoint.com/What-is-a-White-Hat.html Shubik, M., & Zelinsky, A. (2012, February 28). Network Systems: Protection, Detection, and Recovery. Retrieved from HSI Journal of Homeland Security: http://www.homelandsecurity.org/journal/%28S%2805dhlczznqtmt4453lgzzv45%29%29/Defau lt.aspx%3Ft%3D336%26AspxAutoDetectCookieSupport%3D1+&cd=1&hl=en&ct=clnk Souli, S. (1995). Greek Myhthology. Athens: Editions Michalis Toubis. Steen, M. v. (2010). Graph Theory and Complex Networks, An Introduction. Amsterdam: Maarten van Steen. Stoll, C. (1989). The Cuckoo's Egg. Tracking a Spy through the Maze of Computer Espionage. New York: Simon & Schuster. Time. (2012, May 28). Inside WikiLeaks' Bunker. Retrieved from Time: http://www.time.com/time/photogallery/0,29307,2036380,00.html

62

Tooley, M. (2012, January 20). Megaupload Gets Shut Down. Retrieved from The Better Broadband Blog: http://www.betterbroadbandblog.com/2012/01/megaupload-gets-shut-down/ Tor Project. (2012, May 27). Tor Project: Anonymity Online. Retrieved from The Tor Project: https://www.torproject.org/ TorrentFreak. (2010, November 15). Behind The Scenes at Anonymous Operation Payback. Retrieved from TorrentFreak: http://torrentfreak.com/behind-the-scenes-at-anonymousoperation-payback-111015/ University of Twente. (2012, May 10). Attacks by "Anonymous" WikiLeaks proponents not anonymous. Retrieved from University of Twente: http://www.utwente.nl/ewi/dacs/news/archive/2010/wikileaks.doc/index.html Vaus, D. d. (2010). Research Design in Social Research. London: Sage. Villeneuve, N. (2010, November 12). Koobface Inside a Criminal Network. Retrieved from infowarmonitor.net: http://www.infowar-monitor.net/koobface Vinograd, C., & Satter, R. (2010, December 7). Julian Assange Arrested: WikiLeaks Founder Taken Into Custody In London On Swedish Warrant. Retrieved from Huffington Post: http://www.huffingtonpost.com/2010/12/07/julian-assange-arrested-w_n_792956.html Volkskrant. (2012, March 13). Dit is de duistere kant van het internet. Ook Robert M. was er te vinden. Retrieved from Volkskrant.nl: http://www.volkskrant.nl/vk/nl/2694/InternetMedia/article/detail/3224853/2012/03/13/Dit-is-de-duistere-kant-van-het-internet-Ook-RobertM-was-er-te-vinden.dhtml Vries, W. d. (2012, January 24). KLPD start wervingsactie via Tweakers.net. Retrieved from Tweakers.net: http://tweakers.net/plan/616/klpd-start-wervingsactie-via-tweakers-punt-net.html Wagenseil, P. (2012, January 14). Anonymous Harasses Time Warner Chief Over SOPA, Reports Say. Retrieved from Security News Daily: http://www.securitynewsdaily.com/1399-anon-sopabewkes-dox.html Wall, D. (2008). Cybercrime and the Culture of Fear. Information, Communication & Society, 861-884. Ward, C. (2012, March 13). State cyber crime laws need updating. Retrieved from Shelby County Reporter: http://www.shelbycountyreporter.com/2012/03/13/state-cyber-crime-laws-needupdating/ wconeybeer. (2010, November 17). Who are these Anonymous people behind Operation Payback? Retrieved from MyCE: http://www.myce.com/news/who-are-these-anonymous-people-behindoperation-payback-36698/ Wikia. (2012, May 27). U.S. v. Gorshkov. Retrieved from Wikia IT Law Wiki: http://itlaw.wikia.com/wiki/U.S._v._Gorshkov Wikileaks. (2012, May 28). About. Retrieved from Wikileaks: http://wikileaks.org/About.html Wikileaks. (2012, May 28). Donate. Retrieved from Wikileaks: http://shop.wikileaks.org/donate Wikileaks. (2012, May 28). Portal:Volunteers. Retrieved from Wikileaks: http://wikileaks.org/wiki/Portal:Volunteers Wikileaks. (2012, May 28). What Does it Cost to Change the World? Retrieved from Vimeo: http://vimeo.com/25412550 Wikipedia. (2012, May 23). Hacker (computer security). Retrieved from Wikipedia: http://en.wikipedia.org/wiki/Hacker_%28computer_security%29 Wikipedia. (2012, May 18). Low Orbit Ion Cannon. Retrieved from Wikipedia: http://en.wikipedia.org/wiki/Low_Orbit_Ion_Cannon Wikipedia. (2012, Januar 31). Shadowcrew. Retrieved from Wikipedia: http://en.wikipedia.org/wiki/ShadowCrew Wikipedia. (2012, June 2). Stuxnet. Retrieved from Wikipedia: http://en.wikipedia.org/wiki/Stuxnet Wikipedia. (2012, May 28). WikiLeaks. Retrieved from Wikipedia: http://en.wikipedia.org/wiki/WikiLeaks

63

Xu, J., & Chen, H. (2003). Untangling Criminal Networks: A Case Study. In Proceedings of the 1st NSF/NIJ conference on Intelligence and security informatics (pp. 232-248 ). Berlin: Springer. Xu, J., & Chen, H. (2008). The Topology of Dark Networks. Communications of the ACM, 58-65. Yar, M. (2006). Cybercrime and Society. London: Sage. Yip, M. (2011). An Investigation into Chinese Cybercrime and the Applicability of Social Network Analysis. Proceedings of the ACM WebSci'11, 1-4. Yomiuri Shimbun. (2012, January 3). Govt working on defensive cyberweapon / Virus can trace, disable sources of cyber-attacks. Retrieved from Daily Yomiuri Online: http://www.yomiuri.co.jp/dy/national/T120102002799.htm Zedner, L. (2009). Security. London and New York: Routeledge. Zetter, K. (2011, September 20). DigiNotar Files for Bankruptcy in Wake of Devastating Hack. Retrieved from Wired: http://www.wired.com/threatlevel/2011/09/diginotar-bankruptcy/ Zetter, K. (2011, July 11). How Digital Detectives Deciphered Stuxnet. Retrieved from Wired: http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/all/1 Zetter, K. (2011, July 11). Stuxnet Timeline Shows Correlation Among Events. Retrieved from Wired.com: http://www.wired.com/threatlevel/2011/07/stuxnet-timeline/

64