Offensive Cyber Militia Models
Volunteer based non-state actors have played an important part in many international cyber conflicts of the past two decades. In order to better understand this threat I describe three theoretical models for volunteer based offensive cyber militias: the Forum, the Cell and the Hierarchy. The Forum is an ad-hoc cyber militia form that is organized around a central communications platform, where the members share information and tools necessary to carry out cyber attacks against their chosen adversary. The Cell model refers to hacker cells, which engage in politically motivated hacking over extended periods of time. The Hierarchy refers to the traditional hierarchical model, which may be encountered in government sponsored volunteer organizations, as well as in cohesive self-organized non-state actors. For each model, I give an example and describe the model’s attributes, strengths and weaknesses using qualitative analysis. The models are based on expert opinion on different types of cyber militias that have been seen in cyber conflicts. These theoretical models provide a framework for categorizing volunteer based offensive cyber militias of non-trivial size.
The widespread application of Internet services has given rise to a new contested space, where people with conflicting ideals or values strive to succeed, sometimes by attacking the systems and services of the other side. It is interesting to note that in most public cases of cyber conflict the offensive side is not identified as a state actor, at least not officially. Instead, it often looks like citizens take part in hactivist campaigns or patriotic hacking on their own, volunteering for the cyber front.
Cases like the 2007 cyber attacks against Estonia are a good example where an informal non-state cyber militia has become a threat to national security. In order to understand the threat posed by these volunteer cyber militias I provide three models of how such groups can be organized and analyze the strengths and weaknesses of each.
The three models considered are the Forum, the Cell and the Hierarchy. The models are applicable to groups of non-trivial size, which require internal assignment of responsibilities and authority.
In this paper I use theoretical qualitative analysis in order to describe the attributes, strengths and weaknesses of three offensively oriented cyber militia models. I have chosen the three plausible models based on what can be observed in recent cyber conflicts. The term model refers to an abstract description of relationships between members of the cyber militia, including command, control and mentoring relationships, as well as the operating principles of the militia.
Note, however, that the description of the models is based on theoretical reasoning and expert opinion. It offers abstract theoretical models in an ideal setting. There may not be a full match to any of them in reality or in the examples provided. It is more likely to see either combinations of different models or models that do not match the description in full. On the other hand, the models should serve as useful frameworks for analyzing volunteer groups in the current and coming cyber conflicts.
In preparing this work, I communicated with and received feedback from a number of recognized experts in the field of cyber conflict research. I wish to thank them all for providing comments on my proposed models: Prof Dorothy Denning (Naval Postgraduate School), Dr Jose Nazario (Arbor Networks), Prof Samuel Liles (Purdue University Calumet), Mr Jeffrey Carr (Greylogic) and Mr Kenneth Geers (Cooperative Cyber Defence Centre of Excellence).
2. The forum
The global spread of the Internet allows people to connect easily and form „cyber tribes“, which can range from benign hobby groups to antagonistic ad-hoc cyber militias. (Williams 2007, Ottis 2008, Carr 2009, Nazario 2009, Denning 2010) In the case of an ad-hoc cyber militia, the Forum unites like- minded people who are “willing and able to use cyber attacks in order to achieve a political goal.“ It serves as a command and control platform where more active members can post motivational materials, attack instructions, attack tools, etc. (Denning 2010)
This particular model, as well as the strengths and weaknesses covered in this section, are based on (Ottis 2010b). A good example of this model in recent cyber conflicts is the stopgeorgia.ru forum during the Russia-Georgia war in 2008 (Carr 2009).
The Forum is an on-line meeting place for people who are interested in a particular subject. I use Forum as a conceptual term referring to the people who interact in the on-line meeting place. The technical implementation of the meeting place could take many different forms: web forum, Internet Relay Chat channel, social network subgroup, etc. It is important that the Forum is accessible over Internet and preferably easy to find. The latter condition is useful for recruiting new members and providing visibility to the agenda of the group.
The Forum mobilizes in response to an event that is important to the members. While there can be a core group of people who remain actively involved over extended periods of time, the membership can be expected to surge in size when the underlying issue becomes “hot“. Basically, the Forum is like a flash mob that performs cyber attacks instead of actions on the streets. As such, the Forum is more ad-hoc than permanent, because it is likely to disband once the underlying event is settled.
The membership of the Forum forms a loose network centered on the communications platform, where few, if any, people know each other in real life and the entire membership is not known to any single person (Ottis 2010b). Most participate anonymously, either providing an alias or by remaining passive on the communication platform. In general, the Forum is an informal group, although specific roles can be assumed by individual members. For example, there could be trainers, malware providers, campaign planners, etc. (Ottis 2010b) Some of the Forum members may also be active in cyber crime. In that case, they can contribute resources such as malware or use of a botnet to the Forum.
The membership is diverse, in terms of skills, resources and location. While there seems to be evidence that a lot of the individuals engaged in such activities are relatively unskilled in cyber attack techniques (Carr 2009), when supplemented with a few more experienced members the group can be much more effective and dangerous (Ottis 2010a).
Since most of the membership remains anonymous and often passive on the communications platform, the leadership roles will be assumed by those who are active in communicating their intent, plans and expertise. (Denning 2010) However, this still does not allow for strong command and control, as each member can decide what, if any, action to take.
One of the most important strengths of a loose network is that it can form very quickly. Following an escalation in the underlying issue, all it takes is a rallying cry on the Internet and within hours or even minutes the volunteers can gather around a communications platform, share attack instructions, pick targets and start performing cyber attacks.
As long as there is no need for tightly controlled operations, in terms of timing, resource use and targeting, there is very little need for management. The network is also easily scalable, as anyone can join and there is no lengthy vetting procedure.
The diversity of the membership means that it is very difficult for the defenders to analyze and counter the attacks. The source addresses are likely distributed globally (black listing will be inefficient) and the different skills and resources ensure heterogeneous attack traffic (no easy patterns). In addition, experienced attackers can use this to conceal precision strikes against critical services and systems.
While it may seem that neutralizing the communications platform (via law enforcement action, cyber attack or otherwise) is an easy way to neutralize the militia, this may not be the case. The militia can easily regroup at a different communications platform in a different jurisdiction. Attacking the Forum directly may actually increase the motivation of the members.
Last, but not least, it is very difficult to attribute these attacks to a state, as they can (seem to) be a true (global) grass roots campaign, even if there is some form of state sponsorship. Some states may take advantage of this fact by allowing such activity to continue in their jurisdiction, blaming legal obstacles or lack of capability for their inactivity. It is also possible for government operatives to “create” a “grass roots” Forum movement in support of the government agenda. (Ottis 2009)
A clear weakness of this model is the difficulty to command and control the Forum. Membership is not formalized and often it is even not visible on the communication platform, because passive readers can just take ideas from there and execute the attacks on their own. This uncoordinated approach can seriously hamper the effectiveness of the group as a whole. It may also lead to uncontrolled expansion of conflict, when members unilaterally attack third parties on behalf of the Forum.
A problem with the loose network is that it is often populated with people who do not have experience with cyber attacks. Therefore, their options are limited to primitive manual attacks or preconfigured automated attacks using attack kits or malware. (Ottis 2010a) They are highly reliant on instructions and tools from more experienced members of the Forum.
The Forum is also prone to infiltration, as it must rely on relatively easily accessible communication channels. If the communication point is hidden, the group will have difficulties in recruiting new members. The assumption is, therefore, that the communication point can be easily found by both potential recruits, as well as infiltrators. Since there is no easy way to vet the incoming members, infiltration should be relatively simple.
Another potential weakness of the Forum model is the presumption of anonymity. If the membership can be infiltrated and convinced that their anonymity is not guaranteed, they will be less likely to participate in the cyber militia. Options for achieving this can include “exposing” the “identities” of the infiltrators, arranging meetings in real life, offering tools that have a phone-home functionality to the members, etc. Note that some of these options may be illegal, depending on the circumstances. (Ottis 2010b)
3. The cell
Another model for a volunteer cyber force that has been seen is a hacker cell. In this case, the generic term hacker is used to encompass all manner of people who perform cyber attacks on their own, regardless of their background, motivation and skill level. It includes the hackers, crackers and script kiddies described by Young and Aitel (2004). The hacker cell includes several hackers who commit cyber attacks on a regular basis over extended periods of time. Examples of hacker cells are Team Evil and Team Hell, as described in Carr (2009).
Unlike the Forum, the Cell members are likely to know each other in real life, while remaining anonymous to the outside observer. Since their activities are almost certainly illegal, they need to trust each other. This limits the size of the group and requires a (lengthy) vetting procedure for any new recruits. The vetting procedure can include proof of illegal cyber attacks.
The command and control structure of the Cell can vary from a clear self-determined hierarchy to a flat organization, where members coordinate their actions, but do not give or receive orders. In theory, several Cells can coordinate their actions in a joint campaign, forming a confederation of hacker cells.
The Cells can exist for a long period of time, in response to a long-term problem, such as the Israel- Palestine conflict. The activity of such a Cell ebbs and flows in accordance with the intensity of the underlying conflict. The Cell may even disband for a period of time, only to reform once the situation intensifies again.
Since hacking is a hobby (potentially a profession) for the members, they are experienced with the use of cyber attacks. One of the more visible types of attacks that can be expected from a Cell is the website defacement. Defacement refers to the illegal modification of website content, which often includes a message from the attacker, as well as the attacker’s affiliation. The Zone-H web archive lists thousands of examples of such activity, as reported by the attackers. Many of the attacks are clearly politically motivated and identify the Cell that is responsible.
Some members of the Cell may be involved with cyber crime. For example, the development, dissemination, maintenance and use of botnets for criminal purposes. These resources can be used for politically motivated cyber attacks on behalf of the Cell.
A benefit of the Cell model is that it can mobilize very quickly, as the actors presumably already have each other’s contact information. In principle, the Cell can mobilize within minutes, although it likely takes hours or days to complete the process.
A Cell is quite resistant to infiltration, because the members can be expected to establish their hacker credentials before being allowed to join. This process may include proof of illegal attacks.
Since the membership can be expected to be experienced in cyber attack techniques, the Cell can be quite effective against unhardened targets. However, hardened targets may or may not be within the reach of the Cell, depending on their specialty and experience. Prior hacking experience also allows them to cover their tracks better, should they wish to do so.
While a Cell model is more resistant to countermeasures than the Forum model, it does offer potential weaknesses to exploit. The first opportunity for exploitation is the hacker’s ego. Many of the more visible attacks, including defacements, leave behind the alias or affiliation of the attacker, in order to claim the bragging rights. (Carr 2009) This seems to indicate that they are quite confident in their skills and proud of their achievements. As such, they are potentially vulnerable to personal attacks, such as taunting or ridiculing in public. Stripping the anonymity of the Cell may also work, as at least some members could lose their job and face law enforcement action in their jurisdiction. (Carr 2009) As described by Ottis (2010b), it is probably not necessary to actually identify all the members of the Cell. Even if the identity of a few of them is revealed or if the corresponding perception can be created among the membership, the trust relationship will be broken and the effectiveness of the group will decrease.
Prior hacking experience also provides a potential weakness. It is more likely that the law enforcement know the identity of a hacker, especially if he or she continues to use the same affiliation or hacker alias. While there may not be enough evidence or damage or legal base for law enforcement action in response to their criminal attacks, the politically motivated attacks may provide a different set of rules for the local law enforcement.
The last problem with the Cell model is scalability. There are only so many skilled hackers who are willing to participate in a politically motivated cyber attack. While this number may still overwhelm a small target, it is unlikely to have a strong effect on a large state.
4. The hierarchy
The third option for organizing a volunteer force is to adopt a traditional hierarchical structure. This approach is more suitable for government sponsored groups or other cohesive groups that can agree to a clear chain of command. For example, the People’s Liberation Army of China is known to include militia type units in their IW battalions. (Krekel 2009) The model can be divided into two generic sub- models: anonymous and identified membership.
The Hierarchy model is similar in concept to military units, where a unit commander exercises power over a limited number of sub-units. The number of command levels depends on the overall size of the organization.
Each sub-unit can specialize on some specific task or role. For example, the list of sub-unit roles can include reconnaissance, infiltration/breaching, exploitation, malware/exploit development and training. Depending on the need, there can be multiple sub-units with the same role. Consider the analogy of an infantry battalion, which may include a number of infantry companies, anti-tank and mortar platoons, a reconnaissance platoon, as well as various support units (communications, logistics), etc. This specialization and role assignment allows the militia unit to conduct a complete offensive cyber operation from start to finish.
A Hierarchy model is the most likely option for a state sponsored entity, since it offers a more formalized and understandable structure, as well as relatively strong command and control ability. The control ability is important, as the actions of a state sponsored militia are by definition attributable to the state.
However, a Hierarchy model is not an automatic indication of state sponsorship. Any group that is cohesive enough to determine a command structure amongst them can adopt a hierarchical structure. This is very evident in Massively Multiplayer Online Games (MMOG), such as World of Warcraft or EVE Online, where players often form hierarchical groups (guilds, corporations, etc.) in order to achieve a common goal. The same approach is possible for a cyber militia as well. In fact, Williams (2007) suggests that gaming communities can be a good recruiting ground for a cyber militia.
While the state sponsored militia can be expected to have identified membership (still, it may be anonymous to the outside observer) due to control reasons, a non-state militia can consist of anonymous members that are only identified by their screen names.
The obvious strength of a hierarchical militia is the potential for efficient command and control. The command team can divide the operational responsibilities to specialized sub-units and make sure that their actions are coordinated. However, this strength may be wasted by incompetent leadership or other factors, such as overly restrictive operating procedures.
A hierarchical militia may exist for a long time even without ongoing conflict. During “peacetime“, the militia’s capabilities can be improved with recruitment and training. This degree of formalized preparation with no immediate action in sight is something that can set the hierarchy apart from the Forum and the Cell.
If the militia is state sponsored, then it can enjoy state funding, infrastructure, as well as cooperation from other state entities, such as law enforcement or intelligence community. This would allow the militia to concentrate on training and operations.
A potential issue with the Hierarchy model is scalability. Since this approach requires some sort of vetting or background checks before admitting a new member, it may be time consuming and therefore slow down the growth of the organization.
Another potential issue with the Hierarchy model is that by design there are key persons in the hierarchy. Those persons can be targeted by various means to ensure that they will not be effective or available during a designated period, thus diminishing the overall effectiveness of the militia. A hierarchical militia may also have issues with leadership if several people contend for prestigious positions. This potential rift in the cohesion of the unit can potentially be exploited by infiltrator agents.
Any activities attributed to the state sponsored militia can further be attributed to the state. This puts heavy restrictions on the use of cyber militia “during peacetime“, as the legal framework surrounding state use of cyber attacks is currently unclear. However, in a conflict scenario, the state attribution is likely not a problem, because the state is party to the conflict anyway. This means that a state sponsored offensive cyber militia is primarily useful as a defensive capability between conflicts. Only during conflict can it be used in its offensive role.
While a state sponsored cyber militia may be more difficult (but not impossible) to infiltrate, they are vulnerable to public information campaigns, which may lead to low public and political support, decreased funding and even official disbanding of the militia. On the other hand, if the militia is not state sponsored, then it is prone to infiltration and internal information operations similar to the one considered at the Forum model.
Of the three models, the hierarchy probably takes the longest to establish, as the chain of command and role assignments get settled. During this process, which could take days, months or even years, the militia is relatively inefficient and likely not able to perform any complex operations.
When analyzing the three models, it quickly becomes apparent that there are some aspects that are similar to all of them. First, they are not constrained by location. While the Forum and the Cell are by default dispersed, even a state sponsored hierarchical militia can operate from different locations.
Second, since they are organizations consisting of humans, then one of the more potent ways to neutralize cyber militias is through information operations, such as persuading them that their identities have become known to the law enforcement, etc.
Third, all three models benefit from a certain level of anonymity. However, this also makes them susceptible for infiltration, as it is difficult to verify the credentials and intent of a new member.
On the other hand, there are differences as well. Only one model lends itself well to state sponsored entities (hierarchy), although, in principle, it is possible to use all three approaches to bolster the state’s cyber power.
The requirement for formalized chain of command and division of responsibilities means that the initial mobilization of the Hierarchy can be expected to take much longer than the more ad-hoc Forum or Cell. In case of short conflicts, this puts the Hierarchy model at a disadvantage.
Then again, the Hierarchy model is more likely to adopt a “peace time” mission of training and recruitment in addition to the “conflict” mission, while the other two options are more likely to be mobilized only in time of conflict. This can offset the slow initial formation limitation of the Hierarchy, if the Hierarchy is established well before the conflict.
While the Forum can rely on their numbers and use relatively primitive attacks, the Cell is capable of more sophisticated attacks due to their experience. The cyber attack capabilities of the Hierarchy, however, can range from trivial to complex.
It is important to note that the three options covered here can be combined in many ways, depending on the underlying circumstances and the personalities involved.
Politically motivated cyber attacks are becoming more frequent every year. In most cases the cyber conflicts include offensive non-state actors (spontaneously) formed from volunteers. Therefore, it is important to study these groups.
I have provided a theoretical way to categorize non-trivial cyber militias based on their organization. The three theoretical models are: the Forum, the Cell and the Hierarchy. In reality, it is unlikely to see a pure form of any of these, as different groups can include aspects of several models. However, the strengths and weaknesses identified should serve as useful guides to dealing with the cyber militia threat.
Disclaimer: The opinions expressed here should not be interpreted as the official policy of the Cooperative Cyber Defence Centre of Excellence or the North Atlantic Treaty Organization.
Carr, J. (2009) Inside Cyber Warfare. Sebastopol: O’Reilly Media.
Denning, D. E. (2010) “Cyber Conflict as an Emergent Social Phenomenon.” In Holt, T. & Schell, B. (Eds.)
Corporate Hacking and Technology-Driven Crime: Social Dynamics and Implications. IGI Global, pp 170-
Krekel, B., DeWeese, S., Bakos, G., Barnett, C. (2009) Capability of the People’s Republic of China to Conduct
Cyber Warfare and Computer Network Exploitation. Report for the US-China Economic and Security
Nazario, J. (2009) “Politically Motivated Denial of Service Attacks.” In Czosseck, C. & Geers, K. (Eds.) The Virtual
Battlefield: Perspectives on Cyber Warfare. Amsterdam: IOS Press, pp 163-181.
Ottis, R. (2008) “Analysis of the 2007 Cyber Attacks Against Estonia from the Information Warfare Perspective.” In Proceedings of the 7th European Conference on Information Warfare and Security. Reading: Academic Publishing Limited, pp 163-168.
Ottis, R. (2009) ”Theoretical Model for Creating a Nation-State Level Offensive Cyber Capability.” In Proceedings of the 8th European Conference on Information Warfare and Security. Reading: Academic Publishing Limited, pp 177-182.
Ottis, R. (2010a) “From Pitch Forks to Laptops: Volunteers in Cyber Conflicts.” In Czosseck, C. and Podins, K. (Eds.) Conference on Cyber Conflict. Proceedings 2010. Tallinn: CCD COE Publications, pp 97-109.
Ottis, R. (2010b) “Proactive Defence Tactics Against On-Line Cyber Militia.” In Proceedings of the 9th European
Conference on Information Warfare and Security. Reading: Academic Publishing Limited, pp 233-237. Williams, G., Arreymbi, J. (2007) Is Cyber Tribalism Winning Online Information Warfare? In Proceedings of
ISSE/SECURE 2007 Securing Electronic Business Processes. Wiesbaden: Vieweg. On-line:
Young, S., Aitel, D. (2004) The Hacker’s Handbook. The Strategy behind Breaking into and Defending Networks. Boca Raton: Auerbach.
Keywords: cyber conflict, cyber militia, cyber attack, patriotic hacking, on-line communities
Cooperative Cyber Defence Centre of Excellence, Tallinn, Estonia firstname.lastname@example.org