When tens of millions of Korean pop music sensation BTS superfans descended on the Internet in June in support of Black Lives Matter, some described them as a virtual army. But for renowned hacker the Grugq, the impact of that army was very real. By taking online action to support racial justice at the behest of BTS, their fans were engaging in the kind of cybercraft that analysts often attribute to nation-states, he said.
“People with this level of devotion, who spend $50 on a lightbulb that’s the same color as their neighbor’s lightbulb and can be controlled by the management of the band, these people are operating in cyberspace. I think that’s awesome. But that also means that cyber power belongs to a K-pop band,” Grugq said in his opening keynote on the subject of cybercraft and cyber warfare at the virtual Disclosure Conference on Wednesday.
Grugq drew a bright line between cyberwar, which uses Internet-connected computing devices in the service of a traditional war with real-world impact on infrastructure and lives, and cyber warfare, which, as part of cybercraft, has allowed nation-states to engage each other antagonistically without directly killing people.
“‘Cyber’ used to mean that it only gave you strategic surprise,” which is why cybercraft is so often compared to the Japanese attack on Pearl Harbor, he said. “But now cyber warfare is [the ruleless game] Calvinball. Anything goes.”
This rapidly changing environment is a core part of Grugq’s definition of cybercraft as “applied cyberpower” – the ability to use the Internet to create advantages and influence events in the real world across the realms of diplomacy, information, military, and the economy. Essentially, the interconnectedness of the components that gird almost every aspect of society also makes it significantly easier and cheaper to exploit them.
It’s not just Grugq expressing concern over the state of cyber power. The rapid evolution of environments that promote the exchange of information, whether or not factual, makes it easier to manipulate those environments — and to affect the thinking of large groups of people, according to RAND in an October 2019 report.
Three key findings of the RAND study support Grugq’s analysis. First, national security increasingly relies on institutions that can help mediate the deluge of information available online by better educating people against social manipulation. Second, Big Tech and the private-sector influence billions of people and can wield their cyber power in ways that previously only nation-states have been able to.
And third, networks will become the domain of conflicts, as state actors develop networks to “avoid attribution and strengthen their virtual societal warfare capabilities against retaliation,” the study says.
“It will be much more difficult to understand, maintain an accurate portrait of, and hit back against a shadowy global network,” the report’s authors wrote.
Another way to put it is to think of how the application of cyber power has led to exploiting “cognitive vulnerabilities,” says Herb Lin, computer security policy expert and research fellow at Stanford University’s Center for International Security and Cooperation.
“The idea is not to hack the vulnerabilities in the computer but to hack the vulnerabilities inside the brain” by exploiting our biases and expectations, Lin said. Look no further than the fake Russian hack of the Michigan voter registration database from earlier this week, which turned out to not be a hack at all because the information it contained was already publicly available.
“This is a new environment, and it’s one that we don’t understand very well,” he says.
That lack of ability to get consumers to “slow down and think,” as Lin and others have put it, serves two purposes, said Grugq. It exploits the kinds of societal divisions that have been worsening in the United States and elsewhere, and it decreases the morale of the people being exploited — whether or not they know it.
“Battles stop when the people fighting them choose to stop,” he said. “That’s a much lower bar to reach than destroying the capability to fight or the will of the nation to fight.”
Seth is editor-in-chief and founder of The Parallax, an online cybersecurity and privacy news magazine. He has worked in online journalism since 1999, including eight years at CNET News, where he led coverage of security, privacy, and Google. Based in San Francisco, he also … View Full Bio