What Motivates Attackers?

Attackers attempt to break into computer networks for many reasons. Although all attackers present a clear and present danger to networks, the motivation of the attacker will greatly determine the actual threat posed. By understanding what might motivate potential attackers to attempt to compromise your organization's network, you can predict what type of threats the network faces. Armed with this knowledge, once you detect an attack, you might be more able to prevent further damage or better equipped to identify who the attacker is.

Many attackers are motivated by more than one factor. Here are the reasons that attackers attempt to break into computer networks, in ascending order of the danger they present:

  • Notoriety, acceptance, and ego

  • Financial gain

  • Challenge

  • Activism

  • Revenge

  • Espionage

  • Information warfare

Notoriety, Acceptance, and Ego

An attacker's quest for notoriety, desire for acceptance, and ego comprise one of the most common motivations for attempts to break into computer networks and applications. Attackers motivated by notoriety often are naturally introverted and seeking a way to gain acceptance in the electronic hacker community; thus, their exploits are very public. Examples of such attacks include defacing Web sites and creating computer viruses and worms.

By breaking into a network of a major company or government agency and defacing its Web site, an attacker is virtually guaranteed national and international publicity and enshrined in the electronic hacker community. For example, Attrition.org runs a Web site that catalogs nearly all Web site defacements in recent years. Querying any major search engine for the phrase "Web site defacement" invariably returns thousands of accounts of an organization's Web site being defaced, including those of most major corporations and government agencies.

Although not normally regarded as attackers, people who create and release computer viruses and worms cause billions of dollars of damage each year. In 1991, the Michelangelo virus opened a Pandora's box of sorts for computer viruses. Although the Michelangelo virus did little actual damage, the coverage that it received in the mainstream media, including newspapers, magazines, and television news, brought computer viruses into the popular consciousness and opened the door for other malicious publicity seekers. Since then, many other computer viruses have created similar media frenzies, such as Fun Love, I Love You, Melissa, and most recently, Code Red and NIMDA.

Popular media and antiauthoritarian romanticism transformed outlaws of the United States western frontier such as Jesse James and Billy the Kid from common criminals who robbed banks and murdered people into cult heroes. Similarly, several attackers have gained cult hero status in the hearts and minds of computer geeks. Two recent examples include Kevin Mitnick and Adrian Lamo. Other attackers and prospective attackers seek the attention of the media and hacker communities that Mitnick and Lamo received and are envious, if not worshipful. The cult following of these two hacker legends is particularly strong with impressionable teenagers who have not fully developed their own sense of morality and rarely understand the true consequences their actions have on business continuity and information technology.

In all these examples and in many similar incidents, the exploits of the attackers received international publicity. Attackers motivated by notoriety, acceptance, and ego look at these incidents as proof that they too can become famous. You can probably imagine the sense of accomplishment an attacker might feel, seeing his handiwork in the headlines of major newspapers and discussed on television news programs by political pundits. Often attackers know that their actions are illegal but consider their behavior harmless because there is no clear victim, no one physically harmed, and no tangible goods stolen or destroyed. Thus, in the minds of many attackers, they are not doing anything discernibly wrong. Certainly this is not the case. For example, although the direct financial consequences of Web site defacements are often low, the loss of public confidence in how well the organization can ensure the confidentiality and privacy of their employee, business partner, and customer information can be severe. This can result in indirect financial losses from customer distrust and defection.

Financial Gain

We can separate attackers motivated by monetary gain into two categories: those motivated by direct financial gain, and those motivated by indirect financial gain.

Attackers motivated by direct financial gain are little more than common criminals, akin to bank robbers with computer skills. These attackers break into computer networks or applications to steal money or information. In the past few years, there have been several high-profile thefts of credit card information from the databases of companies that conduct online commerce. These attackers did one of three things with the credit card information that they stole: they used the credit cards to purchase products or make cash withdrawals, sold the credit card numbers to other criminals, or attempted to extort money from the companies from which they stole the credit cards. In nearly every case, the attacker was apprehended, but not before causing significant damage. For example, in 1994, a Russian attacker broke into Citibank and transferred roughly $10 million to accounts in several countries. He was captured, and all but $400,000 was recovered. But the real damage to Citibank was in their customers' loss of trust because of Citibank's inability to secure their customers' bank accounts. The attacker was sentenced to three years in prison and fined $240,000, whereas U.S. Federal Sentencing Guidelines call for a minimum 6–10 year sentence for someone with no prior criminal record who robs a bank in person.

Another way that attackers seek financial gain from attacking networks and applications is to successfully break into an organization's network and then offer to help the organization secure the network. Although many of these attackers maintain the position that they are good guys wanting only to help the target organization, in reality, they are little more than extortionists demanding protection money, like a 1920s gangster in cyberspace.

Some attackers are motivated by financial gain but in an indirect manner. A researcher or computer security company might make a large effort to discover vulnerabilities in commercial software applications and operating systems, and then use their discovery and the publication of such previously unknown vulnerabilities as a marketing tool for their own security assessment services. The publicity that a company or individual receives from unearthing a serious vulnerability in a commercial software application, especially a widely used application, can be priceless. For example, most significant vulnerabilities discovered in a widely used software application will be reported on the front page of major news and computer industry Web sites and in the technology or business sections of major newspapers. The discoverer of such a vulnerability might even receive airtime on the cable news television networks. For most small computer consulting companies, obtaining this type of publicity normally would be out of the question.

There is a critical point in the process of discovering commercial software vulnerabilities when one leaves the realm of ethical behavior and becomes an attacker: the reporting of that vulnerability to the general public without the software company's knowledge or consent. Most commercial software companies are more than willing to work with researchers who have discovered security vulnerabilities to ensure that a software patch is available before the vulnerability is announced. Many software companies will also give credit to the person and company that discovers the vulnerability, thus balancing the interests of their software users with the public recognition earned by the person and company reporting the vulnerability. However, many researchers not only publish the vulnerability without notifying the software vendor, they also create code to exploit the vulnerability. Further complicating this issue are laws such as the 1998 Digital Millennium Copyright Act (DMCA), which prohibits individuals from exposing vulnerabilities in certain software and hardware encryption techniques used for digital rights management. The bottom line is this: although discovering vulnerabilities for indirect financial gain can be done illegitimately via extortion, it can also be done legitimately to advance the mutual business goal of software vendors and researchers protecting consumers.

Challenge

Many attackers initially attempt to break into networks for the mere challenge. In many ways, attackers view networks as a game of chess, a battle of minds that combines strategic and tactical thinking, patience, and mental strength. However, chess has precisely defined rules, and attackers clearly operate outside the rules. Attackers motivated by the challenge of breaking into networks often do not even comprehend their actions as criminal or wrong. Attackers motivated by the challenge are often indifferent to which network they attack; thus, they will attack everything from military installations to home networks. These attackers are unpredictable, both in their skill level and dedication.

Activism

One newer type of attacker is the hacktivist, an attacker who breaks into networks as part of a political movement or cause. This type of attacker might break into a Web site and change the content to voice his own message. The "Free Kevin Mitnick" hacktivists frequently did this in an attempt to get Mitnick released from U.S. federal custody after he was arrested on multiple counts of computer crime. Attackers motivated by a specific cause might also publish intellectual property that does not belong to them, such as pirated software or music. They might carry out sophisticated denial-of-service attacks, called virtual sit-ins, on major Web sites to call attention to a particular cause.

Revenge

Attackers motivated by revenge are often former employees who feel they were wrongfully terminated or hold ill will toward their former employers. These attackers can be particularly dangerous because they focus on a single target and, being former employees, often have intricate knowledge of the security of the networks. For example, on July 30, 1996, employees of Omega Engineering arrived at work to discover that they could no longer log on to their computers. Later they discovered that nearly all their mission-critical software had been deleted. The attack was linked to a logic bomb planted by an administrator who had been fired three weeks earlier. The attack resulted in more than $10 million in losses, prompting the layoff of 80 employees. In early 2002, the former administrator was sentenced to 41 months in prison, which pales in comparison to the financial and human damages that he caused.

Espionage

Some attackers break into networks to steal secret information for a third party. Attackers who engage in espionage are generally very skilled and can be well funded. Two types of espionage exist: industrial and international. A company might pay its own employees to break into the networks of its competitors or business partners, or the company might hire someone else to do this. Because of the negative publicity associated with such attacks, successful acts of industrial espionage are underreported by the victimized companies and law enforcement agencies. A widely publicized industrial espionage incident using computers recently took place in Japan. In December 2001, an engineer at Japan's NEC Toshiba Space Systems broke into the network of the National Space Development Agency of Japan. This engineer illegally accessed the antenna designs for a high-speed Internet satellite made by Mitsubishi in an attempt to help NEC gain business from the space agency. As a result, the Japan Space Agency prohibited NEC from bidding on new contracts for two months, but no criminal charges were filed.

Attackers who engage in international espionage attempt to break into computer networks run by governments, or they work for governments and rogue nations to steal secret information from other governments or corporations. The most famous case of computer-related international espionage is documented in Cliff Stoll's book The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage (Pocket Books, 2000). In 1986, Stoll, an astronomer by trade, was working as a computer operator at Lawrence Berkeley Lab when he discovered a 75-cent discrepancy in an accounting log from the mainframe computer. One thing led to another, and eventually Stoll discovered that German attackers being paid by the KGB were breaking into both military and nonmilitary computers to steal secret information.

Information Warfare

Information warfare is another motivation for attacking computer networks that is becoming increasingly dangerous as people around the world rely on them for mission-critical services. Major wars have been marked by the evolution of weapons systems: the machine gun changed the nature of combat in World War I, the tank changed the nature of combat in World War II, and airpower changed the nature of combat in Vietnam. Behind the scenes, each war also marked the evolution of electronic combat. From intercepted telegrams broken by hand, to radar jamming, to satellite transmissions that could be broken only by stealing the encryption keys (despite the power of many supercomputers), electronic combat and intelligence has become a deciding factor in modern warfare. Although no widely reported incidents of cyber-terrorism exist, you can be certain that these attempts have been made. There is evidence of information warfare in China, Israel, Pakistan, India, and the United States. The U.S. President's Critical Infrastructure Protection Board was formed in 2001 specifically to address countering the threat of cyber-terrorism and information warfare against the United States.



Microsoft Windows Security Resource Kit
ISBN: 0735621748
EAN: 2147483647
Year: 2003
Pages: 189
