It’s time to think beyond cyber harm
Thu 25 Feb 2021 | Shomiron DasGupta
The impacts of hostile cyber events can be felt everywhere and take on a dizzying array of forms
If we go by what many great thinkers expound about the human mind’s ability, cyberspace is as vast as our thought. Today we live in an epoch driven by technological advances that have shrunk the world due to connected devices. There is no escaping the impact of the internet and its ubiquitous influence.
The world has witnessed a transition from mechanised to industrial to technological and now data revolution, which has been the fastest of all the revolutions and forged a much deeper socio-cultural-economic impact, blurring the boundaries between the physical, digital, and biological worlds.
It comes as no surprise that data is called the new oil, where every organisation and country is trying to wrap its head around the importance of data. The value of data is immeasurable and quantum computing machines are been invented precisely to give sense to this data.
Given its enormity and value, we tend to frame data breaches, manipulations, or attacks in terms of financial loss. But one must look at cyber breach beyond this immediate prism and delve into second-order realms not necessarily contained within the internet, which nonetheless cause a long and cascading effect on humanity. It’s time to think beyond cyber harm.
Physical harm consists of bodily or asset harm caused by some cyber event. Today, technology arms us with the power to identify the location of a person without much exertion. Just think about doxxing.
Attacks on critical infrastructure are particularly alarming manifestations of physical harm. A week before Christmas, hackers struck an electric transmission station, blacking out a portion of the Ukrainian capital equivalent to a fifth of its total power capacity. While the outage was only an hour-long, cybersecurity experts believe it may have been a dry run for grid-sabotaging malware which could be far more damaging.
In another instance, a teenager in Poland used a homemade transmitter to trip rail switches remotely and redirected four trams towards a collision course to over a dosen people.
Research by Michael L. Gross, Daphna Canetti, and Dana R. Vashdi has shown how stress and nervousness increase in tandem with the severity of cyber attacks. Standardised anxiety measurement tools operate on a scale of 1-4, with 4 being the top of the scale, usually seen in the case of conventional terrorism. Stress scores for non-lethal and lethal cyber terrorism were recorded on a 3.6 scale.
There is a direct correlation between a hostile cyber incident and the psychological wellbeing of a person. The incidents may include cyberbullying or stalking, where the targets could be as young as a teenager.
Phishing emails, too, exploit the principles of social psychology, consumer traits, and behaviour change. Psychological manipulation is used to create a sense of urgency or fear if the recipient does not respond immediately.
Another aspect of psychological harm is when threat actors or hacktivists groom their targets to commit crimes. Psychological grooming has the potential of arming the unsuspecting youth with misguided ideas. These are also called social engineering, where criminals use social media to get in touch with victims.
What’s alarming is that such activities are often seen as part of a group effort, instead of the work of isolated individuals. For instance, the Hacktivist group Anonymous was held responsible for luring and coercing individuals to participate in online activities to collect information.
To be widely accepted, the group prefers to be presented as hacktivists, rather than calling themselves cybercriminals or cyber terrorists – even though the consequences of their actions lead to the same outcomes as cyber terrorism.
Hacktivists also use tactics to lure disgruntled employees into causing reputational harm, who are difficult to detect in a system that provides them unrestricted access. The misguided individuals, who have limited technological expertise, are not informed or do not understand the consequence of their actions.
It is becoming increasingly difficult to detect such groups that can invoke harm on a massive scale as their motivations can range from financial gain to ideological and political protests. For example, the Church of Scientology was targeted by Anonymous in a distributed denial of service attack (DDoS). The instruction manual to download the software to overload the website and shut it down was distributed among individuals who wished to participate in the infamous campaign called Project Chanology.
One of the most noticeable among all is that this type of cyber harm happens due to a malicious event on the internet like a ransomware attack on an individual or an organisation, which in turn, leads to financial loss. Imagine the stock market being attacked and the catastrophic consequences. A report by McAfee in December 2020 revealed how growing cybercrime incidents now cost the world economy more than $1 trillion – just over one percent of global GDP, which is up more than 50 percent from a 2018 report that put global losses at close to $600 billion.
Cyber attacks regularly damage the social standing of their victims, whether an individual or an organisation. For an organisation, the effect has far-reaching consequences where capital and reputation achieved over the years can vanish overnight and has a corollary impact on the entire stakeholder chain. In 2019, banking group Capital One suffered a data breach involving 100 million customers in the US and Canada. While the costs of dealing with the incident were around USD 100-150 million, the immediate reputational damage was seen on the company’s share price that slid by 6%. Furthermore, Capital One was asked to pay $80 million in civil penalties.
Cultural & Political harm
Cyber propaganda can smear a particular community, group, or even a country through misinformation. Again, this will have a lasting effect on the target and is exceedingly difficult to quantify. Today this often materialises in the form of anti-Semitic or other racist narratives that spread like wildfire through social media echo-chambers.
Spreading wrong ideologies, misrepresenting ideas, and even playing with the electoral event is part of this type of cyber harm.
Beyond the concerns about voter fraud and the challenges of electronic voting, today’s threats have the potential to influence the election process leading up to voting day. The attacks that can be anticipated are:
- Domain name abuse.
- Campaign-targeted phishing.
- Traditional malicious code and security risks.
- Denial-of-service attacks.
A recent example that made headlines was the Facebook-Cambridge Analytica data scandal where data was misused for political gains. Cambridge Analytica gathered data of up to 87 million Facebook profiles for political advertising of the 2016 presidential campaigns of Ted Cruz and Donald Trump.
The scandal sparked an increased public debate on data privacy and social media’s influence on politics. Facebook was accused of allowing Cambridge Analytica to collect personal data of the users and the users’ Facebook friends. Furthermore, psychographic profiling was done with the intent of manipulation.
The need of the hour
Cyber harm caused by social engineering attacks is on the rise and has impacted not just organisations but also the general populace.
As a result, psychologists and behaviour change experts are drawn to cybersecurity. They have presented some fearful insights into the social behaviours of misguided victims and leaders of groups such as Anonymous, LulzSec, and Lizard Squad.
Unsurprisingly, attempts to dissuade people from becoming involved in hacktivism and cybercrime have failed, even triggering a reactance response.
An alternative approach is to avoid using scare tactics and “what to do” as per psychologists. The youth need to be empowered with knowledge and awareness that their actions and decisions online can have dire outcomes. Educating them to develop resilience against being lured into traps that can cause harm – be it any type – will make them sceptical of the people and ideologies they encounter online.
There has to be a global call-to-action wherein hostile hacktivism and cybercrime is considered a grave danger to humanity. And there has to be cohesion between governments and private institutions to formulate policies, methods, and processes to develop a proactive cybersecurity approach.