Updated: Feb 13, 2020
On January 21st, I was able to interview counterterrorism expert Yan St-Pierre about online user information that is weaponized in cyber attacks.
Yan St-Pierre is the CEO and security advisor to MOSECON, a counterterrorism consultancy in Berlin. St-Pierre has provided security analysis and policy recommendations to politicians and companies for over 20 years. This article summarizes our interview, in which we spoke about different types of cyberwars in both sophisticated and developing environments. In this discussion, St-Pierre offers his recommendations on how harvesting personal information affects cybersecurity and future sovereign data rights.
Overview of Cybersecurity and Cyber Attacks
For those with little knowledge of cyberattacks, I will provide a short summary. Cyber attacks are attacks on users across a variety of online platforms, and they began at the birth of the internet. Users that become victims of cyberattacks may be "targeted or un-targeted". Criminal hackers attack devices without discrimination in search of money, ransom or information. Many cybercriminals are a single person, known as a "black hat hacker" or just a cybercriminal. In contrast, cyber warfare is a much more sophisticated type of cyber attack (considered warfare) which specifically targets governments, high-profile individuals, entire infrastructure systems or organizations. These attacks are carried out with political or economic interests by other governments or militia groups.
Many tactics in cyber attacks and cyber warfare are the same, but they are defined differently based on their targets and the information obtained. Common examples are ransomware, malware, corporate or governmental espionage, phishing scams, social engineering and data breaches.
Types of Cyberwars
Yan St-Pierre believes cyberwars can be broken down into two types. The first is the cyberwar between nations with sophisticated cyber capabilities such as the US, Israel, Russia, China, Iran, and North Korea. The second type of cyberwar involves less sophisticated militias or organizations, and it looks more like ordinary cyber attacks. Most attacks by unsophisticated organizations are short-sighted, smaller attacks that occur in developing countries, either for military gain or to steal private research and development (R&D). In both cyberwars, the methods of attack vary greatly depending on the interests of nations.
“There are two different wars when you talk about cyber warfare. There is the one going on for years that's between the United States, Israel, Russia, China, and Iran. That war is ongoing every minute of every day, though we don't really notice it aside from some headlines. The other one that comes from extremist groups isn't necessarily cyber warfare... It's more about attacks in the field of cybersecurity. It will be more about trying to attack certain accounts or the reputation of an individual. This is more about leaks or theft, access to certain information rather than the classic type of attack." -St-Pierre, 2020
Less sophisticated cyber attacks usually target business or government infrastructure. They become a greater threat when some actors become involved in proxy wars for larger nations. Other extreme examples are cyber attacks used in civil wars, or in areas under the oppression of an extremist organization. In conflict zones, cyber warfare offers the advantage of hitting vulnerabilities while hiding the attacker's identity, which is useful for saving face in political structures.
Cyber Attacks in Proxy Wars
Countries that are vulnerable to proxy wars or terrorist organizations would use cyber tactics both to attack and to conceal their own identity if they were to become deeply involved. St-Pierre comments, “There are so many cases and it’s all about the proxies. I mentioned Iran but Saudi Arabia and Iran in Yemen, everyone gets involved so it’s not just the proxies on the ground but also the proxies online, or the proxies as lobbyists. So if there's a way you can conduct or put pressure on an opponent while looking as though you’re not involved, - that’s the best way to go.”
However, St-Pierre described most of these online hitmen as small threats, mainly interested in wire transfers and money. Their motivation is usually driven by self-interest, which creates a lack of allegiance to any certain group or ideology. Therefore, their acts of cyber warfare typically cause short-term damage and don't achieve the profound long-term destruction seen in more sophisticated militia attacks. As an example, St-Pierre explains, “Northern or West Africa (Sahel, Nigeria) have a lot of incidents where it (cyber warfare) involves money, wire transfers or certain spending or the shutdown of critical infrastructure. What we’ve learned over the years is that hacker collectives are not one group. They do it to be paid or for kicks very often. So in terms of allegiance, they will go from whoever pays best and whatever fits their interests.”
MOSECON typically stays uninvolved in smaller attacks and small scandals unless the hitmen become involved with, or are hired by, a terrorist or extremist organization. “This is where it involves us because this becomes another threat against governments in terms of terrorism. We’ve had cases where there’s a power grid that's being shut down, or working in areas with a lot of refineries, or just areas where some individuals are targeted then suddenly all electronic devices are without signal in a specific area.” Power outages are an often overlooked threat in cyber attacks, as they limit communication between other parties, leaving areas isolated and susceptible to attacks.
Cybersecurity for R&D
The other cybersecurity threat, outside of powerful militias, is less concerned with cyber warfare. Instead, the main concern is protection against the theft of technology or development plans. Currently, bigger cities in less developed countries are undergoing massive economic growth predicted to transform the global market, particularly in both Africa and Southeast Asia. In this development, private company data or development plans can be hacked and stolen by foreign companies who wish to maintain a higher power. These hacker countries then create a patent in their own country, only to resell the development plans back to the original countries they stole from. “In Africa, data protection isn't much of an issue. However, the need to use data to build businesses in essentially remote areas is essential because the digitalization in these countries will be a large boom,” St-Pierre says. “So it's less about personal data protection rather than being able to protect the use of the technology that they develop.” One could compare the rush to protect R&D or development plans to preventing the threat of a third wave of colonization. Cybersecurity for R&D and industry plans prevents countries that are dominant in trade from trapping developing areas into dependence for their own data and their own plans for growth. The new scramble will be for data and R&D, which means developing cities must take new measures in cybersecurity to protect their progress before someone else steals the idea.
Private and Public Sector
It's difficult to say which is more vulnerable to developing cyber attacks, the private or the public sector. St-Pierre suggests that although different sectors remain equally vulnerable, the public sector (governments) may find it difficult because its adjustment to cyber attacks must take more bureaucratic steps. “The battle for R&D plays a role but in governments - bureaucracy creates a lot of hurdles for it to be applied properly, so they're always a step behind.” However, this concern still remains minuscule compared to the main cyber warfare attacks between countries such as China, the US, Russia, North Korea, and Iran. In comparison, sophisticated cyber militias are much better prepared all around for such attacks.
In comparison to smaller cyber wars, the other cyberwar is the ongoing phenomenon of attacks between more developed militias, such as the US, Russia, China, Iran, and Israel. Governmental or industrial espionage operations hack systems to de-power infrastructure that is critical to societies, such as power grids, banks, or energy facilities. This was done in a malware attack that made cyberwars a global concern. In 2010, the US and Israeli governments allegedly used a redefined piece of malware, a worm called the Stuxnet Virus, to hack into Iran’s nuclear facilities. Another famous case is the data breach from Wikileaks. Wikileaks is an organization and website that published thousands of documents regarding classified US government information to the public. Leaked information included CIA methods for hacking into phones and devices, over 250,000 classified US embassy cables, and disclosed information on the wars in Afghanistan and Iraq.
The general attitude that large nations have with offensive cyber warfare tactics is to get away with it and assume no responsibility unless proven guilty. This new level of weaponry creates opportunities for military powers to flex militia power and cyber power over other nations without facing automatic repercussions, as long as the identity of the attacker remains anonymous.
The New War on Data
Within these governments, the lives of everyday citizens may seem relatively unaffected, except in the case of an industrial power outage. But harmful cyber attacks are not limited to industrial system hacks or ransomware attacks. The new growing concern is the information people put out every day in their daily lives, which is data. Data has not yet been classified as a threat or weapon, but it's already being harvested and traded between companies. Data drives everything, including every business decision, which is why it's so valuable. However, there have now been cases of companies and political figures targeting personal information to create and implement content that stimulates behavior modification. The famous case of data being used as a political tool was uncovered with Cambridge Analytica. When speaking about the weaponization of personal information, St-Pierre shares his concerns, "The last five years have clearly demonstrated how -like with Cambridge Analytica and other companies- how they influence how people vote. So there already is a weaponization with that information. But can you reach through that data, can you whip up support for conscription or drafts for certain causes that could lead to war? We know how to target certain groups, so weaponization is there."
User Consent? Targeting Citizens Based on Data
International scandals such as Cambridge Analytica have unveiled the untapped potential of harvesting user data for companies and political campaigns. Targeting users based on data is not fully considered a cyber threat, but citizens are victims of their information being harvested and traded without consent. It raises questions about how the new market of data science infringes on human rights and privacy, as the individual way of life and behavior is increasingly easy to target, hack, and attack. St-Pierre says, “If you want to start an uprising in a certain area of the world and have these messages targeting specific groups, and the information is set up in a way that all these people only need a trigger they can react to, then you can start something else. It is massive the weaponization of that type of data.”
Future of Cybersecurity
The international community has struggled to keep up with the rapid pace of internet developments. Now international law must create a common foreign policy on personal data. St-Pierre says, “The biggest issue is having the common standard and common policy. The technological gap between - NATO countries- is so big that it’s hard to have a harmonized policy.” Cybersecurity is one of the fastest growing careers, as it meets new security demands to combat threats. While governments struggle to find a common policy, data rights jobs are in high demand. According to the most recent LinkedIn Emerging Jobs report, cybersecurity jobs have had a 30% annual increase in job demand in 2020. Other jobs that made the list were in the same sector, including AI specialists and data and cloud engineers.
Solutions in Policy
Still, the real question is how countries will react to new policies based on data privacy. Sovereign data rights in cybersecurity should be addressed differently between nations because of the different political or economic interests that will fuel cyberattacks or warfare. St-Pierre says one of the main concerns is how the difference in data rights protection will affect already existing security agreements. He uses the recent GDPR law as an example of the shifting relationship between the EU's view on data policies. “If the US feels that their partners aren’t in a position to protect American interests, then they will put pressure on the EU. For 50 or 70 years the EU has depended on the US for defense and security in Europe. That has created both complacency and laziness. How do you catch up to someone already so advanced? How would Europe deal with the Chinese and the Russians without the US security backup?”
New sovereign data rights will establish users' ownership of their data, without infringement from other companies obtaining this sort of information. Middle grounds such as blockchain and GDPR laws are great incentives to decentralize traditional methods of obtaining personal data. Such innovations can keep future cyberwars from weaponizing data to extreme levels. In a future where sovereign data rights are a priority to both governments and users alike, policies can be put in place alongside innovations so that users can feel secure while navigating the interconnected world.
Erin: You have been working in counterterrorism for the past 25 years. What was it like experiencing the growing threat of cyber warfare within counterterrorism and security. When exactly did this become a mainstream issue in security? How has it influenced the focus of your business structure 20 years ago versus now?
Yan St-Pierre: "Well obviously, once the internet became mainstream. I would say the biggest jump was when smartphones hit the market, because being on a desktop or computer felt very different, (cyber wars) felt more about something out of a movie. But when smartphones came in, it became more personal and became more of a priority and started to affect people more personally. Then obviously the issues around Iran and the support of terrorism, this is where the idea of a possible cyberterrorism attack really emerged. All the more after 2014, when the idea of a cyber caliphate emerged and became a bigger priority. But for us (at MOSECON) it’s more about a global and multifaceted strategy than mere cybersecurity per se."
So would the more part within the storage is within your communications? That's online? Then you have someone working in cyber security in this branch?
"Yeah, someone that sets it and makes sure it remains encrypted. But even then you try to use as many buffers as possible to make sure that the information is secure. It’s not about fraud or anything, it's about making sure the information stays as confidential as possible, especially when we work with heads of state or governments. We want to make sure that it doesn't leak."
Can you provide a specific example of how you have changed your tactics with cybersecurity? Has that been something that has been an increasing concern for your work?
“Unfortunately I cannot mention specific cases. We do have some, but I won’t mention them.
What I can say is that certain areas, like Northern or West Africa (Sahel, Nigeria), have a lot of incidents where it (cyber warfare) involves money, wire transfers or certain spending or the shutdown of critical infrastructure. What we’ve learned over the years is that hacker collectives are not one group. They do it to be paid or for kicks very often. So in terms of allegiance, they will go from whoever pays best and whatever fits their interests. This is where it involves us because we see them working sometimes with different terrorist organizations or groups. This becomes another threat against governments in terms of terrorism. We’ve had cases where there’s a power grid that's being shut down, or working in areas with a lot of refineries, or just areas where some individuals are targeted then suddenly all electronic devices are without signal in a specific area.”
So in the case of Northern Africa, do you think those most vulnerable are the private companies or governments?
"All of them are on the same level because the vulnerabilities remain the same. It depends on how serious you take them. You could say in some respect, governments are actually more vulnerable than the private sector because the private sector directly relates the loss. So this means loss of reputation, loss of finances and resources. One of the biggest concerns within the private sector may be security for R&D (Research and Development). For example, countries like China may try to hack their research to get patents and have them registered in China, then these companies lose their innovations. So the battle about R&D plays a role. In governments - bureaucracy creates a lot of hurdles for it (cybersecurity) to be applied properly, so they're always a step behind. However it's very specific areas within governments that are targeted which allows them to better prepare. So obviously defense and security sectors will be better prepared than the education sector. Healthcare is better prepared because hospitals are critical infrastructures. So this vision helps governments to compensate on many different levels (for bureaucracy). But the threat level actually remains the same."
"The loss is immediate (for private companies), but you can act right away. If you know you have an issue that could lead to loss of clients or whatever, it will be worked on. Some countries are more aware, Germany is not one of them. The so called "der Mittelstand" (middle class) companies are very reckless when it comes to cyber security. But in the US or the UK it's a bigger issue compared to France, Germany or Holland. It changes per country."
Have you seen the rise of cyber warfare also not just between nations but within extremist organizations or general conflict zones? Have you seen cases of this? If so how has it developed?
"There are two different ones when you talk about cyber warfare. There is the one going on for years that's between the United States, Israel, Russia, China and Iran. That war is ongoing every minute of every day. Most people don't really notice it, aside from some headlines. The other one that comes from extremists isn't necessarily cyber warfare. It's more in the field of cyber security because yes it's cheap and easy, but the application is difficult. Trying to target a power grid or something specific to control. There are lots of YouTube videos where you can see this. But it’s not that easy because people are aware of such attacks. So, it will be more about trying to attack certain accounts or the reputation of certain individuals. This is more about leaks, access to certain information rather than a classic type of attack. This is more about accessing information and how you manage it. I guess this is what the so-called cyber caliphate where other organizations link themselves to Al-Qaeda or other organizations. They will go for very specific elements, and bring something into the light that creates damage. Or it may be about theft. But the full out cyberwars are the ones going on between the US, Israel, Iran, China, and Russia."
So you think cyber warfare isn't very present within extremist organizations?
"It’s the same thing with chemical and nuclear warfare. There’s a desire and race for it. But between the idea and application, the gap is still too big. This is where organizations hire some hackers to do work. Oftentimes they’re very unreliable... These aren’t specialists that are dedicated and loyal to the cause. You're essentially working with guns for hire. So there is a degree of unpredictability and it’s always very short term, so you can't prepare something big. There is damage but it's low range and under short circumstances. So the desire is there but it's not yet possible to apply fully yet. Just look at all the difficulties the Russian cyber services have had the last few years. Every time there’s been a major attack or they’ve tried to do something it messed up somehow. The anonymity you were referring to isn't really there. A lot of the attempts have backfired because it's hard to apply. If you rely on people that do this as a hobby (for hire hackers) then you end up with slightly larger issues."
And you think that applies for different conflict zones? Not just extremist organizations?
"Absolutely. The interest has to be there. Just because it's a conflict zone there's a need for cyber aspect to be targeted. Sometimes it's just more basic stuff. If you take Northeast Nigeria and the cyber involvement with the Lake Chad region, the involvement is about destroying communications towers, limiting communications, or making sure communications between parties is not intercepted. Also the so-called ‘fanboys’ of these extremist organizations talk so much online they are easy to track."
So, you'd say there's not really a defense mechanism because it is so sporadic?
"There is one, but it's not really applied. You know there is the capacity to conduct a cyber strike, somehow. But because the threats aren't very understood or because of current contexts, it hasn't become a priority. So they know about it, but they aren't aware of it to the point of acting on it - which translates into not having a policy or defense mechanism if you know that you have one."
What would be the criteria for you to give different governments or companies policy and security advice?
"That's a daily question. It’s about making the decision-makers - be it with governments or companies - understand the short term issue. Because if it doesn't affect the short term issue we can talk about long term issues as long as you want. Nobody’s interested."
You spoke of different propaganda strategies and countries with loopholes they had supporting extremist organizations such as the Muslim Brotherhood. Is there ever some sort of relationship between governments and extremist organizations to hire them as hitmen to make cyber threats?
"Yes, there are so many cases and it’s all about the proxies. I mentioned Iran but Saudi Arabia and Iran in Yemen, everyone gets involved so it's not just the proxies on the ground but also the proxies online, or the proxies as lobbyists. So if there's a way you can conduct or put pressure on an opponent while looking as though you are not involved, - that's the best way to go. This is where the use of cyber teams or personnel comes into play. Some countries are more direct, the larger militia the larger the cyber command."
How does defense for cyber warfare vary from NGO, governments, private organizations? Such as resistance movements and government cyber terrorism or opposing militias such as in Latin America and the Middle East.
"Unless NGOs are seen as an opponent -and that happens rarely- it’s usually private sectors or governments. NGOs would be threatened depending on the work they do. Is it an NGO or a protest movement? If someone sees them as a protest movement then they're vulnerable to attacks from the far right and other aspects. If you see them as an NGO just trying to do simple work they sort of fall off the grid. Greenpeace is an example of this. But typically you can’t make money or use ransomware with NGOs because they have no money."
Now let's talk about how cyber warfare can create a shift in sovereign data policies. Data just surpassed oil in value in 2017. What is the future of cybersecurity threats, in the interconnected world?
"I remember 2004, there was a company out of Atlanta that was mandated to create a 40 page file on every person on the planet. That was in the wake of 9/11 where the mindset of “how do we determine who’s dangerous and who’s not” began. That mentality stayed within security and political circles, only now with capacities that couldn’t be imagined ten or fifteen years ago. This is where the fine line between security and liberty would apply. From a commercial standpoint, citizens themselves need to decide what they want to share on a platform. But if policymakers decide that having access to all that data is important to determine if someone is dangerous or not, it will come down to that criteria. For example, in the United States, it's considered bad if someone has bad credit. Does that mean you're a dangerous person? Not really, but the idea is, “If you have bad credit, maybe you’re vulnerable to fraud or corruption”. It’s really an elaborated mindset, but it's the one that justifies saying that poor credit needs to be included in somebody's profile to qualify as dangerous or not."
How does information stay private between corporations if data information is being sold from company to company? It would seem that private organizations may be easier to hack than militias or governments. What do you think are the defense policies and data rights policies that should be placed to better protect civilians' personal data?
"That is a very US specific case of course, the EU put data protection laws and they are a bit more stringent. Unless the consumers dictate the change, it won’t happen. I think we both know a lot of people would say “I have nothing to hide” or how do you prioritize rights with needs. You know what Amazon is doing with your data isn’t good, but to be able to get a book for your class in three hours because you need it."
But do you actually think Cyber security would actually ever use that cyber warfare and use people's personal data as warfare?
"Absolutely. It's not just about facial recognition. This is what the last five years have clearly demonstrated how -like with Cambridge Analytica, and other companies- influence how people vote. If through that data, can you whip up support for conscription or drafts for certain causes that could lead to war? If you use that data and put it in the context of 2002, 2003 in the USA to try to drum up support for the invasion of Iraq. Can you frame it in a way so that when you see it now day to day with the polarization that we see today is a result of that? We know how to target certain groups, so weaponization is there. If you want to start an uprising in a certain area of the world, and have these messages targeting specific groups, and the information is set up in a way that all these people only need a trigger they can react to, then you can start something else. It is massive - the weaponization of that type of data."
Do you think governments or extremists actively look for that type of data? Or you think behavior modifications are also based on the idea of how predictable demographics are.
"They already do go for the data. The typical Facebook person shares everything. You get to learn every habit, every tendency, expression, so you can build a reliable profile to target people. You know who you can target for fraud, you know who is more vulnerable in their ideas. It’s all about attacking vulnerabilities. Of course governments and organizations will argue otherwise, but they are all tapping into that data. It’s all about the target audience. If that target audience can create insecurity then you use it."
In reports, national security seems to be investing more money and resources into developing more offensive cyber warfare operations rather than defense mechanisms. So now we have a race for cyber warfare tactics. Should governments be investing in more offensive or defensive strategies?
"Depends on your philosophy. The American position has often been “A good offense is the best defense.” Then, there are some viewpoints that are very European that say, “Well, having a fortress, you are safe”. It's about finding a balance. Do you need offensive capabilities as a deterrent? Or do you need them for actual offensive purposes to carry out a text? That frames the security policy."
The USA classified cyber warfare as a terrorist threat that could constitute military retaliation in 2011. Where would the retaliation militia attack be if there are partnerships between nations militia and cybercriminals? Is this the recipe for more war?
"That's a difficult question. The biggest issue is having the common standard and common policy. The technological gap between - just as an example, NATO countries - is so big that it’s hard to have a harmonized policy. All these companies - Facebook, Amazon, Google - are all American companies. So it's okay for the US to say, “If our infrastructure gets attacked, our foreign policy says that we will invade countries.” That infrastructure makes them vulnerable, so they need to have that policy."
Do extremist groups see the new market of data as a power over the government? What could extremist groups potentially do with personal data in different nations?
"In Africa for example, data protection isn't much of an issue. However the need to use data to build business in remote areas is essential because the digital boom in these countries will be large. So it's less about personal data protection and more about being able to protect the use of the technology that they develop."
Are your clients drawn to your firm rather than bigger companies for these reasons?
"One of the reasons we draw so many people as one of our major clients put it - ”We represent nothing.” The fact that a Canadian runs a German company with Germans, Nigerians, and Brits means we don’t represent certain country interests. So we end up in areas where we have that access but don’t represent a threat. Because we don’t represent specific interests, our clients know that whatever advice we give them is designed to save lives and try to limit a conflict as best as possible."