Fidelis Cybersecurity
Fidelis Blog


When a Duck Isn’t a Duck: A National Security and Criminal Cyber Battlefield

Recent attacks on Hillary Clinton, CIA Director John Brennan and Department of Homeland Security Secretary Jeh Johnson reveal the conflicting priorities of federal national security and law enforcement agencies. In the private sector, the fallout from the highly publicized JPMorgan Chase breach demonstrated how divisions can erupt when a company and law enforcement clash over how to handle an investigation.

JPMorgan's security staff has deep roots in the Department of Defense and the national security community, and they viewed the breach as a national security issue. The FBI and Secret Service, representing law enforcement, regarded the breach as a traditional criminal matter. The FBI even secured indictments for the breach. As with the recent breaches of high-ranking government officials, both camps are 100% correct.

Having been a police officer and detective for nearly a decade, I understand the theft of information and associated financial gain is definitely a law enforcement issue. But, having spent over a decade working in the DoD space, I also recognize the huge risk to national security that resulted from the JPMorgan breach.

Unfortunately, cybercrime is often viewed with less criticality than a physical crime or attack. I experienced this firsthand when investigating criminal cases. Our computer crime unit was fairly well-funded and equipped compared to some of our peer organizations. But it was always a challenge to get additional equipment or software, not to mention manpower to keep pace with our needs.

Sentencing differed, too. I saw that sentences for a crime that occurred in cyberspace differed substantially from those for a robbery. Of course there are differences between these types of offenses, but even so, a felony should not receive a sentence that would be considered minimal for a misdemeanor.

In the national security arena, law enforcement does not view cyber espionage or cyberattacks in the same light as a kinetic attack. This makes obvious sense for physical attacks where life is lost. And I am sure that the temporal proximity between the attack (the cause) and the inflicted damage (the effect) plays a part in this perception as well. But make no mistake, readers: cyberattacks can result in the loss of life through their effects.

So, to the question: "When is a duck not a duck?" Let's compare a traditional law enforcement issue with a national security issue, both in the form of a physical attack. Take an armed robbery, which is undoubtedly a focus of law enforcement, and compare it to a theoretical terrorist attack, which is clearly a national security focus.

| | Armed Robbery | Terrorist Attack |
|---|---|---|
| Instrumentality | Knife or handgun | Bomb |
| Conspirators | Usually a sole actor | Usually multiple people involved |
| Planning | Opportunistic and little plan | Longer-term coordination with in-depth plan |
| Scope of Victims | Usually one or two | As many as possible |
| Motivation | Financial gain | Political statement or militaristic attack |

It is pretty easy to identify the difference between these two types of attacks. Just as importantly, it is not easy to pivot from conducting an armed robbery to conducting a terrorist attack.

Here is the same comparison for a cyberattack conducted for criminal gain versus one conducted for espionage.

| | Criminal | National Security |
|---|---|---|
| Instrumentality | Computer | Computer |
| Conspirators | Usually multiple people involved | Usually multiple people involved |
| Planning | Longer-term coordination with in-depth plan | Longer-term coordination with in-depth plan |
| Scope of Victims | As many as possible | As many as possible |
| Motivation | Financial gain | Political statement or militaristic attack |

The picture is not as clear in cyberspace. The two attacks follow the same steps and differ only in motivation. This is deceptive, because a criminal event can turn into a national security event in short order.

Looking back at the JPMorgan breach, consider the scenario in which the attackers had changed financial data rather than stealing it. The pivot from one to the other is not a herculean effort, but compromising the data integrity of one of the largest U.S. banks would cause an economic tsunami of people rushing to pull their cash out, risking volatility in the stock market and far-reaching consequences for financial stability. All of this is possible by changing some bytes rather than taking some bytes. This may be seen as a doomsday scenario, but this form of malicious act is a very real possibility.

The same disruptive attack can hit other major industries, including energy, transportation and healthcare. The shift from stealing information to compromising data integrity is not a huge move, yet many security organizations are finding this out too late, when the damage is already done. A security breach may initially look like a duck and quack like a duck, but it may not be a duck.

-Mike Buratowski
