July 21, 2024
The modern financial world exists in cyberspace. A vast amount of assets zip around the internet on a daily basis, existing only on electronic balance sheets. And if, for a moment, you think that only applies to the world of high finance, consider that some reports estimate that in the United States cash payments only account for 12–16% of daily consumer transactions. Alan Cunningham is back to examine how these digital markets are ripe for cyber attacks and why current countermeasures are largely passive and reactive in nature. His recommendation is to get ahead of the bad actors and utilize human intelligence (HUMINT) to proactively seek out and counter these cyber threats. Employing proven HUMINT practices and establishing information sharing networks across governments and industries may be the best bet to minimize the threat of cyber thieves and terrorists to the interconnected world economy.

Cyber threats pose perhaps the greatest threat to financial markets and the economic sector today. Multiple well-regarded firms and organizations in the financial world, from the U.S. Federal Reserve to the Economist Intelligence Unit to Protiviti, all rate cyber threats and attacks as some of the most pressing challenges to the world economy in 2022 and in the near future. 

The financial services company Allianz Global Corporate & Specialty surveyed individuals across firms in the industry—real estate, investment banking, and others—and found that cybercrime and other such attacks were seen as the greatest risks they faced. The company writes, “The COVID-19 pandemic has heightened opportunities for attackers, with new vulnerabilities being exploited by new tools” while an analysis of insurance claims by Allianz showcases that “cyber incidents, including crime, are the top cause of loss for companies, producing the most expensive insurance claims.” Additionally, third-party attacks have increased in prevalence since December 2021, and the Russian invasion of Ukraine and associated global sanctioning of the Russian Federation raised the risk of retaliatory attacks.

Foreign powers and non-state actors alike use cyberattacks because they are effective at disrupting both the global market and the economies of developed nation-states. In response, firms often rely on increasing their information security (INFOSEC) posture to defend themselves from intrusion and attack. But this is merely reactive; more proactive approaches are available based on practices already in use by the law enforcement and intelligence communities.

The problem is that the common measures have relied on approaches used among four of the so-called five disciplines of intelligence: signals, human, geospatial, measurement-and-signature, and open source. But these four rely on the target entity doing something. One must wait for the enemy to send a signal in order to perceive it. This results in a passive, reactive posture. 

The fifth of these disciplines is the most overlooked and is perhaps the oldest method of gathering information on an adversary: human intelligence (HUMINT). 

Veteran intelligence professional Mark Lowenthal defines HUMINT in his book Intelligence: From Secrets to Policy as an intelligence discipline that “largely involves sending clandestine service officers to foreign countries, where they attempt to recruit foreign nationals to spy.” This discipline can be applied in various ways, most notably through “human sources who are able to sit in leadership or inner circle meetings and report on plans and intentions and policy decisions, provides a unique perspective into what a country really wants to do.” The use of HUMINT therefore gets ahead of the target entity’s actions and introduces avenues for more proactive approaches to cyber threats.

But to properly implement HUMINT, one must be incredibly deceptive. Naturally, cyber threat actors are unlikely to share the intricacies of their operations with anyone out of fear of exposing themselves. Consequently, intelligence personnel must disguise themselves as fellow hackers or threat actors to infiltrate the various moderated and unmoderated forums and chat rooms where such threat actors ordinarily gather. Such tactics are similar to how undercover police officers, investigators, and intelligence analysts analyze terrorist groups by monitoring online chatrooms and blogs to gather information on and sometimes manipulate individuals, tactics, and potential attacks. 

Such approaches are not confined to government actors. They are also available to institutions desiring to better protect their clients and their own business lines. Ensuring that one’s own platform is secure before messaging with hackers is key, as it helps one’s participation in these high-risk and clandestine conversations go undetected while discovering the activities of threat actors and mitigating the risk of blowing one’s own cover. Ensuring that the analyst or investigator’s real intentions are hidden is of the utmost importance as, without that, the investigation will go nowhere. 

Eva Prokofiev, a former Israeli military intelligence officer and former cyber intelligence analyst at both Accenture and Deloitte, expanded upon this line of thinking. She writes that the use of avatars is of great importance to cybersecurity strategies because it allows cyber threat analysts to “have an unlimited number of identities and can rapidly create new, assumed identities seamlessly—without requiring the kind of complex operations and extensive resources needed for classic HUMINT.” Doing this allows for additional concealment of one’s identity and better protection of one’s operations. Such avatars can be used in conjunction with one another.

According to David Siman-Tov and Avi Tal, both veterans of Israel’s military and civilian intelligence apparatuses, writing in the journal Military and Strategic Affairs published by the Institute for National Security Policy Studies at Tel Aviv University: 

“Cyber intelligence and Signals Intelligence (SIGINT) provide intelligence for HUMINT for locating and recruiting, accessing and handling, and gaining operational opportunities, in addition to providing an umbrella of security for its activity” and in a cyber setting HUMINT collectors and analysts are able to provide SIGINT analysts with the ability to “intercept and monitor intelligence and gain access to information channels, databases, and end-user equipment that is not provided by the Internet and by the new type of agents”. 

There are advantages to using HUMINT to conduct cyber intelligence gathering, improve cybersecurity, and identify and access new and emerging threats. But it is best for cyber intelligence analysts and others to operate with a national security mindset. Individuals seeking to hold financial institutions for ransom or steal sensitive information are not necessarily attacking individual firms so much as the whole industry within a nation. Therefore, cybersecurity experts should gather information on the threat’s daily operations, tactics, and missions to serve the whole network. 

Using HUMINT in cyber intelligence operations provides analysts with a wealth of information on new threats, individuals, parties, and their operations, which allows for multiple benefits.

First, it allows financial institutions and companies as a whole to anticipate cyber threats and attacks that may come up, in addition to identifying new and emerging threats, frauds, and scams, and better understanding how money laundering acts are created, implemented, and function in process. While this could be understood from an academic standpoint by reading of past money laundering cases and incidents, seeing this in action as described by perpetrators and theoreticians would serve analysts, managers, and directors looking to improve their systems incredibly well.

Second, it enables an additional source of information for inclusion in reports and databases. Having verbal information and testimony directly from individuals who practice this kind of activity on the opposing side allows for a deeper understanding of threat actors’ backgrounds and capabilities, enabling something akin to a psychological profile. While that would help law enforcement more than it would financial institutions, it would provide further information that can help identify whether a threat actor is working in concert with an organized group of hackers for a foreign power or is working individually.

By engaging with a more militarized national security methodology to better halt risk, internally protect software and hardware, and engage with international industries, the financial sector can improve its operations and overall be able to better protect against cyber intrusions and attacks and mitigate risk.

Alan Cunningham is a PhD student at the University of Birmingham’s Department of History in the United Kingdom. He holds an MA in International Relations from Norwich University and a BA and BS from the University of Texas at Austin.

The views expressed in this article are those of the author and do not necessarily reflect those of any of the author’s affiliations, including educational institutions, past and present employers, or volunteer associations, the U.S. Army War College, the U.S. Army, or the Department of Defense.

Photo Credit: Image by GarryKillian on Freepik


  1. I’d propose that a more active risk management framework is already in the works across industry in response to these threats. I think we will see active penetration testing written into the code, which will itself include much stronger cryptography and security measures. I am interested to see how or if a quantum “firewall” will become a thing to protect more valuable digital assets.
