Cyber Competition and Nonstate Actors in a Data-Rich World

Editor’s Note: This is an excerpt from “Policy Roundtable: Cyber Conflict as an Intelligence Contest” from our sister publication, the Texas National Security Review. Be sure to check out the full roundtable.

Last year I got a parking ticket for lingering too long in a limited zone. Parking tickets are not sufficient reason to declare war on a city’s thinly veiled vehicular taxation scheme for the absentminded. And yet I wanted to.

So instead of dutifully filling out the online payment form, I started searching for ways to make my payment submission equally tedious and arbitrary. I envisioned mailing $60 worth of pennies originally intended for the Coinstar. But I was stymied: They’d hidden the physical mailing address on their website.

What they failed to hide, however, was just about everything else. After clicking around, I discovered unfettered access to all the other tickets issued through the city’s online payment system, complete with time, date, car data, and the name of the parking enforcement officer who issued each ticket. Technically, parking tickets are public data. But these weren’t just a few lines of data: They were photographs of everyone’s cars, value of the tickets, license plates — anything a person would need to conduct open-source intelligence on the ticketed and ticketers alike.

If intelligence competitions are about “intel” — data, information, and the knowledge one can glean from it — then cyber actions, as agreed upon by this roundtable of thinkers, are decidedly an intelligence competition. What no one has argued thus far, however, is how this competition is just as much about nonstate actors as it is about states. States are not the primary agents in cyberspace. Nor are they the primary players conducting intelligence competitions within the cyber domain. That domain is a collective space in which tech firms, individuals, informal group hacking collectives, and citizen-led counter surveillance organizations coexist, confound, conflict, and collide to the detriment of all.

The internet is a sociotechnical construction — part machine, part human, part cat meme. It is an ever-churning, belching, and expanding mass of connectivity, data-capable devices, data-collecting devices, and data storage devices. It extends from my back pocket to your refrigerator, Poughkeepsie’s municipal parking ticket database, the president’s iPhone, and a PlayStation 4 streaming on Twitch. The cyber competition between states debated by my colleagues is a subcomponent of a melee-style grindhouse where nonstate actors complicate the capacity of states to dominate cyber interactions.

My colleagues acknowledge the importance of nonstate actors in cyberspace. Jon Lindsay argues that the nonstate world influences and also emulates the elements occurring in state-on-state intelligence interactions. Joshua Rovner’s five elements of an intelligence contest needn’t necessarily be constrained to states: They contain generalizable reasoning for analyzing adversarial behavior. Rovner really only narrows the scope when he defines an intelligence contest as “part of an open-ended competition among rival states.” Even Michael P. Fischerkeller and Richard J. Harknett do not deny the agency of nonstate actors in their interpretation of persistent engagement.

It is only Michael Warner — the historian — who declares allegiance to the unique status of states by defining  intelligence as a “sovereign” affair, noting “that intelligence is that set of activities, when we consider strategic purposes, that is both secret and sovereign.” Sovereign, in Warner’s sense and in most security research contexts, is the state.

My intent is to play on a second meaning of sovereign — as one who is not subject to a ruler. Scholarship on cyber competitions between states is often analytically hide-bound to the traditional elements security scholars are accustomed to looking at. We are driving with the rearview mirror. According to Lindsay, we may accidentally be learning “more about the institutional context of intelligence and cyber security in the United States than the intrinsic definition of either one.” I will aim to keep us pressed up firmly against the windshield, a few millimeters from the world, as our empirical cases comes at us like tiny gnats hitting the glass. In doing so, I will refuse my colleagues the benefit of the mirrors and the rear window for just these few pages because these are my pages, and herein I will play — like a crazed Paul Feyerabend — because it is my right.

I will drag this conversation downward, away from the rarified air of international relations theories, codified practices of spy craft, and historical referents that emphasize either state power or state intelligence systems. Instead, I will point to three general truths (though there are likely many more) that confound the usefulness of giving states analytic primacy in the intelligence competition in cyberspace. These truths are: the proliferation of data-generating consumer electronics and services; the proliferation of tools that enable capture, analysis, and use of data; and the inevitable clash of competing interests for all that data.

Connecting Cheap = Data Rich

The state monopoly in targeted and mass data collection is over. For at least three decades, and perhaps longer, the sophisticated tools necessary to surveil targets and analyze mass data have proliferated in the public sphere, often disguised as consumer services and products: Amazon Alexa, Nest, Wi-Fi-enabled Barbie, Keurig coffee makers, and anything that has a radiofrequency identification chip in it.

The global appetite for connecting ourselves and our objects has produced vast swaths of data that make it easy to track, trace, and understand others as targets and at scale. Connective devices present a simple trade-off: Pay less now, and give up your data in exchange. Happily we connect, sending our data zooming out into who knows where, stored however, and kept for … hard to say, really. And, yes, the NSA and associated Five Eyes countries have pathways into these data troves, but let’s be clear about the nature of this relationship: Governments are negotiating and breaking in behind the scenes. They are not the owners or managers of this data.

Independent Researchers = NSA Exquisite Tools? Nah, I’m Good …

While the United States and its allied intelligence agencies certainly hold the premier tools and access to sensitive or valuable data, exquisite tools aren’t necessary for cyber competition. With all this data flying around, all it takes is an enterprising coder to access and organize it. In the 21st century, government data leaks tend to come in two flavors: leakers tapping into the existing streams of government data — the Edward Snowden types — and researchers finding openly available data on the internet and innocently pointing to it. Individuals and small teams can aggregate masses of data by leveraging cheap tools and moderate expertise.

While the first is a matter of government employee management and malice, the second is a fact of the new era and is both legal and often fabulously political. Military bases suddenly became findable via heat maps of Strava fitness tracker data. Industrial control systems of faraway places are findable via the search engine Shodan. These systems are more than simply findable; they’re also manipulatable, as hacker Dan Tentler discovered — his work on Shodan revealed traffic control systems, ice rinks in Denmark, and a French hydroelectric plant that he could manipulate from his desktop. If fitness trackers and industrial control systems are too rich for your technical expertise, don’t worry — there’s an app you can download to spy on people’s cell phone locations. Yes, that includes the iPhone, for all you Android haters out there. There’s actually a competitive market for free spyware, just as long as you offer up more data.

Spaghetti Politics

Spying is everyone’s game now. It is effectively the intelligence version of Audrey Kurth Cronin’s “use of force” argument in Power to the People. Cronin argues that militaries prefer that the diffusion of military capabilities be kept under their control. But sometimes social change and adoption overtakes the state’s ability to maintain that monopoly — the democratization of violence, as it were.

Cyber and intelligence is particularly befuddling because of its spaghetti nature — interconnected, overlapping, and messy. While states would prefer it be left to geographic boundaries, the interests of businesses, individuals, and governments don’t align consistently, or predictably, with national borders. Some telecommunications firms cooperate with states while others don’t. Some electronics manufacturers privilege consumer privacy. Others do not. Hacking collectives like Anonymous wax and wane in their political views every four or five operations. If the lines of effort were distinct in some way, then states could compete with one another while everybody else could play their own game. But lines of effort are not that clear-cut. All of Rovner’s five elements of an intelligence competition occur inelegantly, confoundingly, on top of one another, throughout the broader context of the greater global competition for data.

In 2018, as Amazon negotiated with the Pentagon on a contract for its JEDI cloud software, WikiLeaks published a global map and a 20-page internal memo of the company’s Web Services operating facilities and data colocation sites. In short, WikiLeaks doxed Amazon. While it was unclear who leaked the information, WikiLeaks had been in a standoff with Amazon and other global data management companies for years. The situation was problematic for Amazon, which would have preferred those sites go unnamed; for the Defense Department, which was in the process of finding a cloud management system; and for anyone whose data may be stored in those highly sensitive sites, which (given Amazon’s profile in data storage) could include large portions of the global population. The conflict is cross-cutting and extremely political, and it created political blowback at every level. To be clear, it isn’t just states that are actively trying (covertly or openly) to shut down WikiLeaks’ capacity to publish data. The standoff here is a triad between the state, data center managers who hold all sorts of secrets — legal, financial, military, and political — and WikiLeaks’s own survival. WikiLeaks is pursuing its own political agenda collecting, analyzing, and using intel to (in Rovner’s words) “to undermine adversary morale, institutions, and alliances.”

These aren’t rare cases. Data the Defense Department would consider highly sensitive (and would likely classify) is readily collectable and analyzable. A new study of the novel coronavirus has emerged from an organization called Govini, which specializes in data science analysis for national-level problems. The report and the publicly available map titled COVID-19 Impacts on the Department of Defense illustrates COVID-19 outbreaks across the United States and identifies which U.S. military bases are at risk, utilizing bullet points for readiness, power projection, and modernization. The caption under the map reads:

Govini used its decision science and machine learning platform to analyze COVID-19 infection growth rates, medical facilities, contractors, defense supply chains, place of performance, and military installations to provide this prognostic view. The map highlights in red those areas where companies in the Defense Industrial Base are particularly vulnerable to COVID-19. For more information contact info@govini.com.

A few things to note. First, it is highly unlikely that this sort of analysis would have been conducted so quickly by any agency within the Defense Department. Second, even if this sort of analysis was eventually done inside the Defense Department, the classification levels associated with this kind of heat map would ensure that almost no one within the department would be able to read it or distribute it (particularly under current conditions, where most civilian staff telework due to the novel coronavirus and lack access to secure email and the browser network system). But more importantly, the competitive business environment among data analysis agencies selling their wares to the Defense Department involves getting noticed and getting contracts before other analysis firms. The primary way to do this is to publish reports and analysis publicly, even if it makes the Defense Department nervous.

The private sector is faster, less constrained, and more agile with these tools of mass analysis. It is unclear how the Defense Department can keep up.

Your Coffee Maker Is Spying Too

Let’s consider the firms that are producing internet-enabled technologies for mass consumption. In 1998, Keurig (owned by Keurig Dr. Pepper) began producing coffee pods and brewers. Four years ago, I bought a base model Keurig with almost no functionality — the cheapest possible one — for approximately $50. When you turn the machine over, you will notice an internet port. There is no current function for this port. However, Keurig designed these ports into their coffee makers in anticipation of future market developments. Rather than remold the machine or provide new production specifications for that port, Keurig opted to design it into the machine in order to ensure future capabilities should they emerge.

Perhaps this example is too cute by half. Or perhaps it is an example of a firm thinking strategically and emplacing data collection capabilities to ensure future competitiveness. While it is definitely not (in Rovner’s words) “a campaign to pre-position assets for future collection in the event of a conflict,” it is a case of a pre-positioning that consumers generally cannot detect.

This matters in real terms for national security. One of the most disruptive denial of service attacks in history — the Mirai botnet — leveraged tens of thousands of internet-connected devices against the domain name service provider Dyn in October of 2016. The diffusion of Internet of Things devices becomes its own vulnerability, as they are sold cheap and purchased by the millions. Internet of Things attacks can be leveraged by a simple handful of actors and then reused by a whole other set of actors for other purposes. The Mirai botnet wasn’t the first time that code had been leveraged. It had a predecessor: A prior attack had been conducted on a slightly smaller scale (though still 100 times larger than any other in history) on OVH, a cloud computing provider in France in September 2016. The origins of the malware and the OVH attack had nothing to do with states, violent extremist organizations, or even criminal syndicates. The OVH attack was conducted by three U.S. students playing a game called Minecraft. The savvy undergraduates assembled malware that would rock the East Coast and leave intelligence agencies scrambling. That initial piece of malware continues to plague the internet.

For the three students involved, the malware was intended to sabotage other Minecraft hosting sites, causing an increase in traffic and therefore increasing their income collecting from that traffic. It was easily “a contest to disable adversary capabilities through sabotage.” Once that malware was publicly shared, plenty of other malicious actors took up the tool to use it for additional acts of sabotage.

Conclusion: Moving Beyond States

The tools of intelligence competition are available to everyone. The battle space for intelligence competitions grows by the minute. The holders of the tools and the space itself is everyone. Although my colleagues do not define an intelligence competition so narrowly as to consider only state-on-state interactions (they sometimes also consider nonstate actors like the Islamic State), my argument is more than an attempt at distinction without difference. It is a front-end assessment of who holds data, who collects it, who has the capacity to interpret it, and who can leverage effects with it.

Everyone is here together. This is the actual landscape of the competition, within which my colleagues’ state-based analyses are taking place. State-based cyber competition does not hold a monopoly. It is a tiny parcel of larger competition that often uncomfortably intervenes in state efforts to play their spy games.

If cyber competition among states is an intelligence competition, then we must ask, are states the dominant players? Who are the other players? For the purposes of this thought experiment, I answered “no” to the first question, and for the second question, “Just about everyone who wants to be.”

The theoretical development is what comes next. If we are to adhere to Rovner’s five elements, it may make sense to consider who has the greatest competitive advantage in each category. For example, on the part of competitive data collection and analysis, the private sector mega-data management companies hold the trophy. Those firms do not necessarily have adversarial relationships with U.S. adversaries. However, this does not mean that they are neutral. They simply have other kinds of politics and other kinds of adversaries.

Defining cyber competition as an intelligence competition should also make us revisit notions of cyber sovereignty, surveillance, and privacy. Too easily do we sweep this away under the rug of domestic legal considerations or technology policy, leaving it as a matter for advocates rather than academics. But recall again Cronin’s observation that the social context of this technology has surpassed the state’s dominion over it. Retreating to Waltz and parsimony is the wrong idea.

It is unclear to me exactly how to steer this ship. As I said before, there is likely no unified theory that will usefully capture this intelligence competition. The purpose of this piece is to begin a conversation about intelligence, competition, and the boundaries that may have changed in the transition to a newly open fabric of “sousveillance” — where the watched are watched and wait quietly for opportunities to leverage their secrets. As social scientists, we should be cautious that our attempts to bound what is and isn’t the purview of governments doesn’t result in extremely conservative or status quo-seeking policy behavior; nor should they constitute a retreat from the hard-won elements of liberalism that value the individual citizen.

Insofar as we are in a global intelligence competition, our cup runneth over — into everything else. And the recent empirical record bears this out painfully: Snowden, the Shadow Brokers, Manning, Assange, Bellingcat, WikiLeaks, and anything associated with White House leakers. The dynamics we seek to explore, even if they exist only between states, will be at a minimum mediated by all of these additional practitioners of the use and abuse of data and data-enabled devices.

Privileging states is an exercise in both analysis and tool creation. Political science, in particular International Relations theories (big I, big R), tend to privilege the state as its primary unit not only because they are frequently the primary agents of interaction but also because there is applicable policy value in thinking about how states can conduct themselves among one another. Yet cyberspace, no matter how many times we scream “whole of government,” is not owned, operated, or ruled by states. States are not sovereign on the internet, at least when it comes to intelligence competitions. Privileging states in thinking about cyber is folly. It distracts us from resolving hard policy issues by reducing social media’s dysfunctional influence to Russian meddling or major systemic vulnerabilities in data management to Chinese intellectual property theft. It leads to incomplete and hypermilitarized policy solutions that are costly, potentially escalatory, and fundamentally unhelpful to pressing back against the swollen gnat swarm of data-driven devices. Our windshields are peppered with the evidence. Now, somebody turn on the wipers, and let’s get to work.

Dr. Nina Kollars is associate professor of the Strategic and Operational Research Department and a core faculty member in the Cyber & Innovation Policy Institute (CIPI). She holds a Ph.D. in political science from The Ohio State University, a masters in international affairs from the Elliott School at George Washington University, and a bachelors from the College of Saint Benedict/Saint John’s University. Kollars conducts research in cyber security, future warfare concepts, and military technological integration, specifically the methods and networks through which white-hat hackers produce security at the national and global levels. Her forthcoming manuscript leverages more than four years of research in and around the U.S. hacking community. She is a fellow at the Atlantic Council, a former fellow of the Modern War Institute at West Point Military Academy, a research analyst for the Congressional Cyber Solarium Commission, the former viceroy of the D.C.-based Cigars, Scotch, and Strategy, a fellow at the Krulak Center at Marine Corps University, and currently teaches the Gravely Advanced Research Projects Group within the Center for Naval Warfare Studies.

Image: U.S. Air Force (Photo by Tech. Sgt. R.J. Biermann)