Times change and bring about knowledge and understanding that affect perceptions. Changes in perceptions leads to changes of behaviors in individuals, nation states, special interest groups and society. The most notable change that the cyber world introduces, is a collapse of trust.
The contents of this study explores whether human behaviors and social norms are carried forward to a novel domain such as cyberspace. Even though cyberspace may not be new to the X or Y generation, it is now for the first time in human history, an additional space that an entirely new generation Z is born into. With a new generation, many of whom have been exposed to a considerable amount of time playing simulated computer war games, are entering adulthood where real strategies and actions have real consequences. One must wonder how this incubation in cyberspace will affect behaviors in space-time. The scope of this review is focused on the psychological, social and behavioral consequences that cyberspace and cyber-security bring about.
A common thread in the literature is that Cyber-security is so novel that reliable, complete, accurate and adequate research is not only hard to find, but raises the question of whether a sufficient amount of people are capable of conducting research on this complex and esoteric topic. A second cause for concern is that research is limited to a Western governance perspective , which introduces bias, ironically a preferred method used to deceive victims in cyberspace.
The only group that undoubtedly have an abundant source of information on cyber-security are the world’s military’s. However due to the nature and sensitivity of this information it is almost never acknowledged or publicly demonstrated, remains classified, and therefore unattainable . This is one of the many faces of cybersecurity that is able to mask its true nature, and is a primary attribution factor. A second feature of cyber-security that is as enigmatic as it is descriptive, is the Internet. Describing and understanding the vastness of the Internet is comparable to that of an infinitely possible set of consequences in the space-time construct.
Several authors have describe the internet as a function of the “Information Revolution” where communications flow without boundaries, from handheld devices to global networks, to cars, to computers, to super computers, and as of 2014 also quantum computers that have the potential to render all cryptological systems obsolete . With the expected growth of mobile phones usage reaching 2 billion in 2015 , there are many affected stakeholders, even when they are unaware of the psychological effects.
Psychological effects of loaded language
One article addresses the need to monitor vocabulary used in “management guru” literature. Quigley, Burns and Stallard warn that special interests groups are using language to influence society when overstating the threat or using tropes to further political or financial interests. It was found by these three psychologists that scientific articles or technical studies refrained from injecting loaded language into the literature, and diverges from media and privately sponsored articles promoting cybersecurity threats to consumers. This is evidence that the body of knowledge in the arcane cyber world is experiencing its own growing pains, while the internet continues to grow exponentially .
Using appropriate language and terms are important for several reasons. The first is that the internet is for the most part information based. This means that messages are moving between actors and recipients within vast cyberspace, and at just short of the speed of light. The messages are consumed by recipients, and passed along by recipients who then in turn become actors. People interpret language in different ways influenced by their background and experiences, geographic location, socioeconomic group, age, gender and affiliations. According to research, humans find it difficult to process false information, and in response find alternative meanings to process the data that they are consuming. Humans are more likely to continue with regular activities when they have no reason to believe that they cannot trust the source of information, but their behaviors change when they feel a suspicion of distrust . Trust is a centerpiece of human relationships and is the focal point of this literature review.
An example of loaded language is found in the article by Jang-Jaccard and Nepal and highlighted in their opening statement “The exponential growth of the Internet interconnections has led to a significant growth of cyber-attack incidents often with disastrous and grievous consequences”. According to Quigley, Burns and Stallard “disastrous consequences” is more appropriate to describe a catastrophe typically associated with a natural disaster, which truly has devastating consequences to human life. Similarly, “grievous consequences” implies that there are mortal dangers to a human life or grave bodily harm, a far fetched idea given that the internet is virtual and information based. Pongani agrees with Quigley, Burns and Stallard that there are very little efforts made to understand the cognitive vulnerabilities associated with cyber-attacks, and virtually no systematic methods employed to evaluate the cognitive, perceptual, and behavioral characteristics of either friendly or adversary forces .
Consideration of human and social factors in a cyber-world
Cyberspace is a hotbed of activity and virtually nobody is excluded from its stakeholder profiles. From the dawn of the information age we have become increasingly dependent on technology. To understand the behavioral consequences of the cyber world, it is necessary to explore the state of mind of several key stakeholders, and the fragility of a virtual network that connects these stakeholders. Technology changes with the times and have a significant impact on how people interact with each other. Technologies have changed dramatically while costs have lowered making it far more accessible.
Individuals and society
Cyber-attacks on individuals can take many forms. Cyber-bullying is when a person is publicly shamed, humiliated or constantly subjected to emotional abuse. These victims can experience severe psychological trauma leading to extreme measures that have previously resulted in suicide or mass violence towards others. The worrisome factor of this type of cyber weapon is that it can be employed in social engineering tactics by a larger adversary with greater aspirations and malicious goals. Cyber weapons are inexpensive and does not require significant resources to be effective . However when organized groups apply even slightly more resources they can execute asymmetric conflict with a great advantage over unsuspecting, well organized groups. In these attacks the element of deterrence disappears because of the anonymity attribution of cyberspace, the difficulty of location determination, and the difficulty of identifying perpetrators altogether . The advantage of anonymity, incentives, and lack of deterrence controls, have a psychological emboldening effect on adversaries, whether individual or groups.
About half of the literature identified youth as a primary stakeholder of adversarial cyber activity and popular Russian cyber-security firm Kaspersky Lab reported in 2008 that over 43,000 malicious files were targeting social media sites . Security Company Symantec interviewed 20,000 people across 24 countries, and 69% reported being the victim of a cyber-attack in their lifetime. Symantec calculated that 14 adults become the victim of a cyber-attacks every second, or more than one million attacks every day. The rest of the literature either focused on military or protective services, and a minority of the reviewed literature identified the elderly as a primary stakeholder.
Social networking is a newer form of internet activity, but is arguably the most popular of all internet activity . Facebook reported 1.44 billion users in the first quarter of 2015 . The Internet phenomena gives rise to new interactive communication strategies where marketing of ideas, including political ones, are a two way consultation making users believe that they are taking part in decision making, even when they are being misled by the communicating party. This method is employed by advertisers, political and special interest groups, and adversaries alike to deceive, confuse, and mislead participants.
With the advent of social networking, where incalculable amounts of personal identifiable information is shared willingly, the self-definition of the individual and how it interacts with the interest of the state is taking on a new dimension . Camp explains in her book reviews that freedom of expression and self-definition, combined with the feeling, but not the reality of anonymity, can change self-conception on a large scale. We have seen firsthand the influence of social behavior change during the Arab Spring where messages were spread via social media in the Middle East and North Africa, toppling the most brutal of regimes.
Social networks are not limited to individuals. Nation states and similar interest groups also form networks that are founded on behavioral values . These relationships are virtual in nature and not constrained by geographic space which changes the field of play for many states that may have been disadvantaged by their geographic location, previous regional or international tensions. Nation states’ social networks are equally vulnerable to, and actively contributing to, a new trend of social behaviors emerging in the Internet age. The use of cyber-bullying tactics to inflict intentional damage is used by individuals and nation states and frequently compared to weapons in traditional kinetic warfare. It is also social networking that gives rise to the behaviors that opposing entities employ to deceive targets.
Most articles identify that the economy and critical infrastructures are dependent on computer networks and information technology . It is therefore not surprising that nation’s states have a vested interest in securing the infrastructures that provide and maintain essential services to its citizens. There is consensus between the authors that infrastructure, including electricity grids and healthcare systems are targets of terrorist, sabotage and information warfare, even when they agree on the risk factor . However this uncertainty in cybersecurity is driving a cyber-race comparable to that during the space race and the Cold War . In the same vein the public sector and critical infrastructure providers rely on network technology form the private sector, and ownership of networks varies across nation states from entirely private to entirely governmental with all possible variations existing across the globe .
Deception as preferred modus operandi
English cosmologist and physicist Stephen Hawking is famously quoted: “I think computer viruses should count as life. I think it says something about human nature that the only form of life we have created so far is purely destructive. We’ve created life in our own image.”
Perhaps an unintended consequence of software development is that engineers can design viral, destructive and rogue code. Malware for example, which was developed initially as an experiment to highlight security vulnerabilities, is now a preferred weapon to attack computers, and used to steal private information such as financial data and user credentials . Government and corporate websites are constantly under attack. Of these, Trojans make up over 60% and simulate, as the name suggests, employs an ancient Greek military strategy. Botnets are programs that are installed unknowingly on a victim’s computer and is capable of creating a distributed network that facilitates illegal activity including distributed denial of service attacks .
Social engineering is perhaps the most recognized modus operandi in cyber space. Social engineering uses deception tactics to maintain regular circumstances while taking advantage of unsuspecting victims. Victims that fall prey to the social engineering attacks experience their social networking accounts turn into vehicles for sending spam to their friends, or the victim’s computer is re-purposed into a Zombie that is controlled remotely . The victim may not realize this and their credibility or reputation is damaged, or that its computer is used in cyber activity. As these tactics become more sophisticated in their efforts to appear as trustworthy users, a collapse of trust in private companies and service providers may morph into distrust of regulators and suspicions of government overall. Trust management and policy integration is not surprisingly an active area of research in the academic cyber community .
Trust is the common theme in the literature partially because almost all cyber-weapons use deception tactics to achieve its goals. Despite this, statistics shows that an insider threat where a trusted employee, friend, or ally deceives its unsuspecting group members, is still the most effective tactic to gain access to information resources . Whether friendly or adversarial, cyber weapons are evolve through time capitalizing on new approaches and can easily modify existing malware signatures to exploit existing technologies .
Social consequences of cyber-security
The Internet has many dark faces. Despite this characteristic, the anonymous nature of the Internet is also the root cause of the social phenomenon that has changed how human beings communicate, how emergencies are handled, and military’s operates .
The threat of cyber-security has had an enormous impact on the collective psyche of the actors in the security world. The current discourse is that the Internet architecture has reached a point where it is no longer able to cope with needs and requirements. Instead the internet protocol and routing mechanisms are constrained by compliance policies where algorithmic optimization is no longer possible . There is a desire in the international community to redevelop the internet architecture towards a trustworthy computer base (TBC) where error-correcting code can replace legacy insecure systems and to increase confidently and integrity despite insecure communication channels . This desire to redesign the internet based on a global security design that can respond automatically to “correct errors” or defend against attacks, gives rise to the most concerning consequence of the Internet and related cybersecurity. Those who seek to dominate the Internet in this way, may very well seek to dominate the world. Research identifies that cyber-activity to be “unconstrained by geography and distance” and that it is difficult to identity and prosecute due to anonymous nature of the Internet . This may explain why the United States Department of Defense has indicated in their long term strategy to redevelop the foundations of the Internet altogether. A conclusion made from the literature review point to the psychological nature of human beings who tend to focus on low probability, high consequence events. A symptom of this is visible in the use of loaded language to describe overestimated or overstated threats, comparable to advertising and marketing techniques that inflate benefits or the true value of products. The psychological response to these overstated threats can be as severe as seeking to control the world’s only free information source.
Cyber warfare is defined in the book Cyberwarfare as “actions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption” and correlates with other definitions including “the use of computer networks to disrupt, deny, degrade, or destroy information resident in enemy computers and computer networks, or the computers and networks themselves” . Information warfare is defined as a private person hacking systems for private gain or countries initiating attacks to glean information and damage a country’s infrastructure .
Cyber warfare requires significant amount of expertise and resources to launch a full scale attack and is presumably backed by nation states, such as the military, sponsored contractors, encouraged such as patriotic hackers or tolerated in the case of international crime by a state . The United States, Israel, Iran, China and Russia were referenced most in all of the articles.
The most referenced attack was that of Stuxnet, and there are many usual suspects, but no accountability or prosecution, due to the clandestine nature of cyber warfare . Stuxnet is a clear example of unintended consequences where a disproportionate number of computers in Iran were affected outside of the nuclear facilities, along with a significant number of computers in Pakistan, India, and Indonesia. It is estimated that over 100,000 computers were affected of which 40,000 were outside of Iran . The specific target was equipment made a German manufacturing giant Siemens. These countries are all allies of the United States, one of the prime suspects of the attack.
Several other examples are given in the literature and includes the attack on DOD computer systems, known as “Solar Sunrise,” initially traced to Israel and the United Arab Emirates, believed to be planned by operatives in Iraq. However after an investigation it was concluded to be teenagers in California. Similarly the “Night Dragon,” attack targeted five multinational oil companies and stole gigabytes of highly sensitive commercial information. This attack was traced to an internet address in Beijing, and mostly of Chinese origin. But despite evidence of its origin, it was impossible to conclusively attribute the attack, and Chinese officials claimed they played no role. Several authors referred to a recent cyber-barrage on Estonian parliament, banks, ministries, newspapers and broadcasters, amid the country’s row with Russia about the relocation of an elaborate Soviet-era grave market and war graves . Russia was also singled out for their suspected attacks on Georgia prior to the invasion of this Caucuses nation, yet this and the Estonian attacks remain ambiguous . In 2008, a simulated exercise code-named “cyber storm” was conducted by the Department of Homeland Security leading to a gap analysis and recommendations to strengthen its security controls .
These incidents of defensive and offensive cyber warfare indicate that even when evidence of illegal and destructive activity with political motives exists, and even when a highly likely adversary was identified, that individuals and nations are not willing, or not able, to bring those to justice. Furthermore, it highlights the willingness of governments, individuals and special interest groups to engage in such activities, tolerate others who do to avoid a conflict or interruption of economic benefits, and not pursue legal retribution, public and open dialogue. Instead they choose to continue with covert warfare. This is reminiscent of the espionage age during the Cold War and indicative of power imbalances within the global social order. The perception that Western philosophies, laws, justice, and hard evidence cannot be retrofitted to serve a furtive, elusive, and ever murkier cyber space. Nationalism develops and used to influence or attract individuals who are willing to conduct these activities in service of their country and they consider this a patriotic duty . Anyone that contests this are characterized as traitors as in the case of Julian Assange, Chelsea Manning (born Bradley Manning), and Edward Snowden who have all suffered the wrath of the United States military after exposing illegal cyber activities and serious war crimes.
Apart from the departure of moral principles as a behavioral consequence addressed by Danks and Danks, nepotism within allies also surfaces as countries with similar short term goals use highly destructive weapons, knowing that these weapons are made to reproduce following viral models, and cause maximum damage to networks that are by virtue of design interconnected with networks in neighboring countries. These behaviors are contributing to a power landscape change discussed in Lehmann, Rolfsen and Clark’s article. The authors predict the development of international cyber regimes comparable to the power hungry regimes of the last century. Covert operations by nation states generate enormous suspicion among allies and foes at macro level, and individuals and their friends at micro level, and between special interest groups who seek to expose the truth. This suspicion of each other leads to an anxiety giving rise to a new and emerging form of conflict in cyberspace .
Cyber-warfare is considered “non-obvious” warfare where “the identity of the warring side and even the very fact of warfare are completely ambiguous” . A lack of accountability and secrecy is becoming the rule of thumb in cyberspace, and is not characteristics that one ascribes to Western philosophies. Yet Western nations seems to be most actively involved as they were in chemical, biological and atomic weapons in the past. One may draw the conclusion that the Cold War was interrupted only slightly after the fall of the Soviet Union, and has since regained momentum as a result of technological advancement and a massive power gap that information technology has revealed.
Further on the topic of departure from the principles of law and justice, weapons in cyber warfare need to be designed with specific consideration of future uncertainties, whether defensive or offensive. All historical weapons, whether biological, kinetic, atomic or chemical were designed for use in attacks or defenses against an adversary. However in cyberspace “defense” and “offense” is not well defined, and by virtue of the vehicle that deploys these weapons, they are automatically triggered in future hypothetical scenarios. Given that there is a significant amount of psychological research on individual’s prediction bias to suggest humans do not maintain the positions that they predict they would have, when the time comes around to take action in the face of uncertainty . This psychological bias affects one’s endorsement of predicted behaviors during unfamiliar circumstances brought on by crisis. The question begs then if our cyber weapons and their trigger conditions can withstand such bias when they are automatically invoked. In particular when such attacks or defenses would last mere minutes having long term consequences. Because of the connectivity attribute of the Internet, consequences span further than intentional network and infrastructure damage, and includes unintended damage to social cohesiveness within that network, as well as anxiety and suspicion among allies, governments and individuals.
Previous research suggested that groups of actors within a network become polarized when influenced by patterns of social relations . This means that social networks change as actors within the group changes perceptions or relations with other actors. These relationships are either developed within a geographical region, or by mutual interest. Suspicions of each other’s intentions or relationships with other actors influence the network balance, leading to opposing views that are typically dominated by a few heavyweights and those that benefit from their relationships to the dominating actors .
The moral implications of cyber warfare
Danks and Danks explain that there is no moral precedent for cyber weapons, particularly those that are triggered automatically. Nor are there any treaties, controls, physical or virtual policy countermeasures similar to those developed after the Cold War when U.S., Soviet Union, U.K., France, Iraq and South Africa experimented with biological weapons . The open questions are if automated responses to combat cyber-attacks constitute an act of war in itself, or may serve to escalate an attack to a full scale war, whether cyber or kinetic . They crux of the issue is whether individuals or countries can be held accountable for decisions made when developing a counter attack strategy using the cyber weapons discussed earlier, and especially if these were designed to trigger automatically, and in defense of a suspected cyber-attack. The psychosomatic responses of affected stakeholders during an automated response, including those with extraordinary power such as the military and executive branch or government, are being questioned given that these are not publicly disclosed or debated. Danks and Danks ask if it is “ethically permissible” to conceive, create, and maintain cyber arsenals consisting of the same tools and techniques that its adversaries use to conduct illegal cyber-activities. The authors are primarily concerned about human “(in)ability” (sic) to accurately predict and maintain their own future reactions in a crisis .
It is not news that the Internet has changed our connectivity, our preferred methods of communication, and our perceptions of privacy. We have shortened our sentences, our words, created new forms of human expression, and altered our perceptions of our friends, our enemies, our citizens and ourselves. It is therefore also not surprising that the Internet and the threat of cyber viruses have had a psychological effect on our leaders. In several of the papers a rise of cyber powers are discussed and often compared with power struggles of the past century. The authors agree with other articles that a cyber-war is inevitable, and there is a common evaluation in several papers that the cutting edge weapons developed in the information age compares with biological weapons chemical weapons used in World War I , atomic weapons of World War II and probably more closely with the covert tactics and treaties of the Cold War . Danks and Danks consider this comparison from an ethical perspective and question whether any weapon of war that have the capability to damage infrastructure outside of the intended adversary target network, is ethically permissible. They argue that an automated response to a cyber-attack may trigger a series of responses from both sides that may have far reaching consequences because cyber weapons can attach itself to any host in any affected network, including hospitals, air and road traffic systems, critical infrastructure, private company networks, and even individuals.
People have always been afraid of what they do not understand. This uncertainty may lead to assumptions that result in overestimated consequences in a risk assessment. This article finds that human beings are not able to accurately predict their own behaviors in future scenarios, in particular during a crisis. Consequently, decisions taken based on these overestimated consequences may raise questions of morality and accountability, especially in the case of automated security defenses as discussed in this article. Automated defenses as a counter attack, occurs without confirmation or investigation of the adversary, can spread to 100’s of million computers anywhere in the world, and destroy infrastructure of innocent victims.
Many believe that a nation state sponsored, adversarial cyber-war has been raging for decades. In the literature review, the threat of such warfare is described as having the “most devastating consequences” for which there should be a “most swift and decisive action”. This reaction invokes the most concerning discourse by stakeholders which is to treat cyber warfare as a national security issue that is not open for public debate or even disclosure; a serious departure from Western democratic philosophy.
A new social consequence of cyberspace is the formation of independent actors in social networks with no affinity for any nation state or known political cause. These groups behave like mercenaries and pirates of cyberspace. These groups share the common interest that they perceive to be philanthropic, to serve social justice, or vigilantism when it is perceived that justice was not served by the authorities. For these reasons it may be necessary to re-frame the cyber-security discourse and allow access to information so that independent, scientific research can be conducted. Trust, collaboration and co-creation of new Internet policies can replace suspicion, secrecy, and deception in the current cyber climate.