Psychological Attacks in a CyberSecurity Emergency

Disclaimer: This content is the result of my having survived several emergencies of varying effect sizes. Most of these ideas are rules of thumb, and not canned answers. As in any emergency your best outcome will be if you keep calm, consider many options, and flow from plan to backup plan as required.



Psychological attacks, also known as social engineering, are designed to give the attacker access to critical infrastructure machines and to halt rapid response of clean-up during a cyber emergency. What better way to perpetuate the emergency than by psychologically disabling key personnel and leaders who are in a position to notice an attack and coordinate a response?

The flavor of psychological attack that I have witnessed are designed to incite panic, disrupt sleep, and confuse. The main idea here is to push a person psychologically off-balance and keep them off balance for an extended period of time. In order for the attack to be successful, it must be ongoing. If the attacks can be disrupted, the target has a rest period in which to recover.

Interestingly enough, these attacks are somewhat related to cons used for defrauding a person, however their intensity, specificity and duration far exceed normal cons. Similar to a con, a psychological attack may well require a team of agents for each targeted personnel.

I have observed the following psychological attacks.

  1. Control someone's access to information about the world using deliberately biased reporting of search results.
  2. Wake someone at the same time every night, using more than one disruption whenever possible. The goal is to condition a panic attack in the middle of the night and to maximally disrupt the sleep cycle.
  3. Mess up the network time just a little, perhaps by 10-15 minutes which will throw of the circadian rhythm of the entire population.
  4. Introduce problems into the water supply, particularly compounds or pharmaceuticals that would help induce panic. Note that some of these compounds may typically be used to treat water and make it safe to drink. However, if computer control of the water purification devices is compromised, harm may result.
  5. Conditioning of panic or anger via remote device (i.e. cell phone, laptop, wireless or satellite). This must be used in combination with another attack, such as a cyber attack that initially induces fear or anger.
  6. Observe someone very closely and arrange agents to confirm every negative idea or fear that is expressed out loud. This is psychological exposure therapy on steroids with the intent to incite fear and panic, rather than reduce it. Key personnel may give up trying to prevent attacks if their negative predictions are constantly reinforced... if the worst-case brainstorm always seems to come true, an unconscious fall back is to stop planning and preparing for the worst-case.
  7. Turn someone into a cyber-mercenary.
  8. Turn someone into a white-hat hacker.


Homework

  1. Reach out, reach out, reach out. To family and friends and the trusted people in your social network.
  2. Consider medications to help with anxiety.
  3. Consider exercise to help with anxiety.
  4. Maintain a routine to help fight disruptions to the circadian rhythm.
  5. Consider breaks from your routine to fight stress.
  6. Stay safe.
  7. Check on your neighbors and friends.
  8. Remind everyone to breath.
  9. If you are key personnel, consider trying to locate an interim replacement so that you can rest. But make sure that your replacement can integrate into a trusted local social network.
  10. Consider visiting family for a vacation. Be very responsible with your electronics if you visit a more secure location.
  11. Swap funny stories with friends about the worst threats you have received. If someone is blackmailing you, consider coming out about your fear instead of caving to the threats.
  12. When you don't know the source of the attack, it is natural to blame the people closest to you whom you should be able to trust. Try to dismiss some of the blame or assign some of it to computers, rather than to people. If someone is failing to perform perfectly in their job, consider that they may have been heavily targeted, particularly if they are key personnel.
  13. Document the methods of attack and your responses. It may feel like you are writing the play-book for a future attack, or revealing vulnerabilities in previous attack methods that could be strengthened. However, if you were used to sharpen the attackers skills, then you cannot be alone in being targeted.
  14. If you are the target of a virulent cyber-attack, it may be necessary to provide all your work-arounds and security innovations for free to the community. This may be the only way to distinguish yourself from the attackers, to build trust, to establish that you were attacked, and to protect both your reputation and health. You may consider yourself conned into doing security work, and conned out of the results of your effort by impressment into a unacknowledged cyber-war that you did not start or continue. (Particularly if you are a minority, the severity of your attack will never be acknowledged. Also, beware of having too much understanding or the technical details, as you may then be accused of being an attacker.)
  15. If you do provide your innovations free to the community, you will follow in the long-standing open-source tradition and be a hero. Memorize the following: "Men may not get all they pay for in this world, but they must certainly pay for all they get. If we ever get free from the oppressions and wrongs heaped upon us, we must pay for their removal." --Fredrick Douglass


This struggle may be a moral one, or it may be a physical one, and it may be both moral and physical, but it must be a struggle. Power concedes nothing without a demand. It never did and it never will. Find out just what any people will quietly submit to and you have found out the exact measure of injustice and wrong which will be imposed upon them, and these will continue till they are resisted with either words or blows, or with both. The limits of tyrants are prescribed by the endurance of those whom they oppress. --Fredrick Douglass, 1857

© 2015-2021 Intrepid Net Computing. All rights reserved.