Psychological Attacks in a CyberSecurity Emergency
Disclaimer: This content is the result of my having survived several emergencies of varying effect sizes. Most of these ideas are rules of thumb, and not canned answers. As in any emergency your best outcome will be if you keep calm, consider many options, and flow from plan to backup plan as required.
Psychological attacks, also known as social engineering, are designed to give the attacker access to critical infrastructure machines and to halt rapid response of clean-up during a cyber emergency. What better way to perpetuate the emergency than by psychologically disabling key personnel and leaders who are in a position to notice an attack and coordinate a response?
The flavor of psychological attack that I have witnessed are designed to incite panic, disrupt sleep, and confuse. The main idea here is to push a person psychologically off-balance and keep them off balance for an extended period of time. In order for the attack to be successful, it must be ongoing. If the attacks can be disrupted, the target has a rest period in which to recover.
Interestingly enough, these attacks are somewhat related to cons used for defrauding a person, however their intensity, specificity and duration far exceed normal cons. Similar to a con, a psychological attack may well require a team of agents for each targeted personnel.
I have observed the following psychological attacks.
- Control someone's access to information about the world using deliberately biased reporting of search results.
- Work-around: Use more than one information source about the world: (i.e. multiple media sources, multiple search engines, etc.)
- Wake someone at the same time every night, using more than one disruption whenever possible. The goal is to condition a panic attack in the middle of the night and to maximally disrupt the sleep cycle.
- Work-around: learn to relax and sleep despite the noise. Recall that in most cases the attackers cannot be violent without provoking a law-enforcement response and their own arrest.
- Try going back to sleep after drinking warm milk or reading a boring book. (Do not watch a movie.)
- Mess up the network time just a little, perhaps by 10-15 minutes which will throw of the circadian rhythm of the entire population.
- Work-around: set the time on your watch and ignore network time
- Be patient if colleagues show up for meetings late.
- Introduce problems into the water supply, particularly compounds or pharmaceuticals that would help induce panic. Note that some of these compounds may typically be used to treat water and make it safe to drink. However, if computer control of the water purification devices is compromised, harm may result.
- Observe your water consumption. If you are constantly thirsty, this is a good sign that your water is tainted. One should be able to survive on ~8 cups of water a day, provided that it is clean. Also observe your pet's water consumption or lack there-of.
- Work-around: drink bottled water or use a ceramic filter.
- Remember that juicy fruits, and other foods contain a surprising amount of water.
- Conditioning of panic or anger via remote device (i.e. cell phone, laptop, wireless or satellite). This must be used in combination with another attack, such as a cyber attack that initially induces fear or anger.
- Work-around: relax, slow down, try not to get too upset about anything
- Being attacked and targeted is scary. Remember that you have friends and family that are less effected. Reach out to them. Pick up the phone and call. Hang out with friends. Swap stories about the worst attacks and laugh a little.
- Observe someone very closely and arrange agents to confirm every negative idea or fear that is expressed out loud. This is psychological exposure therapy on steroids with the intent to incite fear and panic, rather than reduce it. Key personnel may give up trying to prevent attacks if their negative predictions are constantly reinforced... if the worst-case brainstorm always seems to come true, an unconscious fall back is to stop planning and preparing for the worst-case.
- Work-around: "There is nothing to fear except fear itself." -- F. D. R.
- Recognize this happening. Relax. Slow down. Laugh. If you have some idea of the identity of the watchers, then try to connect with them by talking directly to them. Tell them that you respect them.
- Hang out with trusted friends. Make sure that your friends make it home safely at night.
- If you trust one person, try trusting the people that they trust, to see if you can expand your community.
- Avoid isolation.
- Turn someone into a cyber-mercenary.
- If the attackers can keep key personnel off-balance long enough that they become desperate (i.e. financially, health, or security), then those personnel might commit a fatal mistake by which blackmail becomes effective.
- Bargain with desperate key personnel, particularly computer scientists, police, military, and leaders, in an effort to turn them into agents.
- If blackmail or bargaining doesn't work, then spread mis-information and hope the confused key personnel will spread that mis-information unknowingly.
- Work-arounds: ethics, ethics, ethics. Do not lie, cheat, or steal, even when desperate. Double check information for accuracy. Repeat only the most reliable gossip and share it with trusted people.
- If someone tries to threaten you directly or indirectly, realize that most threats are vacuous. Ground yourself in relaxation, family, and trusted friends. You are not alone.
- Avoid passing on threats or implied threats based on mis-information. Help people keep their jobs, instead of firing them. Be patient and kind.
- Turn someone into a white-hat hacker.
- Attackers attack and engage a computer scientist in defense and security.
- Attackers can employ attacks for which they do not know a defense, and wait until their target produces a defense, which the attacker than then employ for their own security.
- Work-arounds: delegate your security to the appropriate network administrator.
- Attack for the work-around: make sure that appropriate network administrators are overworked by attacks and responsibilities.
- Work-around for attack for the work-around: report the attack to the next level of network administrator for the network layer that your computer resides in.
- Attack for the work-around for the for the attack for the work-around: make sure to encourage technology bubbles by growing your organization and introducing beta software faster than your ability to provide IT and security resources.
- Permanent Fix: remove the incentive for cyber-war at the nation-state level, by having politicians proceed with diplomatic solutions.
- Successful cyber-attacks would require the impressment of many computer professionals into security and systems administration, as the attack would be designed to saturate the response capacity of the profession.
- Keep in mind that minorities make particularly attractive targets for turning into white-hat hackers. They already suffer from the 'ton of feathers' associated with constant bias and discrimination, and their requests for resources and support are typically denied.
- Keep in mind that minority populations within a nation make particularly attractive targets.
- Reach out, reach out, reach out. To family and friends and the trusted people in your social network.
- Consider medications to help with anxiety.
- Consider exercise to help with anxiety.
- Maintain a routine to help fight disruptions to the circadian rhythm.
- Consider breaks from your routine to fight stress.
- Stay safe.
- Check on your neighbors and friends.
- Remind everyone to breath.
- If you are key personnel, consider trying to locate an interim replacement so that you can rest. But make sure that your replacement can integrate into a trusted local social network.
- Consider visiting family for a vacation. Be very responsible with your electronics if you visit a more secure location.
- Swap funny stories with friends about the worst threats you have received. If someone is blackmailing you, consider coming out about your fear instead of caving to the threats.
- When you don't know the source of the attack, it is natural to blame the people closest to you whom you should be able to trust. Try to dismiss some of the blame or assign some of it to computers, rather than to people. If someone is failing to perform perfectly in their job, consider that they may have been heavily targeted, particularly if they are key personnel.
- Document the methods of attack and your responses. It may feel like you are writing the play-book for a future attack, or revealing vulnerabilities in previous attack methods that could be strengthened. However, if you were used to sharpen the attackers skills, then you cannot be alone in being targeted.
- If you are the target of a virulent cyber-attack, it may be necessary to provide all your work-arounds and security innovations for free to the community. This may be the only way to distinguish yourself from the attackers, to build trust, to establish that you were attacked, and to protect both your reputation and health. You may consider yourself conned into doing security work, and conned out of the results of your effort by impressment into a unacknowledged cyber-war that you did not start or continue. (Particularly if you are a minority, the severity of your attack will never be acknowledged. Also, beware of having too much understanding or the technical details, as you may then be accused of being an attacker.)
- If you do provide your innovations free to the community, you will follow in the long-standing open-source tradition and be a hero. Memorize the following: "Men may not get all they pay for in this world, but they must certainly pay for all they get. If we ever get free from the oppressions and wrongs heaped upon us, we must pay for their removal." --Fredrick Douglass
This struggle may be a moral one, or it may be a physical one, and it may be both moral and physical, but it must be a struggle. Power concedes nothing without a demand. It never did and it never will. Find out just what any people will quietly submit to and you have found out the exact measure of injustice and wrong which will be imposed upon them, and these will continue till they are resisted with either words or blows, or with both. The limits of tyrants are prescribed by the endurance of those whom they oppress. --Fredrick Douglass, 1857
© 2015-2021 Intrepid Net Computing. All rights reserved.