Cyber Threat Actor Cultural and Psychological Factors: Part 1
Cross-posted on https://www.cybersecuritytrainingco.com
Why do cybercriminals do what they do? It’s a simple question and it often evokes a simplistic answer (e.g. for the money), however, common sense dictates the root cause is (unsurprisingly) much more complex. Former New York Police Department Commissioner Patrick Murphey said, “the root causes of crime [are] poverty, unemployment, underemployment, racism, poor health care, bad housing, weak schools, mental illness, alcoholism, single-parent families, teenage pregnancy, and a society of selfishness and greed.” Murphey made this statement in 1985, well before the Internet became a cornerstone of society and the launchpad for exponential growth in on-line crime.
This series of posts explores the potential applicability and value of using existing cultural data elements in combination with mainstream psychological profiling methods to enhance how investigators profile cybercriminals. The series begins with a review of forensic psychology and traditional criminal profiling and then drills down on each of the factors. It also includes a case study of Marcus Hutchins, the British security researcher known for temporarily stopping the WannaCry ransomware outbreak and his subsequent arrest in Las Vegas following DefCon for his alleged role in the Kronos banking malware. The series will also include a bulleted summary quick-reference sheet of cybercriminal profiling traits and characteristics derived from more than 70 academic, government and industry sources.
Despite the many complexities the internet has introduced to society cyber crime investigators still perform the fundamental tasks of collecting evidence (e.g. from computing devices, data and networks) and establishing a perpetrator’s intent. But before we have an investigation we must have a crime so it’s important to level set on what makes a crime a crime and what is required to establish guilt.
Just as in traditional crimes, there are four elements that must exist for a cybercrime to exist: the actual act – or failure to act if under duty to do so – referred to as actus reus, a conscious decision to harm or deprive another or mens rea, attendant circumstances or conditions that are necessary for the crime to be committed, and harm to person or property. Three out of four of these are generally supported by (often difficult to obtain) physical evidence and are important elements of digital forensics. However, when it comes to mens rea it gets a bit more challenging not just because it relies on determining the culpability (i.e. state of mind) of a perpetrator but it’s required to establish guilt in a criminal trial. To make matters more challenging, consider that the perpetrator may be on the other side of the globe and often is a nameless, faceless entity.
Some legal systems rely on the categorization of mental state into general intent and specific intent. However, there is inherent confusion on how to describe what the differences are so some legal systems have transitioned to the Model Penal Code (MPC), a four-tiered classification for establishing malice. The MPC defines culpable states of mind into four hierarchical categories:
acting purposely - the most blameworthy (i.e. most severe punishment) category whereby the defendant made a conscious decision to act
acting knowingly - the defendant was almost certain their actions would cause the intended outcome
acting recklessly - the defendant made a conscious decision to ignore any and all known risks
acting negligently - the defendant had the capacity to know the risks but consciously decided against learning them
strict liability – the least blameworthy (i.e. least severe punishment) category. It foregoes the need for a guilty mind and states that the mere fact the defendant committed the crime is adequate to determine their state of mind. This classification is an extension of the traditional MPC and is used as sufficient evidence by the prosecution that the defendant committed the crime regardless if they feel culpable.
So, how do you determine the mental state of a nameless, faceless entity? Offender profiling is one of the methods used by forensic psychologists to identity criminals. Forensic psychology is any way in which psychology can aid in any stage of the criminal justice process. Offender profiling is defined as a technique for identifying the major personality and behavioral characteristics of an individual based upon an analysis of the crimes he or she has committed. (Douglas, Hartman, Ressler, & Burgess, 1986).
The role of forensic psychology can be seen in the Oscar-winning movie Silence of the Lambs (1991) where FBI Agent Clarice Starling (actress Jodie Foster) is forced to confide in an incarcerated and manipulative killer in order to get his help on catching another serial killer, Dr. Hannibal Lecter (actor Anthony Hopkins), who skins his victims. Another example is the US TV series Criminal Minds (since 2005) that explores the cases of the FBI Behavioral Analysis Unit (BAU), an elite group of forensic psychologists and offender profilers.
Mindhunter, a new Netflix series, is based on the writings of best-selling author Mark Olshaker. It tells the stories of legendary FBI profiler John Douglas who pioneered offender profiling during the inception of the FBI’s Behavioral Science Unit in 1974. Douglas along with the late Robert Ressler and Roy Hazelwood are credited with leading the evolution of criminal profiling into the modern-day, computer-based science we know today.
The two major types of offender profiling are inductive profiling and deductive profiling. (Bartol & Bartol, 2013) Inductive profiling uses investigative psychology, a statistical approach to profiling using known behavioral patterns and demographic characteristics shared by criminals. Deductive profiling uses a combination of forensic evidence, crime scene analysis, victimology, personality traits / characteristics, social characteristics, technical know-how, and motivating factors. With a better understanding of the cultural and psychological factors (e.g. personality traits / characteristics, social characteristics) that influence the life and actions of a cyber threat actor investigators may be in a better position to profile and identity suspects, establish attribution, and potentially contribute supporting data to the prosecutor’s case.
The following factors will be covered in subsequent posts:
National Culture – Six dimensions of national culture per the research completed by Professor Geert Hofstede, Gert Jan Hofstede, Michael Minkov and their teams
Cybercrime Law – The current state of legislation as reported by the United Nations Conference on Trade and Development
Rule of Law – Measures of how the rule of law is experienced and perceived by the general public across the globe as reported by the World Justice Project
Poverty and Unemployment – Quantitative data reported by the CIA World Factbook
Crime and Quality of Life – As reported by on-line survey firm Numbeo
Myers–Briggs Type Indicator® (MBTI®) – An introspective self-report questionnaire with the purpose of indicating differing psychological preferences in how people perceive the world around them and make decisions
Case Study: Marcus Hutchins
Hare Psychopathy Checklist Revised (PCL-R) – A psychological assessment tool most commonly used to assess the presence of psychopathy in individuals
Case Study: Marcus Hutchins
Academic Research Papers – More than 70 research papers on human behavior and/or cybercriminal psychology
A summarized quick reference is provided of findings about cybercriminals
In part 2 we will review the cultural factors in depth and map them to potential use in cybercriminal profiling.