Approaches in Network Strategic Security Modeling
fitness can be understood as a service (or services) of some kind that a
node provides, which is appreciated by the other nodes over comparable services that other nodes
Arquilla and Ronfeldt (2001) give an
interesting description of what robustness of distributed and scale free network means from a security
“The network as a whole (but not necessarily each node) has little to no hierarchy; there may be
multiple leaders. Decisionmaking and operations are decentralized, allowing for local initiative and
autonomy. Thus the design may sometimes appear acephalous (headless), and at other times
polycephalous (Hydra-headed).” (Arquilla & Ronfeldt, 2001:9)
this research considers networks foremost as technological
networks where social actors are involved as the organizers ‘behind’ the technology
Cares conceives security organizations as networked organizations. Hierarchical organizations that
take decisions and distribute commands in a top down fashion represent methods of intervention that,
according to Cares, represent an outdated ‘centralized industrial age approach’. Contemporary
security organizations adjust to the network topology of security threats and become networked
organizations themselves. Security organizations become hubs in a security network that are able to
detect, observe, take decisions and organize interventions against threats themselves.
Security organizations that adjust to distributed network principles gain flexibility and effectiveness in a
way that Cares associates with a wolf pack, a set of relatively autonomous units that is able to attack a
target from all sides where that proves beneficial.
It would be interesting to find out what other attempts security organizations have undertaken to lure
suspected criminals into territory where the security organizations can exert juridical power and what
techniques have been used for the trickery. An interesting question would also be how effective and
structural techniques like this can be
, a distinction was made between manual
(hacking) and automated interventions (worms).
nodes (hosts) and edges (infrastructure)
. The fitness of a node was earlier in this paper defined as the ability of a node
to provide a service of some kind that is appreciated by other nodes. This definition should be
extended with the condition that a node must be able to protect its services to a level that security
issues don’t cause the other nodes to withdraw from the use of the services.
One of the
successful branches of cybercrime that the Center has to counter, according to Het Parool, is that of
criminal gangs that produce and deliver infected computers to the hardware market. The computers
are supposed to become part of a botnet as soon as they come on line.
Het Parool mentions botnets, but it is not hard to envision other cybercrime and cybersecurity
applications for computers prepared in advance
The idea that computer devices are systematically prepared for serving criminal networks in the
assemblage process – instead of on line software contamination – is new to this research.
The case of Shadowcrew illustrates how security organizations infiltrated a hub where cybercriminal
networks were active in selling and purchasing black market products and services, but the security
activities were directed at information gathering on operators so that they could be legally prosecuted
A problem in designing strategic models for fighting cybercriminal networks with rhizome like
properties is – and this is actually a very fundamental problem – that the full topology of the network is
not known, because it has not appeared at the surface of the internet yet. So how then can security
organizations determine 15% of crucial hubs or the order of clusters that have to be deleted to
disintegrate a network? The rhizome perspective on cybercrime poses a bit of a dark, at least
pessimistic view on the possibilities of security organizations to be – especially in the long term –
effective in taking down cybercriminal networks. The volatile distilled, hydratic rule ‘if one node is down,
another will arise’ seems to predict an endless loop of cybersecurity actions that only generate new
4.6 Fear as a side effect of interventions
Another remark has to do with this research’s impression that fear of prosecution and security
intervention stimulated the disconnection of other hubs in the network after the closing of
MegaUpload.com. The hubs themselves (FileSonic, RapidShare) did not malfunction; the operators refrained
from serving the public. And this is not the sort of effect the Barabási model predicts. The model states
that a network will disintegrate because its internal robustness is broken and exchange cannot take
place any longer due to failing connectivity, not because the spirit of the remaining operators is flawed.
Fear of prosecution or of other interventions does seem to be a real side effect of security
interventions, independent of the time it takes to take effect.
-editor’s note fraud triangle corner ^^
4.7 The relative ease of disintegrating a star network
Esthost Botnet can be
considered a success in the light of the security organizations’ efforts, but the disintegration does not
really make a case for involvement of the strategic models. Yes, the security organizations fully
disintegrated a cybercriminal network by taking out the major hubs. And no, the network was a relatively
simple star network that lacks the robust complexity that the strategic models are designed for.
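The contrast drawn in 4.7, as an added example that is not part of the thesis: hub removal with degree recalculated after each removal, run against a star network and against a constructed scale-free network grown by preferential attachment. The function names, the 200-node size, the seed and the use of node degree as the hub ranking are assumptions chosen for illustration.

```python
import random
def star_graph(n):
    """Node 0 is the only hub; every other node links to it alone."""
    adj = {leaf: {0} for leaf in range(1, n)}
    adj[0] = set(range(1, n))
    return adj

def scale_free_graph(n, m=2, seed=1):
    """Preferential attachment: each new node links to m distinct earlier nodes."""
    rng = random.Random(seed)  # constructed sample topology, not measured data
    adj = {i: set(range(m + 1)) - {i} for i in range(m + 1)}  # seed clique
    stubs = [v for v in adj for _ in adj[v]]  # node listed once per link it has
    for new in range(m + 1, n):
        targets = set()
        while len(targets) < m:  # degree-proportional choice via the stub list
            targets.add(rng.choice(stubs))
        adj[new] = set(targets)
        for t in targets:
            adj[t].add(new)
            stubs += [t, new]
    return adj

def remove_hubs(adj, k):
    """Delete the k best-connected nodes, recalculating degree after each removal."""
    g = {v: set(nb) for v, nb in adj.items()}  # work on a copy
    for _ in range(k):
        hub = max(g, key=lambda v: (len(g[v]), -v))
        for nb in g.pop(hub):
            g[nb].discard(hub)
    return g

def largest_component_fraction(g):
    """Share of the surviving nodes that sit in the largest connected component."""
    seen, best = set(), 0
    for start in g:
        if start in seen:
            continue
        stack, size = [start], 0
        seen.add(start)
        while stack:
            size += 1
            new = g[stack.pop()] - seen
            seen |= new
            stack.extend(new)
        best = max(best, size)
    return best / len(g) if g else 0.0

if __name__ == "__main__":
    for name, g in (("star", star_graph(200)), ("scale-free", scale_free_graph(200))):
        fractions = [largest_component_fraction(remove_hubs(g, k)) for k in (1, 30)]
        print(name, [round(f, 3) for f in fractions])  # k=30 is 15% of the nodes
```

Removing the single hub leaves the star with no connected pair of nodes, while the scale-free graph with m=2 stays in one piece after one removal, because every later node joined with links to two distinct earlier nodes.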
4.8 Luring into the unknown
greatest effect of this operation on the hacker scene is probably that hackers think twice before they
accept an invitation for a job interview in the US.
4.9 Targeting Communication
How interventions in communication networks can be organized and what techniques can be used –
and are in use – other than exposing personal information on the internet, seems a terrain to explore.
Kott (2007), for example, mentions that the cascading failure that was discussed in the previous chapter as an
overloading technique for a router network can also be applied in organizational decision making.
“When one decision-maker is overloaded, the effects spill over to other decision-makers in the
organization (particularly through an increased number of erroneous decisions made by the
overloaded element) and cause the deterioration of their performance as well.” (Kott, 2007:125)
If and how network calculations can be applied in communication interventions, and if and how the
5-15% rule or the Girvan-Newman algorithm apply to communicative interventions can be considered too
The reflection on the cases did not find any convincing ‘proof’ of the use and presence of strategic
models. The next chapter will try to find an explanation for it. What the reflection did find though are
some interesting questions on network interventions and cybersecurity, that will be summarized here.
Can the distribution of protection techniques (firewalls, antiviruses) be understood from a
network structural perspective in which the size of a hub corresponds with its protection level?
If so, how does the size of a node translate into its security level? If not, from what kind of
(business) logic does the security level of organizations spring?
How do commercial sales and distribution processes of computer equipment contribute to the
formation of cybercriminal networks?
How are professional hacker-squads organized? Is the phenomenon of hacker squadrons that
are employed in government service on the rise?
How can network analysis be deployed in Stuxnet like cyberweapons?
How does a discipline for Psychological Warfare look as a subdiscipline of cybersecurity?
How do rhizome features of cybercriminal networks contribute to their persistency?
5 Resilient, resistant Networks
network analysis is indeed not used directly in interventions in a way
the strategic models suggest, that is, by calculating and recalculating an order of nodes or bridges that
should be targeted in order to disintegrate the network.
The use of network analysis seems to be restricted to research of cybercriminal networks in a variety
of ways. Threat identification, exchange pattern analysis and monitoring of cybercriminal product and
service development are suggested.
The respondents seem to consider the benefits of network analysis as a complementary tool to other
research tools and techniques. One of the respondents sees a complementary use for network
analysis and computer forensics. Other respondents consider network analysis more like a kind of
meta-tool that provides a general overview of hostile networks. One professional brings out: “It gives
an essential overview of the working area in order to conduct proper investigation.” Or as another puts
it more practically: “You can’t detect and fight the threat if you do not possess a proper picture of the
network and its components.”
5.1 Ways of resistance
Endurance of an attack seems to be the most basic form of resistance and resilience against a
security intervention. When devices, connections and operators are not paralyzed or destroyed, they
can simply draw back activities, hide, sit still, and wait until the attacks are over.
After enduring an attack, networks can start recovering from the damage that has been done to a network
post-attack recovery regimes to recover as smoothly as possible from
Study the network to learn its vulnerabilities and better understand cascading failures
Undertake efforts to monitor and detect network breakdowns in real time
Build up stock replacement parts for critical facilities to reduce offline time in case of attack
Develop and test contingency plans for cases of network breakdowns
Improve the network architecture to produce subnets and clusters
Encourage the research and production of backup systems
5.1.4 Putting up defenses
As discussed, firewalls and virus scanners form the most basic defense against intrusions and attacks
in a network on a technical level. Another type of defense system is made up by the so-called Intrusion
Detection Systems (IDS)
Human operators that are physically attacked by security organizations (interventions by arrest
teams, for example, or black ops) can involve physical defenses against security teams. The amount of
physical violence that participants are willing to use is at stake
Networks may protect themselves against security interventions by counterattacking the organizations
that are targeting them. Counterattack can be directed at the edges, the machines or the human
operators and the communications of the intervention teams. In short, hostile networks that are under
attack can use all intervention techniques that are discussed so far to counterattack – and
5.2 Resources of Resilience
When resources are lacking, resilience will drop and the network is likely to be more sensitive to security
attacks and disintegration
Or to put it differently,
networks depend for their resources on the connections they maintain with other networks.
The following works out this idea by considering two types of network relations that enable resources
5.2.1 Rhizome topology as resource feature
Anonymous network by simply intending or declaring themselves as nodes
to the hacktivist network. Anyone can become a participant in the hacktivist collective anytime,
anywhere. The only condition for nodes to gain a practical sense of connectivity to the collective
seems the ability to connect to other nodes and hubs that represent and contribute to the
communication of the network collective. Any world citizen with a computer device, an internet
connection and a basic understanding of the operations of discussion fora, IRC chat, network
browsing, and software installation can meet this condition.
5.2.2 Operation Payback
That this ease of connection provides a hidden pool of resources within the network for counterattack is
illustrated by the historical operations of internet collective Anonymous against PayPal, Visa and
Mastercard in December 2010
5.2.3 Connections between networks
Besides the hidden parts of a network that provide resources for a network’s resilience, a network is
strengthened by the connections it maintains with other networks. A network does not stand alone; its
viability and self-defense depend on the connections it is able to successfully build and maintain with
The case of WikiLeaks can be taken a bit further to illustrate the weight and the diversity of the
interconnectedness of a network with other networks. Not so much that this research considers
WikiLeaks a criminal organization without reservations, but because WikiLeaks is an organization
that keeps a lot of security organizations busy.
5.2.4 The Networks of WikiLeaks
Several interconnected networks can be detected in and around the organization of WikiLeaks. The
networks do not stop at physical and organizational borders; they enclose nodes from countries and
“We need people of all colours, creeds and stripes. We need people from all over the world. We need
people with local knowledge for every locality. We need speakers of all tongues, jacks of all trades,
friends and supporters, writers and readers, creators and critics, artists and coders, builders and
teachers, architects and preachers, financiers and promoters, lawyers and advocates, journalists and
editors, thinkers and activists, coordinators and leaders, the proud and the humble, dreamers and
pragmatists, online and offline. We need citizens who are prepared to act as citizens of the world.”
(Wikileaks, Portal:Volunteers, 2012)
The Call to Arms makes clear that the volunteer network embraces volunteers of all kinds of functions
and expertise, or at least, that they are welcome
Next to its publication and volunteer network the financial network that was already mentioned makes
up for resources of WikiLeaks.
The donation network of WikiLeaks seems to span a worldwide network
A network that can finally be detected as constituent to WikiLeaks is the technical network that makes
up for its website and digital communications
5.2.5 A model for interconnected networks
, to invoke the
formulation at the beginning of this paragraph: to convey an impression how networks provide
resources for each other and how they contribute to each other’s resilience.
The case of WikiLeaks illustrates how networks that are structured around different types of exchange
(publications, money, webhosting, etc.) interact with each other and through that interaction constitute
the full scope of the network
5.3 Concluding remarks: towards a multilayered re-conception of networks
The theoretical perception of a network’s resilience as a function of the interconnectedness of different
networks has consequences for both network theory and research. On a theoretical level the most
important consequence seems to be that a network can only be understood as a well-defined and
bordered entity up to a certain level.
The proposition of this thesis is to consider all involved networks as ‘the’ network and to perceive the
different socio-technological subnets as different layers that make up for that network. A multi-layered
approach in which networks are represented as a kind of ecological entity in which different networks
grow on top of each other and ‘feed’ each other seems to provide a theoretical framework that can be
elaborated to systematize this network conception
One of the consequences of this multilayered re-conception of a network is that for effectively fighting
cybercrime an understanding of networks is needed that extends beyond the digital realm of the
Who are the people that contribute to the network? In what
Two ways have actually come forward in which metric calculations are undermined
First, in the case of a rhizome network only parts of a specific layer are known and
involved in the calculation.
Second, if nodes retrieve resilience from exchange from different layers in the network, the nodes gain
qualities that are not well represented in the initial topology and the metrics that are used to express it.
Hostile nodes can gain strength or be replaced during an intervention; and these dynamic features are
not adequately taken in by the strategic models.
1. Security organizations use strategic models to disintegrate a cybercriminal network;
2. A network’s resilience interacts with and resists disintegration attempts;
3. Interconnected resource networks provide resilience to a network;
4. The actual delivery and enablement of resilience depends on the condition of the links that
5. To increase the success of attempts at network disintegration, interventions can aim to affect
the conditions of resource exchange.
Post moved from Tumblr