I was running a resilience exercise with a client recently when someone asked about the scenario we were using to test the client’s cyber incident management plan. “What’s the ‘dark web’? Why haven’t our spy agencies done anything about it?”
In the scenario, a malicious employee had stolen a large amount of data from their employer utilising a ‘hacker-for-hire’ service they’d found on the ‘dark web’ using Tor (the onion router) - software that enables anonymous communication over the internet. The dark web is an ungoverned and seemingly ungovernable area of the internet where you can browse and communicate with complete anonymity.
Policing the dark web
Journalists, activists and campaigners in the US, Europe, China, Iran and Syria rely on Tor to maintain the privacy of their communications and avoid reprisals from government. But people engaged in terrorism, cybercrime, child abuse and drug dealing are increasingly using it1.
To answer my client’s question, I explained the National Security Agency (NSA) and UK Government Communications Headquarters (GCHQ) have devoted considerable efforts and resources to infiltrating the service. But, in response, activists who want to stop governments ‘spying’ on people are developing a wide range of tools to thwart that infiltration. They’re advocating the use of strong cryptography and privacy-enhancing technologies – software that ensures complete anonymity – and believe this will enable social and political change. Inevitably criminal groups and terrorists also use those tools to commit illegal acts undetected.
The widespread availability of dark web forums dedicated to freely sharing privacy-enabling technologies, intrusion software and exploitable code means global law enforcement agencies face an uphill struggle. There’s a growing number of technically-savvy ‘amateur hackers’ carrying out cyber-attacks, though as yet they’ve had little impact2. But for businesses that means even the average customer could buy a cyber-attack service anonymously – or possibly learn to conduct their own cyber-attack – without being caught.
What you can do to become ‘cyber-resilient’
The sheer complexity of the dark web means it’s unlikely hacktivist groups will be regulated any time soon. In the meantime, it’s clear that criminal groups are arming themselves with freely-available technologies that are making their job even easier, and their victims’ job all that more difficult.