Tag Archive for: cyberattack

Hackers for hire pose growing international security risk

A hacker has been jailed in the UK over his role in a massive cyberattack in Liberia in 2016, in a case which is likely to be a sign of things to come as hackers for hire become ever more available—and affordable.

Daniel Kaye, a 30-year-old dual UK–Israeli citizen and self-taught hacker, pleaded guilty and was sentenced to two years and eight months in prison for perpetrating a months-long cyberattack on a Liberian telecommunications company. Kaye has previously been charged and received a suspended sentence in Germany over a related hacking operation which affected German internet users.

Kaye used a method known as distributed denial of service (DDoS), which essentially works by swamping a system with so many requests that it crashes. In order to generate a large enough number of requests, Kaye took control of hundreds of thousands of internet-connected devices using a variant of the Mirai strain of malware. Mirai was used by another hacker in October 2016 to commit the largest ever DDoS attack, which took down a major chunk of the US internet. The malware infects vast numbers of poorly secured devices, including everything from routers to smart fridges, and strings them together into a ‘botnet’ that can be centrally directed to attack a single target—often without the owners of the infected devices being any the wiser.
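A flood of the kind described above is visible in a target's own access logs long before the service falls over, and the telling sign is usually not any single source but the combined rate across many sources that each stay below a per-client limit. The following is an added example, not code from the original article or from any investigation it describes: a sliding-window detector run over constructed access-log lines (addresses from the RFC 5737 documentation ranges, timestamps and thresholds made up for illustration). It flags a single abusive client and, separately, a distributed burst that no per-source rule would catch.

```python
"""Request-flood detection over constructed access-log lines (added example)."""
from collections import Counter, deque
from datetime import datetime, timezone


def build_sample_log():
    """Constructed log: a normal trickle, a distributed burst, then one noisy client."""
    lines = [
        "2016-11-03T10:00:00Z 192.0.2.10 GET / 200",
        "2016-11-03T10:00:02Z 192.0.2.11 GET /about 200",
        "2016-11-03T10:00:05Z 192.0.2.10 GET /news 200",
    ]
    # Distributed burst: 20 sources x 6 requests inside 3 seconds = 120 requests.
    # Each source alone stays well under the per-source limit used below.
    for i in range(120):
        src = f"203.0.113.{i % 20 + 1}"
        lines.append(f"2016-11-03T10:01:{i // 40:02d}Z {src} GET / 503")
    # Single noisy client: 25 requests inside 5 seconds.
    for i in range(25):
        lines.append(f"2016-11-03T10:05:{i // 5:02d}Z 198.51.100.7 GET /search 200")
    return lines


def parse_line(line):
    """Return (timestamp, source address) for one 'TS SRC METHOD PATH STATUS' line."""
    ts, src, _method, _path, _status = line.split()
    stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return stamp, src


def detect_floods(lines, window_s=10, per_source_limit=20, total_limit=100, min_sources=10):
    """Sliding-window detector.

    per_source: sources that exceeded per_source_limit requests in any window.
    volumetric: (timestamp, requests_in_window, distinct_sources) recorded once
                each time the aggregate rate crosses total_limit while coming
                from at least min_sources distinct addresses.
    """
    events = sorted(parse_line(line) for line in lines)
    window = deque()          # events currently inside the window, oldest first
    per_src = Counter()       # requests per source inside the window
    alerts = {"per_source": set(), "volumetric": []}
    in_flood = False
    for ts, src in events:
        window.append((ts, src))
        per_src[src] += 1
        # Expire events that fell out of the window.
        while (ts - window[0][0]).total_seconds() > window_s:
            _old_ts, old_src = window.popleft()
            per_src[old_src] -= 1
            if per_src[old_src] == 0:
                del per_src[old_src]
        if per_src[src] > per_source_limit:
            alerts["per_source"].add(src)
        if len(window) > total_limit and len(per_src) >= min_sources:
            if not in_flood:
                alerts["volumetric"].append((ts.isoformat(), len(window), len(per_src)))
                in_flood = True
        else:
            in_flood = False
    return alerts


if __name__ == "__main__":
    result = detect_floods(build_sample_log())
    print("per-source offenders:", sorted(result["per_source"]))
    print("volumetric alerts:", result["volumetric"])
```

The two rules are deliberately independent: per-source rate limiting is what most web servers and CDNs apply by default, and the distributed burst here passes it untouched, which is exactly why volumetric attacks are handled upstream (at the ISP or a scrubbing provider) rather than at the origin.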

Kaye’s botnet was not as big as the one used in the October 2016 attack on the US, but it was still one of the largest ever amassed. In November 2016, he began offering his botnet up for rent under his hacker nom de guerre, BestBuy.

By this stage, Kaye had already been approached by a senior executive at Cellcom, a Liberian telecommunications company, and hired at a rate of £7,800 (A$14,075) a month to attack rival telco Lonestar. According to the UK’s National Crime Agency, the November 2016 attacks were so large that they affected internet access across Liberia and caused millions of dollars’ worth of damage.

Then Kaye got cocky. Deciding his botnet wasn’t big enough, he attempted to take control of hundreds of thousands of Deutsche Telekom internet routers. In the process, he reportedly knocked more than 900,000 German users offline, including Cologne’s main sewage facility. Then in January 2017, his botnet launched attacks against three British banks (he later said that someone else had used his botnet for the attack and UK prosecutors dropped those charges). Kaye again attempted to take control of routers, this time in the UK. He knocked 100,000 British internet users offline and drew the attention of UK authorities in the process.

Kaye was arrested in February 2017 in London’s Luton airport. He was extradited to Germany, where he received a suspended sentence for knocking out the Deutsche Telekom routers. He was then passed back to UK authorities and convicted there. The head of the NCA’s National Cyber Crimes Unit, Mike Hulett, described Kaye as ‘one of the most significant cyber criminals arrested in the UK’.

Beyond Kaye’s individual conviction, however, this case is likely to be a sign of things to come. It incorporates (at least) three trends that will become increasingly important in the coming years, not only for policing cybercrime, but for national security and defence.

The first is the growing industry of hackers and hacking tools for hire. Hacking is increasingly available as a paid service and the cost is dropping all the time. The employee at Cellcom was able to hire Kaye for $14,000 a month to do millions in damage to a rival. Kaye’s services were affordable partly because he was using a variant of someone else’s malware, Mirai, and didn’t need to create bespoke cyber tools for the attack.

Tools which were previously accessible only to governments or high-level hackers are increasingly becoming available in off-the-shelf, relatively easy-to-use formats, meaning that hackers don’t need to be as skilled to operate them and therefore can’t charge as much for their services. A 2018 joint operation involving Europol and 11 countries including Australia took down an entire online marketplace geared specifically towards hiring out botnets for DDoS attacks.

Relatively low prices have made hiring a hacker a financially viable option for a range of actors, including organised criminals, political activists and countries without their own offensive cyber capabilities. For security and intelligence agencies, the lowered bar will radically change the landscape of potential cyber threats.

Second, the sheer size of the botnet which Kaye was able to assemble is an ominous sign for the future. More and more of the devices in our daily lives are connected to the internet, from our washing machines to our toothbrushes. They’re often poorly secured and highly vulnerable to attackers, and can be taken over without alerting the owner. Kaye’s original botnet was made up primarily of infected Chinese-made Dahua webcams.

The proliferation of poorly secured internet-connected devices enables the assembly of ever larger botnets, which in turn allows criminals to launch ever more powerful DDoS attacks. Kaye’s 2016 botnet was made up of hundreds of thousands of devices, but today single botnets are commandeering millions of infected computers. The phenomenal increase in scale has serious implications for the ability of governments, agencies and corporations to defend their systems against sustained DDoS attacks.

Third, Kaye’s case demonstrates the incredible capacity of poorly controlled cyberattacks to cause global collateral damage. What began as a case of corporate sabotage in Liberia ultimately knocked hundreds of thousands of people, businesses and at least one piece of major infrastructure offline.

The devastating NotPetya ransomware attack in 2017 is another example. In that case, malware allegedly used by Russia to attack Ukraine escaped and spread, causing hundreds of millions of dollars in damage around the world and impacting critical services including hospitals. As the power of the available cyber tools grows and the skill and cost required to operate them reduce, the risk of catastrophic unintended consequences from DDoS attacks will only become more severe.

Kaye’s prosecution is a success for international collaboration between law enforcement agencies on cybercrime, but it should also be taken as a warning sign. The growing marketplace of hackers for hire, combined with increasingly powerful and easy-to-use forms of malware, has major implications for the future of cybercrime, national security and counterterrorism.

Outsourcing accountability?

The recent defence security breach—labelled ‘ALF’ by the Australian Signals Directorate—involving an Adelaide-based defence contractor has been characterised as a cybersecurity incident. But closer examination indicates that the underlying causes have more to do with poor security governance and failures to implement, maintain and oversee basic security hygiene.

Details of the information that was compromised and how it was compromised have not, understandably, been released into the public domain by government. That said, it’s possible to construct a plausible account of the circumstances of the breach from government and media sources—in particular, comments made at a security conference by an ASD officer.

We know that the defence contractor was an engineering firm with a headcount of about 50 and an IT staff of one. It was several tiers away from being a prime defence contractor. It held information about some of Australia’s most sensitive and expensive defence projects, including the F35 Joint Strike Fighter; the Hercules C-130 transport aircraft; the P8 Poseidon patrol aircraft; the Joint Direct Attack Munition smart bomb; and naval vessels, in all likelihood Australia’s new frigates. It was contracted to defence projects involving Australia’s national security.

In July 2016, the company’s IT system was compromised by an attacker. About two weeks later, the attacker began taking data from the system. Over the next three months, 30 gigabytes of data was stolen. The breach was facilitated by the contractor’s poor ICT security, which included internet-facing servers’ passwords being left at their default settings of ‘admin’ and ‘guest’.

The government has been at pains to emphasise that the data breach was the result of a cybersecurity attack. Implicit in its cybersecurity messaging is that we’re all vulnerable to the complex and inscrutable machinations of hackers and that this event, although regrettable, was beyond our control.

Although that is correct, it’s not wholly correct. The hacking that occurred was far from a sophisticated exercise. It exploited simple security vulnerabilities and was in no way comparable to a highly skilled and intricate cyber operation against an equally skilled and prepared adversary: not all cyber incidents are equal.

Characterising the attack as a cybersecurity incident simpliciter has the effect of normalising cyberattacks and reinforces a widely held perception that we’re powerless. It privileges cybersecurity over mundane but essential basic security procedures to the detriment of the latter. Although we’ll never know whether a more sophisticated attack would have been successful if the contractor had been better defended, the chances are that the attacker would have moved on to a softer target.

The government’s line was that it’s not responsible for the security measures taken by a private-sector contractor. Minister for Defence Industry Christopher Pyne said, ‘I don’t think you can try and sheet blame for a small enterprise having lax cyber security back to the federal government. That is a stretch.’ Again, although that’s true, it’s not wholly accurate.

One of the most troubling aspects of our information security infrastructure is outsourcing. The problem is how to ensure that the security obligations imposed on the public sector are passed on to and observed by private-sector contractors. The fact that the delivery of a product or service has been outsourced doesn’t displace the outsourcer’s security obligations. Often outsourcing is used to drive cost efficiencies. The problem with the way this model is implemented is that government books the savings, but neglects to perform the required oversight and supervision.

As a number of information and security regulators have noted, you can outsource responsibility but you can’t outsource accountability. That rule is built into the Commonwealth’s Protective Security Policy Framework, which makes agency heads—in this case, the secretary of the Department of Defence—accountable for compliance with its standards and for taking action to mitigate security risks. This means that security is an active, not a passive, task. We’re entitled to know when the contractor was last subject to a security review or audit and whether it had made security commitments, such as asserting its compliance with relevant security standards, to the department either directly or through a prime contractor.

The national security community can learn several lessons from the ALF incident. Apart from the obvious ones—such as the need for all participants in the defence supply chain to implement ASD’s ‘Essential Eight’—they include the need for more rigorous security governance, a focus on security fundamentals and an appetite to deal with the challenges of outsourcing. Addressing those issues is not assisted by shaping the narrative to minimise the fallout.

Cyber wrap

The ghosts of social media accounts past have come back to haunt millions of people this week, with credentials for 360 million MySpace users being offered for sale online. Selling stolen credentials can be a lucrative business, and reseller LeakedSource.com has reportedly added 1 billion records to its database in the past month. One high profile victim was Facebook founder and CEO Mark Zuckerberg, who has been caught red handed breaking the cardinal rule of password security and reusing the same password for multiple sites (yeah I know…we all do it). Zuckerberg’s Twitter and Pinterest accounts were hacked using the password ‘dadada’, which also appeared as one of 100 million LinkedIn credentials leaked last month. If you want to check if any of your old accounts have been compromised, click here.
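Checking a password against a leaked-credential set without handing the password to anyone is a solved problem: the k-anonymity scheme popularised by Have I Been Pwned’s Pwned Passwords service hashes the password locally with SHA-1 and sends only the first five hex characters, and the service answers with every hash suffix it holds under that prefix, so the client does the final match itself. The block below is an added example, not code from the original post or from that service: it simulates both sides offline with a constructed leaked-password table (the password ‘dadada’ from the post plus a few made-up entries and counts) so the exchange can be run and inspected end to end.

```python
"""k-anonymity lookup of a password against a leaked-credential table (added example)."""
import hashlib


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that is sent to the service and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


class OfflineRangeService:
    """Constructed stand-in for the server side. It stores only hashes of
    leaked passwords and answers a prefix query with every suffix under it."""

    def __init__(self, leaked_counts):
        self._by_prefix = {}
        for password, count in leaked_counts.items():
            prefix, suffix = sha1_prefix_suffix(password)
            self._by_prefix.setdefault(prefix, []).append((suffix, count))

    def range(self, prefix):
        """Response body for a 5-hex-char prefix: one 'SUFFIX:COUNT' per line."""
        if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError("prefix must be 5 upper-case hex characters")
        rows = sorted(self._by_prefix.get(prefix, []))
        return "\r\n".join(f"{suffix}:{count}" for suffix, count in rows)


def parse_range_response(body):
    """Turn the 'SUFFIX:COUNT' lines into a dict keyed by suffix."""
    table = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":")
        table[suffix] = int(count)
    return table


def breach_count(password, fetch_range):
    """Number of times the password appears in the leak set, 0 if absent.
    fetch_range is any callable taking the 5-char prefix and returning the body."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed leak table: 'dadada' is the password named in the post; counts are made up.
LEAKED = {"dadada": 12, "123456": 500000, "password": 300000, "letmein": 2500}
SERVICE = OfflineRangeService(LEAKED)

if __name__ == "__main__":
    for candidate in ("dadada", "correct horse battery staple"):
        print(f"{candidate!r}: seen {breach_count(candidate, SERVICE.range)} times")
```

The property worth noticing is what crosses the wire: five hex characters identify a bucket of roughly one in a million of all possible SHA-1 values, which is enough to fetch the right slice and far too little to recover the password; the real service additionally pads responses so that bucket sizes leak nothing either. Swapping `SERVICE.range` for a function that performs the HTTPS request against the live service is the only change needed to use the same client code for real.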

The annual Shangri-La Dialogue devoted a dedicated special session to cyber issues for the first time over the weekend. William Saito, special adviser on cybersecurity to the Japanese Cabinet, noted that Japan was focussed on defending infrastructure critical to the 2020 Tokyo Olympic games from cyber threats, while the head of Singapore’s Cyber Security Agency, David Koh, highlighted the ability of malicious cyber actors to take advantage of the seams in regulation between countries to avoid punishment. One of the largest barriers to greater cooperation on cybersecurity is the different objectives of major international states for the future of the internet, which former US National Intelligence Officer for Cybersecurity Sean Kanuck noted means that ‘it probably isn’t a surprise that the accomplishments to date have been modest’.

US Defense Secretary Ash Carter also noted the growing anxiety in the Asia–Pacific about China’s actions in cyberspace at Shangri-La. These comments echoed Carter’s speech to the US Naval Academy on 27 May, which moved beyond the usual calling out of Chinese cyber espionage and linked China’s behaviour in cyberspace to its actions in the South China Sea. His criticism at the Academy also had a heavy trade focus, saying that Chinese regulation of digital trade undercuts the principles of the global system from which China has benefitted. It’s likely Carter’s message was also intended to hit home before the Sino-US Strategic and Economic Dialogue in Beijing this week, where cyber issues were also high on the agenda. The Wall Street Journal has a good summary of new Chinese cyber regulations here and there’s a more in-depth discussion of Chinese cyber laws from The Diplomat here.

The NATO conference in Warsaw next month will focus on the alliance’s cyber capabilities and threats. German Major General Ludwig Leinhos, head of the Bundeswehr’s fledgling Cyber Command, told reporters that he expects that NATO will officially designate cyberspace as an operational domain of warfare. NATO’s refocus on Russia has brought with it attention on Russia’s asymmetric capabilities including cyber capabilities. However, despite warnings of a new arms race by figures such as Mikko Hypponen, a US Defense spokesperson told Russian news outlet Sputnik this week that due to Russian actions in Ukraine, the US has no plans to discuss cyberspace with the Russian military.

There have been renewed calls in India to stand up a Cyber Command, first promised in 2013, after a cyber espionage campaign targeting Indian government officials was reported by FireEye. The group, suspected to be a Pakistani APT previously observed by FireEye, used spear phishing tactics to dupe officials into opening a Microsoft Word document that dropped a malicious payload called BreachRAT, opening a backdoor to the user’s information. ASPI has previously commented on the slowness of India’s implementation of its 2013 National Cyber Policy in the 2015 Cyber Maturity in the Asia–Pacific report.

On a final note, make sure to check out ASPI’s latest publication, Agenda for Change 2016: Strategic choices for the next government, released yesterday. The International Cyber Policy Centre has summed up the key cyber issues facing the next government and made five key recommendations for it to quickly address critical cyber policy challenges, and to take a leading role—regionally and globally—in overcoming cyber threats:

  1. Effectively implement the recently announced Australian Cyber Security Strategy.
  2. Deliver an international cyber strategy. Appoint an ambassador who will be able to hit the ground running and quickly engage internationally. Increase the budget for capacity building in line with regional aspirations outlined in the international strategy.
  3. Devise a strategy to fill IT skills shortages in the immediate short term (<2 years).
  4. Ensure that the government’s threat information sharing centres are accessible, productive and effective. Removing red tape around security classifications and access to information will be crucial, as will providing threat information that’s timely, relevant and actionable.
  5. Release a publicly accessible Defence Department policy on how cyber operations, both offensive and defensive, are governed and integrated into broader Defence activities. This will support the coherent development of those capabilities, assist efforts to shape international cyber policy in line with the whole-of-government strategy and maintain a rules-based global order as outlined in the 2016 DWP.

Late news just in: New Zealand has announced that it has an offensive cyber capability in its new Defence White Paper, released today. Defence Minister Gerry Brownlee told media that New Zealand has developed the capability to deter cyber interference in critical defence networks. In case you missed it, Jim Lewis has explained the rationale for such capabilities for ASPI here, and on The Strategist earlier today.

Cyber wrap


The recent string of ransomware incidents targeting health records held by hospitals has demonstrated the vulnerability and appeal of healthcare organisations to cybercriminals. The trend is reflected in a data security incident report from American law firm Baker Hostetler, which identifies healthcare as the most targeted industry, constituting 23% of all cybercrime incidents. In response, the American Hospital Association (AHA) has called attention to the need for improved cybersecurity in healthcare organisations. President and CEO of the AHA, Richard Pollock, recognised that cybersecurity is ‘more than just an IT issue’, and instead requires strong policy coordination and vigilant personnel. To aid this effort, AHA has added a dedicated cybersecurity page to their website that provides hospitals with information, resources, threat reduction tools and response plans.

The US has also been taking a long hard look at its federal computer networks. This week, the Obama administration proposed legislation to establish a new Information Technology Modernization Fund (ITMF) for the 2017 fiscal year, valued at US$3.1 billion. Chief Information Officer, Tony Scott, emphasised that the US government currently relies on antiquated systems that are not only difficult to secure but also costly to maintain. The ITMF initiative, foreshadowed in the Cyber Security National Action Plan earlier this year, is designed to facilitate the ‘retirement, replacement and modernisation of legacy IT’. It includes the creation of an independent board of experts to identify high risk systems suitable for upgrade and transition to shared services and cloud computing. The ITMF legislation also requires agencies to repay money taken from the fund, a feature that’s intended to support sustainable federal cybersecurity modernisation.

Staying stateside, US Congress introduced a new encryption bill last week. While the security–privacy debate has been unfolding between the FBI and Apple, onlookers have been waiting for Congress to weigh in on the issue. Well now they have, and they certainly aren’t sitting on the fence. The Compliance with Court Orders Act of 2016 will force companies to provide technical assistance to government, essentially outlawing end-to-end encryption. The nine-page discussion draft outlines the legal requirement of commercial entities not only to provide access to ‘unintelligible’ information when indicated by a court order, but also to refrain from creating hardware or software designs that prevent this from being possible. It’s fair to say that this bill hasn’t been well received. Some headline highlights include descriptions of the draft as ‘a total nightmare’, ‘ludicrous, dangerous, technically illiterate’, ‘the technological equivalent of requiring all pigs to fly’, ‘as bad as experts imagined’ and ‘more ridiculous than expected’. The contentious draft, put forward by Senate Intelligence Committee Chairman Richard Burr and high profile member Dianne Feinstein, is still being finalised, so rest assured that more on the encryption issue is coming down the pipeline.

Singapore this week announced plans to update its Computer Misuse and Cybersecurity Act. Senior Minister of State for Homeland Affairs, Desmond Lee, cited the ‘clear uptrend’ in cybercrime as a motivation for the overhaul. Noticeably, credit-for-sex scams have shot through the roof in the city state, generating an annual loss of S$2.9 million. Minister for Communications and Information, Yaacob Ibrahim, underscored the importance of reviewing the legislation, strengthening online defences and cracking down on cybercrime as Singapore moves towards becoming a ‘Smart Nation’. Becoming a Smart Nation is the vision of a Singaporean whole-of-government initiative: harnessing ICT, networks and data in order to ‘support better living, create more opportunities and support stronger communities’.

Equal representation still remains a challenge in the cybersecurity workforce. Women account for only 10% of the information security industry. Anne Marie Slaughter and Elizabeth Weingarten from the New America Foundation have published an article in TIME Magazine highlighting that the underrepresentation of women in this field is not simply an issue of gender equality, but also national security. They argue that ‘gender, socioeconomic status, race and other identities can influence how people perceive security interventions’, such that having a representative workforce designing security frameworks is an essential component of their effectiveness. By the same token, the US Department of Labor Statistics has revealed concerning information about the near absence of racial diversity in cybersecurity. Figures indicate that black or African-American people make up only 3% of information security analysts in the US. So it seems diversity should be at the forefront of employers’ minds as they work to fill the 1.5 million global cybersecurity talent shortfall.

Finally, Japan and Estonia agreed to strengthen their cybersecurity cooperation in Tokyo this week. Japan’s Prime Minister Shinzo Abe and his Estonian counterpart Taavi Roivas agreed to share knowledge on information protection and data management in the lead up to the 2020 Tokyo Olympics and Paralympics. The pairing of Japan and Estonia isn’t as strange as it appears at first glance. After suffering a bout of ‘cyber attacks’ on its government, finance and media websites in 2007, Estonia has become a global hub for cybersecurity discussion, collaborating with NATO to produce influential research like the Tallinn Manual. Abe applauded Estonia as an international leader in cybersecurity from which Japan could learn a great deal.