The Cybereason XDR Platform quickly detects chains of behavior that are either rare or present a strategic advantage to an attacker, allowing analysts to stop attacks before they cause damage...
March 22, 2022 |
For over a decade I have become a leading specialist in “Cybertrauma” and have created a theory as to why we behave in cyberspace in the way we do and have authored several peer-reviewed articles, am currently completing my Ph.D. in this area, and regularly present on this topic to assist parents and professionals in supporting the children and young people they work with or helping cybersecurity professionals understand the element of human behavior that is omitted from 99% of the books, training and research they have been exposed to to date.
Jason Hong is a professor in the Human Computer Interaction Institute, part of the School of Computer Science at Carnegie Mellon University. He works in the areas of usability, mobility, privacy, and security, and his research has been featured in the New York Times, MIT Tech Review, CBS, CNN, Slate, the World Economic Forum, and more.
Born in Israel in 1975, Malicious Life Podcast host Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, created the popular Israeli podcast Making History. He is author of three books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.
Malicious Life by Cybereason exposes the human and financial powers operating under the surface that make cybercrime what it is today. Malicious Life explores the people and the stories behind the cybersecurity industry and its evolution. Host Ran Levi interviews hackers and industry experts, discussing the hacking culture of the 1970s and 80s, the subsequent rise of viruses in the 1990s and today’s advanced cyber threats.
Malicious Life theme music: ‘Circuits’ by TKMusic, licensed under Creative Commons License. Malicious Life podcast is sponsored and produced by Cybereason. Subscribe and listen on your favorite platform:All Posts by Malicious Life Podcast
Catherine Knibbs is a clinical and academic researcher, consultant in the fields of cyber trauma and online harms and adult trauma psychotherapist. As a therapist and researcher, she often meets people who fell victim to cybercrimes – but cannot let go of the mental pain:
“[Catherine] I worked with a lady in the beginning of lockdown, actually. In fact, there’s been a lot of people that I worked with during lockdown because that seems to have increased this issue. One particular lady became so worried and moved into her imagination of people being in her house, in her devices that what she would actually do is unplug things. And, for example, she would take the router to bed on a night time. So she would actually try and prevent any kind of electrical activity by removing the connection from the outside of her home to the inside of her home. And this is very similar to people who have been violated in sexual violence and rape. That what they then try to do is carry out activities that help protect them and they may not look logical to the next person who’s listening or watching or working with them. And of course, this for me is one of the biggest areas that’s misunderstood in terms of cyber related”
For much of Human history, PTSD – Post-Traumatic Stress Disorder – wasn’t an officially recognized mental illness. The ancient Greeks wrote about soldiers who returned from battle suffering from nightmares and flashback-like dreams, and similar accounts can be found in manuscripts from the middle ages and even in Shakespeare’s plays – but even as recently as World War I, shell-shocked soldiers were mocked or even beaten up by their commanders.
Awareness of the devastating effects of PTSD rose in the 2nd half of the 20th century when psychologists began to study Holocaust survivors and later veterans of the Vietnam war. Even then, when in 1980 PTSD was officially included in the third edition of the American Psychiatric Association Diagnostic and Statistical Manual of Mental Disorders – better known as the DSM – it was assumed that the traumatic events leading to PTSD must be catastrophic in nature: human made such as war and torture or natural disasters such as earthquakes and hurricanes. Only later were less “dramatic” events such as rape, rejection, serious illness, and the like included in the DSM as stressors that can lead to PTSD.
But what about cyber-related events? In our day-to-day conversations, we naturally tend to emphasise the technological aspects of cyber security. Psychology, when discussed, is usually focused on the various “vulnerabilities” of the human psyche – those that make us vulnerable to Social Engineering. The damage from a cyber attack is usually counted in Dollars and Euros: psychological damage to the victims is rarely discussed, if at all. So, is there a psychological and emotional toll to cyber-attacks? Can scams, hacks, and breaches lead to Post-Traumatic Stress Disorder?
John Gibson was a good man. The 56 years old Pastor from New Orleans was popular among his students and colleagues at Leavell College for his great sense of humour, and for his willingness to fix cash-strapped students’ cars for free – and help anyone whose car broke down on the highway. He had a beautiful wife – Christi – and two great children. “The quintessential good neighbour,” as he was later described by his University’s president.
But John Gibson also had a secret. For the past 25 years, he was struggling with sex addiction. It was a burden shared only by him and his wife Christi, who was aware of husband’s troubles.
In 2015, a service called Ashely Madison was hacked. We covered this story in-depth in episodes 31 and 33 of our podcast. Over 60 gigabytes of stolen data were leaked – including intimate information regarding Ashley Madison’s users. Names, emails addresses, and even home addresses were suddenly made public.
But the thing that made the Ashley Madison hack so devastating was the nature of this particular dating platform: it was a dating website for married people. Within days, thousands of extramarital affairs were exposed to the internet’s prying eyes – and to various heartbroken spouses.
One name that was exposed in the breach was – you guessed it – John Gibson.
On Aug. 25, 2015, Christi came home from work. Usually, John would have been in the kitchen, preparing supper – but he wasn’t there. When she entered the house, she found John’sn body laying motionless on the floor, and a suicide note beside his body that told her the whole story. From the Washington Post:
“He struggled with addiction and with depression and those were two things that he couldn’t — as much as he was willing to help other people and do for other people — he couldn’t conceive that somebody would help him and do it for him in that kind of situation,” Christi said. “The shame of this really was just more than what he could take.”
John Gibson wasn’t the only casualty of the Ashley Madison hack. Kristen Brown, a journalist who covered the story wrote,
“In the U.S., at least, the worst of the fallout seemed to happen in the south, where small community websites and blogs published the names of locals who used the site. Sometimes they were organised by zip code, making cheating neighbours especially easy to find. In Alabama, Mississippi and Louisiana, conservative Southern politics, religion and the nature of close-knit rural culture turned the internet into a small-town pillory.
[…] Among the rubble of the Ashley Madison hack, I’ve counted at least three suicides, two toppled family values evangelists, one ousted small-town mayor, a disgraced state prosecutor and countless stories of extortion and divorce. The blast radius of a database dump, it seems, is very large indeed. . . .”
This is probably just the tip of the iceberg. Identify theft, financial scams, data leaks, or online blackmail – all of these cyber crimes can damage the victims’ mental well-being, to put it mildly. There isn’t enough available research regarding the mental health toll of cybercrimes, but a recent study conducted by the Identity Theft Resource Centre, dealing especially with victims of identity theft online, can shed some light on the troubling consequences. 70% of those surveyed by the Identity Theft Resource Centre said they experienced trust issues and felt unsafe after their identity was stolen. 59% of all respondents said they struggled with sadness or depression. 85% reported sleep disorders and 57% reported physical symptoms like headaches.
The trouble with formal definitions of PTSD is that when it comes to human psychology, there’s rarely such a thing as ‘one size fits all.’
“[Catherine] My experience comes from cyber to begin with, moving into the world of psychology and psychotherapy and actually being able to marry those two worlds up together. I’m noticing that when I’m working with both victims and of course the few perpetrators because as I said, I tend to work with victims, not perpetrators, that mental health is not fully understood by the audience of human beings enough as it is. And of course, mental health is not a one size fits all. It’s not like -’This is what depression looks like and this is how it presents, and people with depression will do XYZ’. It’s very much akin to the world in which I work in functional health, which is what we call an N equals one experiment. It’s about each person has their own history.”
Knibbs explains that the main factor affecting cyber-related trauma is the anonymous part of most cybercrimes. In most cases, the victim will never know the identity of the attacker.
“[Catherine] Being a trauma psychotherapist, one of the things I’ve noticed with many of the victims that I work with is they will behave in a very similar way to a real trauma in terms of, for example, burglary or assault. However, there is this quite often unknown perpetrator aspect to the trauma. And that can often result in people becoming obsessed with the ‘who is this person? Why did they do this to me? What did I do to upset them?’ Given that this is very different to if, for example, there was a burglary and the police could find fingerprints and then they could arrest the perpetrator – with a lot of cyber activity, of course, we know that you never get to find out who the person is. And so the mechanisms of imagination are so vast for many of us that people will go into their own fantasy about why this happened to them. And more often than not, it can lead to processes that are very similar, actually, to paranoid delusions and thinking about what was that the person, what did I do wrong. And people might even well, in fact, they do become quite scared of their own devices”.
Knibbs notes that PTSD can lead to a vast number of symptoms – affecting both our psychological and physical well-being.
“[Catherine] The symptomologies of these, as we call it in the diagnostic manuals, the symptomologies of post-traumatic stress would be intrusive thoughts, recurring nightmares, dysregulated, nervous system. You might have flashbacks to the time when. And of course, for people who have experienced any kind of crime against them, it is one of the things that we do. We talk about what’s happened to us. We say, oh, my God, did you know? And then… we will just keep repeating, repeating, repeating the conversation in order to try and process what’s happened to us”.
Another part of the complexity of cyber-related post-traumatic disorders is the fact that we cannot escape the digital sphere. A person suffering from trauma after a violent event in a public park, for example, might try to avoid that park or even all parks. But you cannot avoid the digital world:
“[Catherine] Now with post-traumatic stress, that can be intrusive into your daily life. So you might be, for example, just watching television, and there’s a noise outside, and that noise is an associative memory to an event. And of course, people who have had criminal activities against them with digital devices are not going to be able to live their lives without going near digital devices because that’s the world that we live in. There’s technology everywhere. And what that actually can do is literally make this PTS become deeply ingrained, and that can turn into something that we call complex PTS. And if you don’t exhibit the intrusive thoughts at the rate that the diagnostic manuals suggest, then I would be using the word trauma. And this is why I came up with the word cyber trauma because you might have had an activity against you, I don’t know, In 2020 and throughout 2020, you exhibit what we call normal behaviours. These cyber attacks can be very surreptitious and they can be very small in terms of what’s happening. But if, for example, you had your bank account and a small amount of money was taken, and then that happened again and again and , those events can actually build up to become something much bigger”.
Jason Hong is a Computer Science Professor at Carnegie Mellon University. He notes that although we tend to think of cybercrime as something that happens between strangers – a hacker targeting a far-away victim – there are actually many cases of cybercrimes between former romantic partners: another angle we discussed in-depth in one of our earlier episodes. These cases are more likely to lead to long-term trauma and even PTSD:
“[Jason]And the basic idea is that when a couple was together, a smart home was set up. So maybe it’s like an Alexa or the smart cameras or doorbells and other kinds of things. But later on, when the couple unfortunately split up, but the person who set up the smart home technologies in the first place, and it’s usually a guy, might still have access to all the smart devices. So you can imagine that if the woman is still in the house or the apartment and the guy can still see what she is doing with respect to Alexa, might be able to use the camera on the doorbell, on the smart doorbell to see when she comes in, when she leaves, who’s actually seeing her, and so on. You can imagine that can cause a lot of problems, too, especially if this victim doesn’t even know that it’s going on. And then if she discovers that it’s happening, that could lead to a huge loss of sort of sense of security. And it’s not just these smart homes, too. We’ve also had lots of these cases where an ex still had access to email or Facebook and so on. That can still cause a lot of kind of problems, too.”
As we try to understand the mental health toll of cyber activity – we should keep in mind that every coin has two sides. The other side of this particular coin is the perpetrators. Could hackers also develop PTSD symptoms?
Prof. Hong states that there isn’t any credible academic research as to the experiences of cybercrime perpetrators, but he believes that the mental health toll in these cases is minimal:
“[Jason] My best guess is that these activities actually have relatively little impact on the attackers themselves. Most of this is because of the medium of being online. It makes it really easy to miss kind of social cues, facial cues, gestures, mirroring and so on. And you’ve probably seen all these kinds of flame wars online that have happened because people misread these kinds of queues. But I think there’s another kind of major kind of aspect here which is that if you don’t see these other people face to face it’s hard to think of them as actual living, breathing human beings that can be negatively impacted by what you do. So if you don’t see those other people it’s easy to just assume the worst about those other individuals or you sort of shrug it off because you’ll probably never interact or see that person ever again. So to some extent it feels like it might be a game for some of these attackers that if you’re playing a video game and you’re harming a digital character in the computer game, well, that’s not a really big deal because it’s not real”.
During her interviews and conversation with hackers, Catherine Knibbs noted a distinct mentality: a mostly shameless and guiltless criminal experience.
“[Catherine] What’s really important is we don’t actually know the psychological toll Of somebody who is consistently carrying out attacks on another person. Now, given that a lot of this is happening in the cyber world and right now in the wild, wild west of crypto, There isn’t a connection with the victim. And that’s mainly because we don’t see the victim online. We don’t get in contact with them. We see numbers, we see names, we see contract addresses. And we don’t actually have an indication as to what that impact might be over time. Until somebody sits down with known perpetrators, and has a long conversation about what happened, how it happened. And for me, one of the things I’ve heard from many of the well known hackers. And one of the things that I’ve talked with only a couple of perpetrators, because I do tend to deal with victims, is when they’ve carried out their behaviours in terms of stealing from people or manipulation in order to get monetary gain. One of the things that they present with is they don’t seem to have the same level of guilt and shame that a victim might do. Now that’s not to say that they don’t experience guilt and shame. However, what we do know about people who carry out attacks that hurt other people is that they are detached from empathy, sympathy, connection, being in touch with the fact that their actions can have serious detrimental effects on the other person. And this is where many years ago, this online disinhibition effect theory came”.
Both Knibbs and Prof. Hong agree that we still don’t know enough about the mental experience of cyber-crime perpetrators. Naturally, finding these hackers is not an easy task – especially when we’re talking about state-run operatives. It’s not like Russia or China will let outside psychologists examine their prized cyber fighters. And if these countries do conduct internal research about the mental well-being of their personnel – this research is likely to remain hidden for a very long time.
But research of this kind is vital for our understanding of the interaction between the cybersphere and the people operating in it. Think of the young hacker conning people for money, ignorant to the fact that psychotherapy could help them. Think of the state-run hacker targeting another nation’s water supply. Think of his finger twitching just before he types one last malevolent command. Does he need our help?
As our lives become more and more digital and cyber-attacks become more common , it becomes clear that the mental consequences of cybercrimes need to be explored. But for that to happen, there’s one major challenge that we, as a society, still need to overcome: Shame.
A few days ago I asked our podcast’s followers on Twitter to share their stories of mental hardships due to cyber related events. Here’s one such story sent to me by a listener who wished to remain anonymous.
“I have a story to tell of my sister. She fell victim to social engineering. She received a call from “her bank” stating that they found someone had hacked her and they needed to lock the account and move the funds. […] She’s a student nurse and had just received funding for her tuition and living costs for the year and she lost it all. She didn’t know what to do and she felt super foolish, so she didn’t tell anyone. She took out a loan to cover the loss, [and] this loan was a payday loan with massive fees and 18% interest. She defaulted on that and […] eventually she was [heavily] in debt […]. At this point, feeling ruined and seeing no way out she attempted to take her life. This thing entirely broke her.
Thankfully she wasn’t successful in her attempt, the story then came out and I sold my house and paid off her debts. Happy ending ultimately but the butterfly effect of the scam was insane. Worse still, I’m a CTI analyst, she knew the work I do and how I could help but the shame she felt stopped her from coming to me. We could have handled it so very easily but instead, the shame led to such an extreme escalation.”
Prof. Jason Hong tells a different but similar story.
“[Jason] The general thrust was that my friend met a woman online who said that she lived in another country. They started to chat online romantically, and after a few weeks, she casually mentioned how she was investing in Bitcoin and she could teach him how to make enough money so that he could visit her face to face. So she convinced him to invest just a small amount of money first so that he could get comfortable with this website and see how the site worked overall. And after a few days, he actually got a really high return. And so what this supposed partner suggested next is that, well, if you could invest a lot more money – a large part of his life savings, in fact – if he could invest a lot of money into this site, then he could make a really large return and then they could really visit each other. So he did this. And unfortunately, it’s a really large part of his life savings. And I really wish that my friend had talked with me about this first because there are a lot of red flag warnings here. So, for example, my friend did try to do video chatting with this woman, but video, for example, never worked on her side. So ended up being only text messages or voice. But essentially after he put in his entire life savings and this person disappeared and the website, of course, was fake and he lost all of his money”.
Obviously, this is not a fairy tale. Many online scams and hacking attempts make use of romantic guises. Think of all the good-looking women sending you friend requests or desperate emails. But the story of Prof. Hong’s friend did not end with the lost money and the broken heart.
“[Jason] So it’s been sort of a huge ordeal for my friend and so it affected him psychologically in many ways. One is that it led to a large loss of trust in people. From a societal perspective, it’s hard to have a working society without trust and these kinds of online scams really undercut that whole notion of trust in other people and in society. Also led to a lot of embarrassment for my friend over falling for the scam. It took a lot of effort for me to communicate with them to try to understand what was going on, why he was feeling so down and so unhappy and a lot of anxiety and anger over having lost so much money for falling for a scam”.
Shame, guilt, feeling of powerlessness and even a feeling of betrayal. These emotions kept following Prof. Hong’s friend everywhere – like clouds lording over his mental health. But as Prof. Hong explains, it took a lot of effort for his friend to communicate these feelings.
Shame over mental health issues is nothing new, of course: it is only in the past few decades that we started having open and honest conversations in the public sphere about depression, anxiety, and like – but we rarely encounter such openness when it comes to cyber-attacks. If our house gets broken into, we know we’re allowed to feel violated and threatened. Society finds it completely understandable for victims of burglary and theft to experience all these emotions – but that’s not necessarily the case with cybercrimes. Shame and concealment are problems that we need to address if we wish to ease the suffering of cyberattacks victims.
The Office for National Statistics in the United Kingdom reports that by June 2020, there were 94 victims of cyber fraud for every 1,000 people in England and Wales. A 16% rise in 12 months – mostly before the COVID-19 pandemic. That’s almost one in ten people.
These statistics reveal a new reality. Vast numbers of people fall victim to various hacks and frauds. These people were betrayed, robbed of their money, humiliated, or frightened. Many of them will probably carry the mental consequences of these events for a long time.
Is society aware of this new pandemic of cyber-related trauma? Are we sympathetic enough to the victims of these new crimes? Think of those World War I soldiers lost in an endless battlefield, carrying never-ending flashbacks and caught in a bottomless pit of pain, guilt, and shame. A new war is being waged online. With countless malicious hackers, state-run operations, and fraudsters on the loose – a lot of people can get caught in the crossfire.