We have let our fears obscure how terrorists really use the Internet.
About 31,300. That is roughly the number of magazine and journal articles written so far that discuss the phenomenon of cyber terrorism.
Zero. That is the number of people that who been hurt or killed by cyber terrorism at the time this went to press.
In many ways, cyber terrorism is like the Discovery Channel’s “Shark Week,” when we obsess about shark attacks despite the fact that you are roughly 15,000 times more likely to be hurt or killed in an accident involving a toilet. But by looking at how terror groups actually use the Internet, rather than fixating on nightmare scenarios, we can properly prioritize and focus our efforts.
Part of the problem is the way we talk about the issue. The FBI defines cyber terrorism as a “premeditated, politically motivated attack against information, computer systems, computer programs and data which results in violence against non-combatant targets by subnational groups or clandestine agents.” A key word there is “violence,” yet many discussions sweep all sorts of nonviolent online mischief into the “terror” bin. Various reports lump together everything from Defense Secretary Leon Panetta’s recent statements that a terror group might launch a “digital Pearl Harbor” to Stuxnet-like sabotage (ahem, committed by state forces) to hacktivism, WikiLeaks and credit card fraud. As one congressional staffer put it, the way we use a term like cyber terrorism “has as much clarity as cybersecurity — that is, none at all.”
Another part of the problem is that we often mix up our fears with the actual state of affairs. Last year, Deputy Defense Secretary William Lynn, the Pentagon’s lead official for cybersecurity, spoke to the top experts in the field at the RSA Conference in San Francisco. “It is possible for a terrorist group to develop cyber-attack tools on their own or to buy them on the black market,” Lynn warned. “A couple dozen talented programmers wearing flip-flops and drinking Red Bull can do a lot of damage.”
The deputy defense secretary was conflating fear and reality, not just about what stimulant-drinking programmers are actually hired to do, but also what is needed to pull off an attack that causes meaningful violence. The requirements go well beyond finding top cyber experts. Taking down hydroelectric generators, or designing malware like Stuxnet that causes nuclear centrifuges to spin out of sequence doesn’t just require the skills and means to get into a computer system. It’s also knowing what to do once you are in. To cause true damage requires an understanding of the devices themselves and how they run, the engineering and physics behind the target.
The Stuxnet case, for example, involved not just cyber experts well beyond a few wearing flip-flops, but also experts in areas that ranged from intelligence and surveillance to nuclear physics to the engineering of a specific kind of Siemens-brand industrial equipment. It also required expensive tests, not only of the software, but on working versions of the target hardware as well.
As George R. Lucas Jr., a professor at the U.S. Naval Academy, put it, conducting a truly mass-scale action using cyber means “simply outstrips the intellectual, organizational and personnel capacities of even the most well-funded and well-organized terrorist organization, as well as those of even the most sophisticated international criminal enterprises.”
Lucas said the threat of cyber terrorism has been vastly overblown.
“To be blunt, neither the 14-year-old hacker in your next-door neighbor’s upstairs bedroom, nor the two- or three-person al-Qaida cell holed up in some apartment in Hamburg are going to bring down the Glen Canyon and Hoover dams,” he said.
We should be crystal clear: This is not to say that terrorist groups are uninterested in using the technology of cyberspace to carry out acts of violence. In 2001, al-Qaida computers seized in Afghanistan were found to contain models of a dam, plus engineering software that simulated the catastrophic failure of controls. Five years later, jihadist websites were urging cyber attacks on the U.S. financial industry to retaliate for abuses at Guantanamo Bay.
Nor does it mean that cyber terrorism, particularly attacks on critical infrastructure, is of no concern. In 2007, Idaho National Lab researchers experimented with cyber attacks on their own facility; they learned that remotely changing the operating cycle of a power generator could make it catch fire. Four years later, the Los Angeles Times reported that white-hat hackers hired by a water provider in California broke into the system in less than a week. Policymakers must worry that real-world versions of such attacks might have a ripple effect that could, for example, knock out parts of the national power grid or shut down a municipal or even regional water supply.
But so far, what terrorists have accomplished in the cyber realm doesn’t match our fears, their dreams or even what they have managed through traditional means.
But so far, what terrorists have accomplished in the cyber realm doesn’t match our fears, their dreams or even what they have managed through traditional means.
The only publicly documented case of an actual al-Qaida attempt at a cyber attack wouldn’t have even met the FBI definition. Under questioning at Guantanamo Bay, Mohmedou Ould Slahi confessed to trying to knock offline the Israeli prime minister’s public website. The same goes for the September denial-of-service attacks on five U.S. banking firms, for which the Islamist group “Izz ad-Din al-Qassam Cyber Fighters” claimed responsibility. (Some experts believe the group was merely stealing credit for someone else’s work.) The attacks, which prevented customers from accessing the sites for a few hours, were the equivalent of a crowd standing in your lobby blocking access or a gang of neighborhood kids constantly doing “ring and runs” at your front doorbell. It’s annoying, to be sure, but nothing that would make the terrorism threat matrix if you removed the word “cyber.” And while it may make for good headlines, it is certainly not in the vein of a “cyber 9/11” or “digital Pearl Harbor.”
Even the 2007 cyber attacks on Estonia, the most-discussed incident of its kind, had little impact on the daily life of the average Estonian and certainly no long-term effect. Allegedly assisted by the Russian government, and hence well beyond the capacity of most terror organizations, the attacks merely disrupted public-facing government websites for a few days. Compare that with the impact of planes crashing into the center of the U.S. financial system, the London subway attacks or the thousands of homemade bomb attacks that happen around the world each year.
Even when you move into the “what if” side the damage potential of cyber terror still pales compared with other types of potential terror attacks. A disruption of the power grid for a few days would certainly be catastrophic (though it’s something that Washington, D.C., residents have lived through in the last year. Does the Pepco power company qualify as a cyber threat?). But, again, in strategic planning, we have to put threats into context. The explosion of just one nuclear bomb, even a jury-rigged radiological “dirty bomb,” could irradiate an American city for centuries. Similarly, while a computer virus could wreak havoc in the economy, a biological attack could change our very patterns of life forever. As one cyber expert said, “There are [cyber] threats out there, but there are no threats that threaten our fundamental way of life.”
Better than fixating on an unlikely hack that opens the floodgates of Hoover Dam, in assessing cyber terrorism we should look at how terror groups actually use the Internet. The answer turns out to be: pretty much how everyone else uses it. Yes, the Internet is becoming a place of growing danger and new digital weaponry is being developed. We must be mindful of forces that would use malware against us, much as we have used it in offensive operations against Iran. But the Internet’s main function remains to gather and share information across great distances with instant ease.
For instance, online dating sites and terror groups alike use the Internet to connect people of similar interests and beliefs who otherwise wouldn’t normally meet. Similarly, online voices — be they restaurant bloggers or radical imams — are magnified, reaching more people than ever. (Indeed, the Internet seems to reward the more extreme with more attention.) Al-Qaida, denied safe havens by U.S. military operations after 9/11, spent the next decade shifting its propaganda distribution from hand-carried cassette tapes to vastly superior online methods. The last video that Osama bin Laden issued before his death was simultaneously uploaded onto five sites. Counterterrorism groups rushed to take them down, but within one hour, the video had been captured and copied to more than 600 sites. Within a day, the number of sites hosting the video had doubled again, each watchable by thousands.
Beyond propaganda, cyberspace allows groups to spread particular knowledge in new and innovative ways. The same kinds of tools that allow positive organizations such as the Khan Academy to help kids around the world learn math and science has given terrorist groups unprecedented ways to discuss and disseminate tactics, techniques and procedures. The recipes for explosives are readily available on the Internet, while terror groups have used the Internet to share designs for IEDs instantly across conflict zones from Iraq to Afghanistan.
Online sharing has helped such groups continue their work even as drone strikes and other global counterterror efforts deprive them of geographic spaces to teach and train. And what terror groups value from the Internet is the same as the rest of us — reliable service, easy terms and virtual anonymity — which complicates the old way of thinking about the locale of threats. The Taliban, for example, ran a website for more than a year that released propaganda and kept a running tally of suicide bombings, rocket attacks and raids against U.S. troops in Afghanistan. And yet the host for the website was a Texas company called The Planet, which rented out websites for $70 a month, payable by credit card. The company, which hosted some 16 million accounts, wasn’t aware that one of them was a Taliban information clearinghouse until it was contacted by U.S. authorities and shut the site down.
This gaining of knowledge is not just about the “how” of a terror attack, but even the “who” and the “where” on the targeting side. Groups have used cyberspace as a low-cost, low-risk means to gather intelligence in ways they could only dream about a generation ago. For example, no terrorist group has the financial resources to afford a spy satellite to scope out targets from above with pinpoint precision, let alone the capability to build and launch it. Yet, Google Earth filled in just as effectively for Lashkar-e-Taiba, a Pakistan-based terror group, when it was planning the 2008 Mumbai attacks, and for the Taliban team that planned the raid earlier this year on Camp Bastion in Afghanistan.
What this means when it comes to terrorism is that, much like in other areas of cybersecurity, we have to be aware of our own habits and uses of the Internet and how bad actors might take advantage. In 2007, when U.S. Army helicopters landed at a base in Iraq, soldiers reportedly used their smartphones to snap photos and upload them to the Internet. The geotags embedded in the photos allowed insurgents to pinpoint and destroy four of the helicopters in a mortar attack. The incident has become a standard part of experts’ warnings. “Is a badge on Foursquare worth your life?” asks Brittany Brown, the social media manager at Fort Benning, Ga.
A growing worry here is that groups might use social networking and Kevin Mitnick-style “social engineering” to seek information not just about hard targets, but human ones. After the bin Laden raid in 2011, an American cybersecurity analyst wondered what he could find out about the supposedly super-secret unit that carried it out. He was able to find 12 current or former members’ names, their families’ names and their home addresses. This information was acquired not as the result of leaks to the press, but rather through the use of social networking tricks (for instance, tracking people and their network of friends and family by their appearances in pictures wearing T-shirts with unit logos or through websites that mention BUDS training classes). In similar experiments, he uncovered the names of FBI undercover agents and, in one particularly saucy example, a pair of senior U.S. government officials who opened themselves up to potential blackmail by participating in a swinger site. The analyst uses the results of such exercises to warn his “targets” that there was more about them on the Internet than they realized — a useful reminder for us all.
Ultimately, in making a global risk assessment, we have to weigh an imagined future, in which terror groups unleash a cataclysm via computer virus, against the present reality, in which they use information flows to inform and improve their actions in the physical world.
So what does that suggest for cyber counterterror efforts?
A Double-Edged Sword
“It seems that someone is using my account and is somehow sending messages with my name,” emailed one person who fell for an online trick. “The dangerous thing in the matter is that they [his contacts replying to what they thought was a genuine email] say that I had sent them a message including a link for download, which they downloaded.”
We can all empathize with this fellow, whose story was captured by Wired magazine’s Danger Room blog. Many of us have gone through the same experience or received similar warnings from friends or family that someone’s hacked their account and to be aware of suspicious messages. The difference is that the person complaining about being hacked in this case was “Yaman Mukhadab,” a prominent poster inside what was supposed to be an elite password-protected forum for radicals, called Shumukh. Before he sent out his warning to the forum, the group had been engaged in such activities as assembling a “wish list” of American security industry leaders, defense officials and other public figures for terrorists to target and kill.
Mukhadab’s cyber hardships — induced, of course, by counterterrorism agencies — illustrate how technology remains a double-edged sword. The realm of the Internet is supposed to be a fearful place, perfect for terrorists, and yet it can also work for us. Some counterterror experts argue that instead of playing a never-ending game of Whac-a-Mole — trying to track and then shut down all terrorist use of the Internet — it might be better to take advantage of their presence online. “You can learn a lot from the enemy by watching them chat online,” Martin Libicki, a senior policy analyst at the Rand Corp., told the Washington Post.
While the cyber era allows terror groups to easily distribute the playbook of potential terrorist tactics, techniques and procedures, it also reveals to defenders which ones are popular and spreading. If individuals and groups can link up as never before, so too do intelligence analysts have unprecedented abilities to track them and map out social networks. This applies both to identifying would-be cyber terrorists designing malware as well as those still using the bombs and guns of the present world.
In 2008 and 2009, U.S. intelligence agencies reportedly tried to attack and shut down the top terrorist propaganda websites on the anniversary of 9/11, to try to delay the release of a bin Laden video celebrating the attacks. In 2010, however, they took a different tack. As Wired magazine reported, “The user account for al-Qaida’s al-Fajr media distribution network was hacked and used to encourage forum members to sign up for Ekhlaas, a forum which had closed a year before and mysteriously resurfaced.” The new forum was a fake, the equivalent of an online spider web, stickily entangling would-be terrorists and their fans.
The following year, a similar thing happened to the Global Islamic Media Front, a network for producing and distributing radical propaganda online. GIMF was forced to warn its members that the group’s own encryption program, “Mujahideen Secrets 2.0,” shouldn’t be downloaded because it had been compromised. More amusing was the 2010 episode in which al-Qaida in the Arabian Peninsula posted the first issue of Inspire, an English-language online magazine designed to draw in recruits and spread terror tactics. Excited terrorist readers instead found the pages replaced by a PDF for a cupcake recipe, reportedly put there by hackers for British intelligence agencies. One can imagine deadlier forms of information corruption, such as changing the online recipes of how to make a bomb, so that a would-be bombmaker blows himself up during assembly.
We can look at the digital world with only fear or we can recognize that every new technology brings promise and peril. The advent of reliable post in the 1800s allowed the most dangerous terrorists of that time, anarchist groups, to correspond across state borders, recruiting and coordinating in a way previously not possible, and even to deploy a new weapon: letter bombs. But it also allowed police to read their letters and crack down on them. So, too, today with the digital post. When it comes to cyber terrorism versus the terrorist use of cyberspace, we must balance chasing the chimeras of our fevered imaginations with watching the information flows where the real action is taking place.
The image people often have is plane-loads of these [jihadists] flying out, but that’s the wrong image: It’s people filtering out in dribs and drabs.