NATO Science for Peace and Security Series
This Series presents the results of scientific meetings supported under the NATO Programme:
Science for Peace and Security (SPS).
The NATO SPS Programme supports meetings in the following Key Priority areas: (1) Defence
Against Terrorism; (2) Countering other Threats to Security and (3) NATO, Partner and
Mediterranean Dialogue Country Priorities. The types of meeting supported are generally
“Advanced Study Institutes” and “Advanced Research Workshops”. The NATO SPS Series
collects together the results of these meetings. The meetings are co-organized by scientists from
NATO countries and scientists from NATO’s “Partner” or “Mediterranean Dialogue” countries.
The observations and recommendations made at the meetings, as well as the contents of the
volumes in the Series, reflect those of participants and contributors only; they should not
necessarily be regarded as reflecting NATO views or policy.
Advanced Study Institutes (ASI) are high-level tutorial courses to convey the latest
developments in a subject to an advanced-level audience.
Advanced Research Workshops (ARW) are expert meetings where an intense but informal
exchange of views at the frontiers of a subject aims at identifying directions for future action.
Following a transformation of the programme in 2006 the Series has been re-named and re-
organised. Recent volumes on topics not related to security, which result from meetings
supported under the programme earlier, may be found in the NATO Science Series.
The Series is published by IOS Press, Amsterdam, and Springer Science and Business Media,
Dordrecht, in conjunction with the NATO Public Diplomacy Division.
A. Chemistry and Biology Springer Science and Business Media
B. Physics and Biophysics Springer Science and Business Media
C. Environmental Security Springer Science and Business Media
D. Information and Communication Security IOS Press
E. Human and Societal Dynamics IOS Press
Sub-Series E: Human and Societal Dynamics – Vol. 34 ISSN 1874-6276
Responses to Cyber Terrorism
Centre of Excellence Defence Against Terrorism,
Amsterdam • Berlin • Oxford • Tokyo • Washington, DC
Published in cooperation with NATO Public Diplomacy Division
Overview of the Workshop Papers
In the introductory, first chapter of the ARW (see the chapter on “The History of the
Internet”), Clare Cridland notes that the Internet was originally developed in the U.S.
for military purposes. With ARPANET, the Defense Advanced Research Projects
Agency (DARPA) created a network for sending packets of information with no central
hub, so that communications could be more resilient during a devastating war. The idea
of security was, therefore, part of the original idea of the internet.
However, an entirely different ethos took over after the US Department of Defense
relinquished the project to the burgeoning computer and software companies in the
1990s. The architects of the worldwide network saw it, and wrote of it, in terms of the
centuries-old struggle for freedom of thought and expression. Clare Cridland’s
description of the internet also evokes this theme: “New media in the early 21st century
is a participatory, user-driven information environment, far from the linear platform of
the mass media that delivered information through a ‘gatekeeper’ to a passive mass
audience. These outlets … were capital intensive and … somewhat privileged. In
contrast, new media, driven by technological change in telecommunications, has
undermined this sphere of knowledge ownership … However, we’ve been here before.
‘Counter-culture’ always used ‘grassroots media’ (folk songs, posters, leaflets, public
meetings) rather than the more traditional mass media of radio and television to
Contrast this triumph of the common people, then, with the altogether more
pessimistic comments on the freedoms the internet offers by Prof. Seymour Goodman
in the third paper of the ARW (see his chapter “Critical Information Infrastructure
Protection”). Prof. Goodman is the chairperson of the Committee on Improving Cyber
Security Research at the National Research Council, advising the U.S. Congress. Much
of what the professor had to say, and this was reflected also in the Working Groups of
the ARW, had to do with the vulnerabilities in the globalized net to abuse by terrorists,
and the need for CIIP (Critical Information Infrastructure Protection).
It is clear that the “current technology asymmetrically favours the attacker, and
provides them with great non-linear leverage. The attackers can put their innovations
into practice more quickly and effectively than the defenders.” However, when much of
the network is outsourced, or owned by companies in a variety of countries, defence is
left to the end user. As Seymour Goodman writes, “most of the 200-plus connected
countries have little or no national cyber security capabilities.” The users are often
unaware of the seriousness of the risk. Frequently networks controlling important
infrastructure are not ‘air-gapped’, or separated, carefully enough from the worldwide
internet. If one employee’s computer is not air-gapped, perhaps due to negligence, this
is enough to create the route for a determined and skilled attacker to gain entry to the
Professor Goodman’s chapter in this book also contains a wide range of
recommendations for national and international action. He begins with general
measures, which would be equally relevant to protection against accidents, disasters,
crime, or different forms of conflict than terrorism. Emergency response systems,
including ones with an international dimension, must be in place; SCADA systems
must be made more secure, with security as “a factor to be considered over the entire
life cycle of any system that is part of the CII”; and countries “must build cadres of
capable defenders” including national-level CSIRTs (Computer Security Incident
On the issue of legal measures against cyber terrorism, Seymour Goodman
mentions the need for international conventions, as well as effective national laws. The
conventions would relate to three areas: crime and punishment, infrastructure
protection, and arms control. In each case he gives examples already in place which
could guide developments in combating cyber terrorism. Among these, the agreements
on civil aviation are the best model for developing a similar legal and institutional
framework for CIIP. However, it will be difficult to gain acceptance for a CIIP
convention, especially as every country would have to sign up, otherwise measures
protecting the network could simply be by-passed. Such a convention could be under
the umbrella of the UN, and it would involve the creation of an organization to build
and certify national capabilities.
Phillip Brunst’s paper (see the chapter “Use of the Internet by Terrorists”) is a
highly analytical overview of the subject. This kind of paper is highly valuable for
those considering an appropriate legislative approach to combating terrorists’ use of
cyberspace. The overview covers both of the distinct aspects which emerged at the
ARW: cyber terrorism proper, and the issue of terrorist use of the internet for
communication, propaganda, researching targets, etc..
After discussing the advantages of cyber attacks for the terrorist (anonymity, low
cost, etc.), types of cyber attack are analyzed. In general, attacks on IT systems may
take the following three forms: (1) Hacking attacks on individual systems, (2) Denial of
Service (DoS) attacks, usually by bombarding a computer with messages so that it
cannot process anything else, and (3) ‘hybrid attacks’ which combine one or both of the
above with a conventional terrorist attack like a bombing.
(1) Hacking can be further analyzed into three types. The hacker can shut down a
computer, although here the administrator can usually recognize the problem
and restore the system rapidly. There are also so-called ‘defacements’, which
alter the information on the victim computer. Typically these are easily
recognized, especially if a hacker places a notice saying “you have been
hacked by …”. Potentially more disruptive are defacements which subtly
change figures or other information. Thirdly, there is the possibility of
introducing ‘Trojan horse’ programmes. These are silent operations, and aim
to pass undetected by virus scanners. They gather data from the target
computer (typically bank details in cyber crime) and relay it to the hacker.
(2) Distributed Denial of Service (DDoS) attacks are an effective way of putting
computers out of action for a period of time. DoS attacks bombard a computer
with vast numbers of messages, occupying all its processing capability.
‘Distributed’ attacks make use of worldwide networks of computers (so-called
‘bot-nets’, from their use of ‘robot’ software) infected with a virus which
allows them to be ‘zombies’ controlled by a ‘bot-master’. These viruses have
become very common. Terrorists would not have to control such systems. The
services of a bot-net, typically used for mass mailings, can be hired for prices
ranging between 150–400 US dollars per day.
(3) Hybrid attacks combine one or both of the above with a conventional terrorist
attack. For example, a terrorist group might combine a bombing with a DoS
attack to hamper the work of the emergency services.
Terrorists might also target the physical hardware of IT communications, like the
‘bundles’ of cables, or the so-called ‘peering points’.
All the above types of attack would harm IT data and lead to economic losses. A
more fatal kind of cyber attack is now discussed in security circles, namely attacks on
the newly-developed SCADA systems, which usually run on well-known operating
systems like Windows. Many companies now use SCADA systems to monitor and
control production or supply processes. It is clear that, if such a system is hacked, there
is a considerable danger of the kind of loss of life associated with ‘conventional’ forms
Phillip Brunst recommends measures to encourage companies to invest more in
security. Secondly, referring to Article 35 of the CoE Convention on Cyber Crime, he
sees a need for the establishment of designated communication paths within countries
and between countries to fight digital attacks. On the issue of the terrorist presence on
the internet, he sees efforts to block terrorist communications as bound to fail. These
communications should be monitored for intelligence (compare the chapters by Prof.
Gabriel Weimann and Yael Shahar).
Lt. Paul Everard attended the workshop to represent the NATO Computer Incident
Response Capability at the alliance’s European Headquarters in Belgium. His
presentation (see the chapter “NATO and Cyber Terrorism”) is an introduction to cyber
terrorism and the defensive measures NATO is taking.
Lt. Everard begins by giving numerous illustrations of cyber attacks to show what
directions cyber terrorism might take. There was the dramatic hacking of a SCADA
system controlling sewage in Queensland, Australia: “Symantec research highlighted
an Australian case where a disgruntled ex-employee, Vitek Boden, hacked into a
computerized waste management system in Maroochy Shire and caused millions of
litres of raw sewage to spill into local parks, rivers, and even the grounds of a Hyatt
Regency hotel in March 2000.”
If terrorists could replicate the destructive effects of the ‘Slammer Worm’ of
January 2003, they would score a great success in their terms. This computer worm
spread across the world in a matter of minutes, and the resultant disruption of banking,
airline, infrastructure and emergency services had a high economic cost. Lt. Everard
notes that “the safety monitoring system at a nuclear power plant was disabled for a
combined period of eleven hours.”
Paul Everard then focuses on the attacks that have been directed at NATO,
including attacks from Chinese hackers after NATO bombed the Chinese embassy in
Belgrade (1999), and a distributed attack on the NATO mail server on 09–10 August
2006, when “the attack was stopped by re-configuring the mail server to respond
correctly to the attempted e-mail relay traffic.” The organization has therefore long
been aware of its vulnerability to cyber attacks. It generally uses ‘off the shelf’
software, the vulnerabilities of which are well known to potential hackers. Also,
“although NATO’s internal networks are supposedly separated from the internet,
documents, messages and other data are being uploaded onto the internal network
With the approval of the North Atlantic Council, the NATO Computer Incident
Response Capability was added to InfoSec after 9/11. At present there is an Intrusion
Detection Systems project which will be at full operating capacity in 2008. The Prague
Summit of 21 November 2002 was attended by the leaders of NATO countries, who
signed a commitment to “strengthen our capabilities to defend against cyber attacks”.
The paper concludes that providing security can be seen in terms of the following
cycle: (1) Protect: this involves ‘system hardening measures’, and anti-malware support
for NATO projects. (2) Prevent: this means assessing and notifying vulnerabilities, as
well as conducting training and awareness-raising. (3) Detect: using intrusion detection
systems twenty-four hours a day, and checking incoming mail. (4) Respond: the teams
must be ready to respond to incidents at any time of the day or night. (5) Recover: a
recovery support service must be present, or available on-line, to ensure minimal
Both this NATO presentation, but particularly that of Ms Reet Oorn of the
Estonian Informatics Centre, Tallinn, referred to the massive DDoS attacks on the
Estonian government and institutions in April – May 2007. Ms Oorn gives a
fascinating eye-witness account of how the Estonian government fought back against
the attacks, when they were able to considerably increase their band width of their
computers (see the chapter, jointly written by Ms Reet Oorn and Ms Eneken Tikk, on
“Legal and Policy Evaluation: International Coordination of Prosecution and
Prevention of Cyber Terrorism”). The Estonians showed a united front, as government
equipment was supplemented by that of private sector companies.
Ms Oorn illustrates with detailed graphs and discusses the results of the assessment
conducted by her Informatics Centre. These showed that the attack was in two phases:
an initial phase of attacks was on a small scale, and seemed to be designed to test the
limits of the target computers. These attacks were associated with the 09 May WWII
victory anniversary important to pro-Russian Estonians, who were already protesting
violently about the prime minister’s decision to remove a statue commemorating
Russians heroes. The second phase was much more professionally organized, and hours
of bombardments by bot-nets had clearly been purchased.
In terms of the success of the attacks, it is generally agreed that Estonia, which has
some of the highest figures of internet use in the world, survived well. Two of the
biggest banks in Estonia came under heavy DDoS attacks, and on-line services were
unavailable for several hours. Attacks were also performed against critical routers at
the Internet Service Providers level, and this disrupted the government’s internet-based
communication for a short time. Some government websites experienced temporary
loss of service.
Two speakers at the ARW addressed the issue of whether legal controls can be
imposed on the internet. However, Ms Eneken Tikk (Faculty of Law, Tartu University,
Estonia), unlike Seymour Goodman, does not expect much of the UN: “One could
argue that the method of developing legal instruments that the United Nations has used
fails because it is too focused on building a consensus about … existing methods used
by terrorists. It cannot lead the fight against new methods (such as cyber terror). Thus,
we might consider using the United Nations experience as an argument to avoid an
overly reactive (rather than proactive) approach …” (see the chapter, jointly written by
Ms Reet Oorn and Ms Eneken Tikk on “Legal and Policy Evaluation: International
Coordination of Prosecution and Prevention of Cyber Terrorism”).
The Estonians’ paper contains incisive comments on the main legal instruments
concerning cyber attacks, relating these especially to terrorism. These address the
Cyber Crime Convention (ETS No. 185), which, with the Convention on the
Prevention of Terrorism (CETS No. 196), is “the most important international
instrument for fighting cyber terrorism and other terrorist use of the Internet.” However,
not enough states are party to this agreement, weakening it considerably. Also, “serious
threats to commit terrorist acts are not adequately covered either by this Convention …
this Convention should be evaluated with regard to its ability to cover technological
advances, particularly in the area of forensic investigative techniques (such as online
searches or the use of key logger software). In the fast-paced technological
environment of cyber crime, such evaluations, which frequently lead to revisions and
updates, are an absolutely normal process, especially when dealing with high risks such
as those posed by terrorism.”
In general, as with the other lawyers at the Workshop, Ms Tikk warned that
attempts at legal control of the Internet might lead to infringements upon civil liberties.
However, perhaps with the attacks on Estonia in mind, which led to almost no
prosecutions, she adds: “Should a decision to amend the Convention be taken, the
possibility of excluding the political exception clause for some of the Convention’s
offences might also be considered, especially in serious cases of data and system
The paper also gives details of amendments to the Estonian Penal Code, designed
to strengthen the hand of prosecutors if similar attacks come. Estonian politicians have
an initiative at the EU level to amend the Framework Decision on Attacks against
Information Systems 2005/222/JHA.
One other discussion of international law is offered by Police Superintendent Dr.
Süleyman Özeren. His paper (see the chapter “Cyberterrorism and International Co-
operation: General Overview of the Available Mechanisms to Facilitate an
Overwhelming Task”) discusses definitions and typologies of cyber terrorism. There is
a consideration of which of the available international organizations might most
effectively achieve “consensus-based, concrete, result-oriented co-operation”.
The papers mentioned so far examine cyber terrorism in the proper sense of the
term, and how to respond in terms of technology, awareness, and legal/political
measures. However, there is also the related question of responding to the terrorist
presence on the internet (so-called ‘terrorist contents’). Here the internet is not a
weapon, but an important tool for terrorists’ communications (co-ordination, training,
recruiting), and information gathering on the targets of planned attacks. The COE–
DAT Workshop included four fascinating papers on terrorist contents.
An undoubted expert on terrorist websites is Prof. of Communication Gabriel
Weimann, who from an early stage has been archiving literally thousands of terrorist
websites, from al-Qaida to FARC, and Hizbullah to the PKK (see the chapter
“WWW.AL-QAEDA: The Reliance of al-Qaeda on the Internet”). This project, based
at Haifa University, brings many different analytical approaches to bear on this
material, including link analysis, participant observation, language analysis, and case
Prof. Weimann’s paper reports on his project, with colourful illustrations from the
world of terrorist websites. The professor shows how, since 9/11, al Qaeda operatives
sharpened their internet skills and increased their web presence. When the Americans
drove al-Qaida from its camps in Afghanistan, the organization was dispersed and
forced to retreat into cyberspace. As Gabriel Weimann shows, they now make
extensive use of the internet, to the extent that they even rely upon it.
Also giving the ARW an account of a terrorist organization’s use of the internet,
Capt. Erdo an Çelebi has built up a wealth of knowledge, and uses a high-tech
approach, in his research on the terrorist Kurdistan Workers’ Party (PKK) (see the
chapter “A Case Study: the PKK and Cyberspace”). This is an exemplary study,
showing the amount of information that can be gathered from the Internet concerning a
single organization. It shows that the PKK has created, or is closely linked to, thirty-
eight websites. In addition to data and analysis, the paper gives some indication of the
style of the websites, and the way the PKK seeks to present itself to its various
Of particular interest is that fact that Erdo an Çelebi uses Ucinet software to
conduct various kinds of link analysis of the PKK-related sites. This technology
provides a method for demonstrating which sites were used by PKK leaders in the field,
and which are the main sites which propagate their message. This may have practical
applications: “Taking out these hubs will make the rest of the network individual
islands that have no connection to the others. The question in terms of counter
terrorism agencies is how many of these hubs have to be taken down to crash the whole
Other papers based on the phenomenon of ‘terrorist contents’ sought to give, in my
view, very contrasting practical responses.
Yael Shahar, of the Institute for Counter Terrorism in Herzliya, Israel, spoke on
“The Internet as a Tool for Intelligence and Counter-Terrorism”. Yael Shahar notes that
“The jihadi online presence is literally the physical brain of the global jihad movement.
The very openness and accessibility of this medium provides the intelligence
community with a wealth of material for foundation intelligence and analysis.”
Arguing that we should ‘tune in’ to, not try to shut down, these communications, she
pointed out that much can be learned from analysis of websites and chat-rooms about
the enemy’s situation, plans, and also weaknesses.
Shahar is also interested in exploiting these weaknesses for counter-terrorism
purposes, using the legally-shady method of ‘hacking back’, exploiting the same
anonymity and access from which the terrorists benefit. She reveals an armoury of
sowing dissent, countering propaganda, and secretly altering instructions on websites.
By contrast, Dr. Katharina von Knop proposes an open source response. Instead of
concentrating on breaking down the structures created by the enemy, here is a proposal
to build a new counter-structure. Her discussion paper (see the chapter on the
“Institutionalization of a Web-focused, Multinational Counter-terrorism Campaign –
Building a Collective Open Source Intelligent System”) focuses on the organizational
and management issues surrounding such a system. As she writes: “There is an intense
need to work on new solutions to develop effective and efficient counterterrorism
measures that follow the democratic process, values and freedoms. Knowledge
discovery, data mining techniques and data fusion play a central role in improving the
counter-terrorism capabilities of intelligence, security and law enforcement agencies.
… Having all the challenges in mind, this article will focus on the most important and
highly sensitive one, international cooperation. This contribution … highlights the most
important factors towards the development and institutionalization of an international
interagency collective open source intelligent system regarding the threat of Islamist
Dr. von Knop points out that, if such a co-operative campaign is to succeed, it will
need to be arranged in an innovative and flexible way: instead of a hierarchical
organization, there would be a network, and knowledge would be pooled. There would
be committee management, and a credit point system. Governments would be allowed
to use the resource only to the extent that they contribute good quality information and
The Collective Open Source idea is a well thought-out response to the challenge of
organizing international cooperation regarding terrorist contents on the Internet. It is a
cause for optimism that the speakers, coming from a variety of backgrounds, presented
so many practical ways in which to respond to the problem of cyber terrorism. A vital
next step is for the experts, with the support of governments and international
organizations, to agree on priorities and methods and to implement a common strategy.
Participants at the conference gained, perhaps, an impression of the form the
discussions between experts might take from the Working Groups that met at the end
of each day’s presentations. The answers that emerged from the Groups are compiled in
the last chapter of this book (see the “Summary of Working Group Discussions”).
Osman Aytaç, Col.
The History of the Internet: The Interwoven Domain of Enabling Technologies
and Cultural Interaction 1
Institutionalization of a Web-Focused, Multinational Counter-Terrorism
Campaign – Building a Collective Open Source Intelligent System. A Discussion
Katharina von Knop
Critical Information Infrastructure Protection 24
Seymour E. Goodman
Use of the Internet by Terrorists – A Threat Analysis – 34
Phillip W. Brunst
WWW.AL-QAEDA: The Reliance of al-Qaeda on the Internet 61
Cyberterrorism and International Cooperation: General Overview of
the Available Mechanisms to Facilitate an Overwhelming Task 70
Legal and Policy Evaluation: International Coordination of Prosecution and
Prevention of Cyber Terrorism 89
Eneken Tikk and Reet Oorn
The Internet as a Tool for Intelligence and Counter-Terrorism 104
NATO and Cyber Terrorism 118
Analysis of PKK/KONGRA-GEL Websites to Identify Points of Vulnerability 127
Summary of the Working Group Discussions 142
Author Index 145
2 C. Cridland / The History of the Internet
What brought the two technologies together was a project run by the US
Department of Defense’s Advanced Research Projects Agency (DARPA), which
focused research into computer connections and mass communications technologies. In
1968 DARPA called for tenders for a project called ARPANET, a system to connect
computers and transfer data ‘packets’ between them. Before this time, connections
concerned circuit switching as opposed to data transferral.
The concept of interconnected computers and some of the technologies supporting
a network had been devised a few years earlier. In 1964, the RAND Corporation
looked into a communications network that could link cities, states and military
establishments. The core issue was that the network had no central hub of authority and
so could be more resilient during a third ‘total war’, a war which, in the 1960s, was
expected to include the use of nuclear weapons.
After ARPANET’s first public demonstration in 1972, the service grew over the
following 18 years to connect new institutions, run email, newsgroups and limited
international communication. However, ARPANET was still very much an
institutionalised communication network. Running in parallel, similar academic
networks elsewhere in the world generally remained independent, constrained by the
inhibitive cost of international data connections. Meanwhile, in the public domain,
computers were generally only employed on routine work within companies or as game
players in homes. It wasn’t until the 1990s that the internet in its current form evolved.
Organisation of such a vast amount of data was becoming a key issue. Technical
solutions, such as the Domain Name System (DNS), transformed hard to remember
internet protocol numbers into easy to remember names. The Defense Data Network –
Network Information Center handled all registration services, including the top-level
domain addresses such as .mil, .org and .gov. Only in 1992, as non-defence and public
access grew, did the US Department of Defense stand back from the internet and
passed registration over to civilian contractors.
In the 1990s, the use of and applications available on the internet grew at an
astonishing rate, assisted by improving telecommunications infrastructure. With it
came the requirement to regulate protocols and domains to manage the enormous
increase in information. Bulletin Board Systems (BBS) were popular: a system where
users’ computers that were attached to modems left messages for reply on servers.
Hypertext, a concept dating from 1945, had been used in various networks as a method
of organising information.
But the real starting point for what became know as the World Wide Web (WWW)
was in 1993 through the development of graphical browsing – a web browser. Over
subsequent years, numerous web browsers were in place, and the directory system of
information sources was generally replaced by search engines that browsed for the
most relevant sites. Essentially, the internet was evolving into a popularity contest
between sites rather than a library or directory.
Innovation and market-led economics that drove a consumer appetite for new
technology played important roles in the development of the internet. Devices became
smaller in size and even portable, but also became larger in data storage and processing
capability. Prices of equipment and telecommunications costs steadily fell, making
devices more accessible to the public. Applications were being developed in two ways,
both top down by large software development companies, but also bottom up from
intensive personal users. It was this participatory culture of technological development
of the World Wide Web that brought about the largest changes in how the world
received its information.
C. Cridland / The History of the Internet 3
Democratisation in the ‘Information Society’
The revolution will not be televised
– Gill Scott Heron3
Pre-dating the internet, newsgroups and e-mail gave users the ability to exchange
information and pass it around without the need for a filter or mediator. As the internet
grew, so did the sources of information available to users. This ‘source bombardment’
has had a number of consequences for the traditional mass media of print and
broadcasters, as well as the actors who use it (such as politicians and advertisers).
The vast number of information sources available to an internet-enabled society
has seen a dilution of a single mass audience into multi-source, self-assessing
segments. New media in the early 21st century is a participatory, user-driven
information environment, far from the linear platform of the mass media that delivered
information through a ‘gatekeeper’ to a passive mass audience. These outlets – radio,
television stations and newspapers – were capital intensive and subject to varying
levels of government or government-inspired intervention or regulation. Information
ownership in the mass media was, therefore, somewhat privileged. In contrast, new
media, driven by technological change in telecommunications, has undermined this
sphere of knowledge ownership and the singular authority of mass media companies.
As a result, content ownership is becoming more complex. Bloggers and websites
present information in new forms from traditional, mass media sources that they can
link back to other websites. Widely available (and easy to use) editing software means
images and sounds can be edited into something completely different and re-published
in their new form. Downloading music and movies from site to site is an ongoing
challenge to copyright holders, just as copying (or ‘pirating’) music to audio cassette
once was, but the scale of the global proliferation of copying is unprecedented.
However, we’ve been here before. ‘Counter-culture’ always used ‘grassroots
media’ (folk songs, posters, leaflets, public meetings) rather than the more traditional
mass media of radio and television to message audiences. The alternative sources now
residing on the internet are merely offering new platforms to the old grassroots, and
potentially giving them a global audience.
Arguably, the growth in the popularity of alternative sources is also driven in part
by the demise of the large audience once afforded to the mass media. In the UK,
circulation figures for the national newspapers have been in a general decline since the
1950s, and television audiences are regularly no higher than eight million for the most
popular programmes, a fall of nearly ten million in the past twenty years. Academics
cite a number of reasons for this demise, from the availability of multi-platform
satellite and digital television stations that fracture the audience into smaller viewing
groups, to a perception that the content of the mass media is serving the interests of
advertisers and financial backers as opposed to audiences.
Heron’s song lyric became the title of the memoirs of Joe Trippi, the campaign manager of 2004 US
Presidential candidate Howard Dean. Trippi used a number of new media and grassroots platforms to
promote and raise money for Dean’s campaign.
From Jenkins, 2006.
4 C. Cridland / The History of the Internet
On-line Strategic Communications – A Bowl of Noodle Soup
The internet has enabled self-publishing, which means governments, companies,
special interest groups and individual members of the public have – in theory at least –
an equal voice. It is a place where narratives and counter-narratives compete for
attention, and a place where conspiracies unwind without media filtration. Equally, the
power of message interpretation is no longer with the mass media ‘gatekeepers’, but
with personal members of an audience. Both have significant consequences for anyone
engaged with public messaging.
Messages are now available multi-platform, being sent as digital audio, text or
instant messaging, to a number of static and portable devices. These can be sent
simultaneously from a single source to different receivers, or as unconnected multiple
sources. One no longer has physically to visit websites to gain information. Really
Simple Syndication (RSS) feeds can lead users, once they have subscribed to the feed,
not needing to visit a website at all. Memes (a term originally coined by a biologist and
evolutionary theorist to describe how cultural information propagates between minds),
are items that spread quickly across the internet via virtual word of mouth and self-
publishing. Meme tracker sites, such as ‘techmeme’ and ‘tailrank’, track the most
popular items on the internet.
The information age is like a bowl of noodle soup – a mass of communication
strands from sender to user floating in a soup of information. A user takes one strand at
a time, maybe several, depending upon how big the user’s fork is. The vast array of
sources means the audience, unable to digest them all at once, is now self-selecting
within their own agendas. Separating and recognising fact from an author’s opinion is
just one of the issues facing information consumers.
Audiences are constructing individual hierarchies of sources. Some place their
trust in the information received from mass media outlets over a blog or chatroom; for
others, the hierarchy is different, putting information gained from virtual contact above
that of the mass media. This is an evolving area of understanding, but it stems from
what sources are perceived to be important on which subjects to which members of the
audience. Local events in my street are important, but I wouldn’t find them reported on
a national radio bulletin (unless the event was particularly serious). Similarly, timely
news about my extended family elsewhere in the world would be achieved through
telecommunications – hearing and seeing them via the internet, perhaps – not through
the channels of the mass media. Arguably communications has always been thus, but
the connected environment has changed perceptions of what events are now important
Time Space Compression
The speed of information is wondrous to behold. It is also true that speed can multiply
the distribution of what we know to be untrue.
– Edward R. Murrow
Advances in telecommunications means that multiple channels and democratic
information is travelling faster across greater distances: geographical place is no longer
relevant. As audience members pick and choose their credible sources, nation-
statehood may not enter the equation as credible boundaries to information or
C. Cridland / The History of the Internet 5
communication control. The popularly of social networking is that friends in a physical
space (such as a school or workplace) can keep in touch virtually when they are
geographically separated. The mass media news agenda, too, ‘chases the sun’ across
the globe, with global outlets setting the day’s agenda in Australasia and chasing the
rising sun across the continents into the Americas. Indeed, searching the front page of
Google News at 0900GMT is more likely to consist of stories from Asia than if one
visited the site at 1800GMT when North American stories dominate. As Will King of
CNN once said, ‘it’s always prime time somewhere’.5
This is compounded by devices that converge new media platforms, such as a
mobile telephone with an embedded camera and an e-mail capability. Information can
be supplied instantly in a number of formats (or ‘cross-platform’). For the mass media
and those engaged in message campaigns, dominant narratives on traditional platforms
are challenged by alternatives at the same speed – in many cases, faster. Uploading a
message into the public sphere of the internet is now instant and it will be only a matter
of time before the quality of pictures improves to mass-media broadcast standard.6
The opposite of speed is also true. Information now has greater longevity in the
new media sphere through archiving and smart searching (the so-called ‘long tail’). In
the media and public sphere, after an initial burst of activity a piece of information is
replaced by new pieces of information and generally forgotten as the day progresses;
accessing certain platforms on the internet means that the first piece of information can
live on, and even re-emerge into the public sphere.
Terrorist Use of the Internet
What of terrorists, extremists and criminals and their use of the internet? I argue they
use the technologies available to them in the same way as any other group on-line.
Recruitment, fundraising, the promulgation of ideologies and ideas, through to
planning, co-ordination and publications are equally valid for a charity organisation or
a workplace as for a group engaged in criminal activities.
Fear of what opportunities the internet could provide a criminal is a similar fear
which was afforded to telephones, radio or television in their early inceptions (Furedi,
2006). For instance, the development of television during the late 1930s in the UK was
put on hold until the end of the Second World War. What the internet and mass
communications have changed is the ease of accessibility to broadcast messages to
The Future of the Internet
Globalisation, as defined by rich people like us, is a very nice thing… you are talking
about the internet, you are talking about cell phones, you are talking about computers.
This doesn’t affect two-thirds of the people of the world.
- Jimmy Carter
Cited in Campbell, 2004.
Arguably, some mass media outlets are willing to take a loss of picture quality over the immediacy or
alternative narrative of a story. This is illustrated by the UK broadcast media’s almost regular use of mobile
telephone pictures from witnesses and CCTV pictures.
6 C. Cridland / The History of the Internet
There are a number of scenarios that could affect the internet in the years to come,
ranging from flourishing success to collapse. Technological change will continue to
drive development, but so will government legislation and economics. There are parts
of the world where the national infrastructure is undergoing change and development,
from the availability of the one hundred-dollar laptop to digitisation and broadband.
The world use of the internet is still in the minority, at only 17.8% in June 2007
(around 1.1 billion people), but that is an increase of some 225% since 2000.7
Regulation and censorship of the internet will shape its future architecture. The
trans-national nature of global communications has proven difficult for nation states to
govern, and even the supranational European Union’s collective legislation of
television in the new multi-platform environment has been problematic. National
constraints in one country do not necessarily hold true in another, which may lead to
not one internet, but several running in parallel and operating with varying degrees of
filtering and censorship.
Economics is also a key influence. Disposable incomes in developed countries
have generally driven the internet’s guises, and should financial buoyancy begin to
slow or reverse, then the buying power of consumers may also slow down and the take-
up of converged devices or higher speed telecommunications may reduce.
The physical infrastructure of the internet could also be at risk. As users become
ever more reliant on networked computers in everyday life, telecommunications, power
supplies and hardware resilience become prime targets for hacking. An earthquake
knocked out an underwater telecommunications cable – and, therefore, the internet – to
parts of Japan for nearly a week earlier in 2007. Unreliable infrastructure has stifled the
development of the internet in many parts of the world, particularly in rural regions,
and such problems could be its undoing. Catastrophic failure of the internet could also
come from within as a malicious code or virus may be so virulent as to close down
servers or cause large scale communications damage.
After its beginnings as a tool to support the war fighter and assist civilian resilience, the
commercial incarnation of the internet and its supporting technologies has been a
significant driver of enormous technological change across the world. Many academics
judge these changes to be the most extensive since the invention of the telegraph. There
is now a generation of people who have not known a time without the internet as part
of their information space. We live in a congested, self-selecting media environment.
The public sphere has grown beyond recognition, giving individuals and groups greater
opportunities to communicate directly to a target audience.
But there is still a legitimate role for the multinational conglomerate mass media.
Surveys in 2006 have shown ‘traditional’ media sources are considered to be more
credible than new media sources, although some argue that this position is continually
eroding. Additionally, such organisations are one step removed from the content that
appears on-line, instead the businesses own the platform, the host site and the
telecommunications providers. Traditional mass media is not in a twilight age, but we
Internet World Stats from June 2007, accessed from http://www.internetworldstats.com. The highest
penetration of the internet into a population is in North America, Australasia and Europe. The largest number
of users is in Asia, Europe and North America.
C. Cridland / The History of the Internet 7
live in a noisy message environment, and the internet is forcing all of us engaged in
delivering and consuming messages to be somewhat more selective about the ones we
wish to influence us.
Campbell, V (2004), Information Age Journalism, London, Arnold
Freedman, D (2006), ‘Internet Transformations: ‘old’ media resilience in the ‘new media’ revolution’ in
Curran, J. and Morley, D (eds), Media and Cultural Theory, London, Routledge, pp 275-290.
Furedi, F (2006), Culture of Fear Revisited, London, Continuum
Kember, S (2006), ‘Doing Technoscience as (‘new’) media’ in Curran, J. and Morley, D (eds), Media and
Cultural Theory, London, Routledge, pp 235-249
Jenkins, H (2006), Convergence Culture, New York, New Yorkshire University Press
Nacos, B (2007), Mass Mediated Terrorism: The Central Role of the Media in Terrorism and
Counterterrorism, 2nd edition, Lanham, Rowman & Littlefield
Ryan, J (2007), Countering Militant Islamist Radicalisation on the Internet: A User Driven Strategy to
Recover the Web, Dublin, Institute of European Affairs
Quotes from http://www.brainyquotes.com
K. von Knop / Institutionalization of a Web-Focused, Multinational Counter-Terrorism Campaign 9
Islamist radicalization in recent years.1 Intense investments have been made to prevent
classical terrorist violence but the western countries remain highly vulnerable to cyber
attacks against the computer networks that are critical to national and economic
security. The growing complexity and interconnectedness of these infrastructure
systems, and their reliance on computers, not only makes them more vulnerable to
attack but also increases the potential scope of an attack’s effects. The fear which has
prompted the governments to pump significant resources into protecting the critical
national infrastructures (CNI) is that al-Qaeda is determined to use cyber terror to cause
damage which leads to loss of life and economic catastrophe. One type of online
operational activity is the use of hacking techniques to sabotage Internet sites – what
the Islamists term “electronic jihad”. As part of this activity, Islamist hackers attack
websites of those whom they consider their enemies with the aim of damaging morale,
and they attempt to hack into strategic economic and military networks with the aim of
inflicting substantial damage on infrastructures in the West. Many Islamist websites
and forums have special sections devoted to the topic of electronic jihad, such as the
electronic jihad section in the Abu Al-Buhari forum.2 These developments require
effective and efficient counter- and antiterrorism measures.
The dry textbook definition of cyber terrorism is terror which is directed at
automated systems directly or that uses automated systems to disrupt other critical
infrastructure systems that they support or control. Cyber attacks generally consist of
directed intrusions into computer networks to steal or alter information or damage the
system; malicious code, known as viruses or worms, that propagates from computer to
computer and disrupts their functionality; or denial of service attacks that bombard
networks with bogus communications so that they cannot function properly. It has to be
noted that the motivations for an attack can vary widely: attackers range from hackers
bent on proving their skills to others in the hacking community, to criminals stealing
credit card numbers, to extortion rings, to foreign intelligence services stealing military
or economic secrets, to terrorists or foreign armies wanting to cause widespread
damage to the western countries.3 The arsenal of modern weapons that terrorists and
other unfriendly entities might someday use to disrupt power grids, gas lines and other
parts of the nation’s critical infrastructure includes conventional weapons as well as
bits and bytes – in other words cyberterror attacks.
The global nature of the Internet and telecommunications networks means that
cyber attacks can be launched from anywhere in the world, at low cost, and with
incredible speed. With current technology, it is nearly impossible to predict in advance
when an attack may begin. There is no longer the luxury of the 20-minute window
from launch to landing of a nuclear-tipped intercontinental ballistic missile as there was
in the Cold War. Cyber attacks therefore require swift responses and effective
cooperation with international counterparts to detect and respond to an attack once it is
Ministerie van Binnenlandse Zaken en Koninkrijksrelaties, National Coordinator for Counterterrorism
(NCTb), Jihadis and The Internet, 2006.
Memri, The Enemy Within: Where Are the Islamist/Jihadist Websites Hosted, and What Can Be Done
about It? The Middle East Media Research Institute, Inquiry and Analysis Series, No. 374, July 19, 2007,
Several nations like the US, Russia and China have already developed cyber warfare or “information
warfare” doctrine, programs, and capabilities. Other often cited examples are France, Israel, India and
Pakistan. The Defense Department’s Foreign Technology Assessment (FTA) for 2000 suggested that around
25 countries may now have the ability to carry out significant cyber attacks.
10 K. von Knop / Institutionalization of a Web-Focused, Multinational Counter-Terrorism Campaign
Potential adversaries like terrorist and organized crime organizations as well as
state actors like China4 are looking for the weaknesses in the governmental information
infrastructure of the continental countries and mapping out where and how they would
mount a cyber attack or how they could “just” use the Internet for their businesses like
propaganda, recruiting, data mining, funding etc. In 2002 US officials discovered an al-
Qaeda safe house in Pakistan devoted solely to training people for computer hacking
and cyber warfare. “Calling it a “cyber academy”, intelligence officials said al-Qaeda
operatives gathered information and expertise on the automated systems that control
U.S. infrastructure, such as dams and power grids.”5 In June 2006 a hacker penetrated
an unclassified Pentagon email system, prompting authorities to take as many as 1,500
accounts offline, US defence officials said.6 “Confidential documents about
supervisory control and data acquisition (SCADA) systems, for instance, have been
found in al-Qaeda hiding places in Afghanistan, while the Irish Republican Army has
said it plans cyber attacks on crucial supply systems.” 7 Scotland Yard has uncovered
evidence that al-Qaeda has been plotting to bring down the Internet in Britain. In a
series of raids, detectives recovered computer files revealing that terrorist suspects had
targeted a high-security Internet “hub”, the headquarters of Telehouse Europe in
London.8 For almost two years, intelligence services around the world tried to uncover
the identity of an Internet hacker who had become a key conduit for al-Qaeda. The
Internet and computer savvy individual, presumably a young webmaster, taunted his
pursuers, calling himself Irhabi – Terrorist – 007. He hacked into American university
computers, propagandized for the Iraqi insurgents led by Abu Musab al-Zarqawi and
taught other online jihadists how to wield their computers for the cause. Suddenly in
Fall 2005, Irhabi 007 disappeared from the message boards. The postings ended after
Scotland Yard arrested a 22-year-old West Londoner, Younis Tsouli, suspected of
participating in an alleged bomb plot. The terrorists who congregate in these cyber
communities are rapidly becoming skilled in hacking, programming, executing online
attacks and mastering digital and media design – and Irhabi was a master of all those
Even if terrorists have not yet demonstrated the capacity to carry out a large scale
web-based terrorist attack, that does not mean they have not achieved the necessary
level of expertise to do it. This situation is alarming when one considers that we have
many thousands of airports, chemical plants, federal reservoirs and of course power
plants, most of whose integral systems are operated and controlled by sophisticated
computer systems or other automated controllers.
The broad diversity of potential sources of attack, our reliance on information
systems that are inherently insecure, and the international dimension of both cyber
attacks and governmental responses raise a host of complicated policy questions and
cultural challenges for governmental security institutions. These include how best to
improve the state of cyber security: what can be done to improve international
interagency cooperation on stemming cyber crime and preventing and responding to
Chinesische Trojaner auf PCs im Kanzerlamt, in: Spiegel Online,
Rick White and Stratton Sclavos, Targeting our Computers, in: Washington Post 15.08.2003, pg A. 27.
Correspondents in Washington, Pentagon Email hacked, in: Australian IT, 22.06.2007,
Blau John, The Battle against Cyberterror, in: Network World, Vol. 21, Issue 48; pg. 49.
David Leppard, Al Qaeda plot to bring down UK Internet, The Sunday Times, 11.03.2007.
K. von Knop / Institutionalization of a Web-Focused, Multinational Counter-Terrorism Campaign 11
cyber terrorism; and cyber warfare. Having all the challenges in mind this article will
focus on the most important and highly sensitive one, international cooperation.
2. The M.U.D. Approach
The different types of terrorist activities and different levels of web-based
radicalization on the Internet require appropriately differentiated responses. One such
response is based on what Prof. Gabriel Weimann termed, at the NATO ARW
“Hypermedia Seduction for Terrorist Recruiting”, held in September 2006 in Eilat
Israel, the “M.U.D.” approach (Monitoring, Using and Disrupting).
First, terrorist websites need to be monitored to learn about their mindsets,
motives, persuasive “buzzwords”, audiences, operational plans and potential targets for
attack. This form of knowledge discovery refers to non-trival extraction of implicit,
previously unknown and potentially useful knowledge from data. Monitoring forums,
blogs and other frequently updated sites are increasingly a focus of attention. New
methods to monitor the so called “hidden web” have to be improved. The hidden web
is that part of the Internet which search engines cannot access. Some estimate that the
hidden web is actually 95% of all Internet content.
Second, counterterrorism organizations need to “use” the terrorist websites to
identify and locate their propagandists, chat room discussion moderators, Internet
service provider (ISP) hosts, operatives and participating members. The retrieved data
needs to be archived to enhance the learning process and to identify social networks. A
social network consists of a web of connections between people, between people and
events, and between people and organizations. There are mathematical techniques
which among other things can: identify clusters of people within a network, display a
network in the best and clearest way, identify key persons within a network, and
measure the robustness of a network. Integrated Early Warning Systems are an
Third, terrorist websites need to be “disrupted” through negative and positive
means. In a negative “influence” campaign, sites can be infected with viruses and
worms to destroy them, or kept “alive” while flooding them with false technical
information about weapons systems, circulating rumours to create doubt about the
reputation and credibility of terrorist leaders, or inserting conflicting messages into
discussion forums to confuse operatives and their supporters. In a more positive
approach, alternative narratives can be inserted into these websites to demonstrate the
negative results of terrorism or, aiming at potential suicide bombers, to suggest the
benefits of the “value of life” versus the self-destructiveness of the “culture of death
It has to be noted that “disruption” of relevant websites conflicts with
“monitoring” and “using”. For instance Country X would like to monitor a specific
chat room and country Y would prefer to disrupt this website by negative means. That
could cause disagreements, and to avoid such conflicts, to save resources, and to carry
out an effective and efficient web-focused counterterrorism campaign, an international
interagency decision-making and harmonizing committee should lead that approach.
However, an effective “M.U.D.” approach depends on several conditions. It must
be interdisciplinary, involving experts in communications and rhetoric, psychologists
12 K. von Knop / Institutionalization of a Web-Focused, Multinational Counter-Terrorism Campaign
who understand the impact of influence campaigns on their targeted audiences’
cognitive and behavioral responses, graphic designers and Islam experts who
understand the type of graphic interface and layout that would appeal to such potential
audiences, and civil liberty attorneys to ensure that such influence campaigns do not
infringe constitutional rights of free speech and expression.
This is a dynamic arena of continuous feedback loops in which our actions must
ceaselessly anticipate and respond to the reactions of the targeted terrorist websites. For
instance, when a website is brought down, it usually re-emerges with a different
configuration elsewhere. Moreover, we need to prioritize the audiences to be targeted
by such influence campaigns. For example, devoted activists may be considered a lost
cause, while potential recruits who have not yet been activated into terrorism represent
new opportunities for influence operations.
Such influence campaigns must be led by moderate political and religious leaders
from Islamic communities who formulate alternative messages and narratives to the
radical Islamist ideologies. Here, further differentiation is required because, for
example, mainstream Islam in the Middle East will be different to its counterparts in
Southeast Asia or Europe.
Above all, such a response requires new counterterrorism “armies” possessing new
strategies, capabilities, tactics and cyber weapons to counteract the Jihadi websites.
Intense intergovernmental, interagency and international communication and
harmonizing processes embedded in an institutional framework and clear defined rules
of the game are required to make such a campaign effective and efficient.
K. von Knop / Institutionalization of a Web-Focused, Multinational Counter-Terrorism Campaign 13
3. Responses of the European Union
The EU has implemented the first steps towards institutionalizing such an approach. It
has recognized the threat of how terrorists are using the Internet for their purposes. In
its strategy and action plan for combating radicalization and recruitment to terrorism
(doc 14781/1/05 and doc. 14782/ 05) the EU calls for measures to combat terrorist use
of the Internet: “We need to spot such behaviour by, for example, community policing,
and effective monitoring of the Internet and travel to conflict zones. (…) And we will
examine ways to impede terrorist recruitment using the Internet.”9
The EU also emphasizes that the activities of the member states have to be
accompanied by action at the EU level. In its conclusions of 15/16 June 2006 (doc.
10633/06 CONCL 2), the European Council expressly asks the Council and the
Commission to develop measures to prevent the misuse of the Internet for terrorist
purposes while at the same time observing fundamental rights and principles: “The
European Council calls for the implementation of the action plans agreed under the EU
Counter Terrorism Strategy, including the strategy against radicalization and
recruitment, to be accelerated. Work must also be sped up on the protection of critical
infrastructure. The European Council awaits the Commission’s first programme in this
connection as well as concrete proposals on detection technologies. The Council and
the Commission are also invited to develop measures to combat the misuse of the
Internet for terrorist purposes while respecting fundamental rights and principles.” 10
The EU member states and Europol are already actively monitoring and evaluating
terrorist websites. The Council supports the initiative “Check the Web”, which aims at
strengthening cooperation and sharing the task of monitoring and evaluating open
Internet sources on a voluntary basis “(…) there is also scope to strengthen cooperation
on an EU basis, specifically with regards to monitoring and evaluating Islamist terrorist
websites. Many Internet pages in various languages have to be monitored and
evaluated, which requires enormous technical and human resources. Due to the huge
quantity of Internet pages in use, problems arise on a national and international level
concerning the quantity and quality of resources, especially with a view to the language
skills needed. It is hardly possible for one individual member state to cover all
suspicious terrorism related activities on the Internet. Monitoring and evaluating the
Internet should therefore be intensified by sharing this task on a voluntary basis among
the member states, taking advantage of the special language and professional
competence of the relevant authorities of the individual member states. In addition to
sharing information via Europol, member states may also choose to divide labour
amongst themselves on a voluntary basis to achieve the most efficient use of resources.
However, irrespective of potential distribution of priorities the responsibility of
deciding whether to monitor, interrupt or shut down specific websites remains with the
member states. In all of this work the activities of the various actors (member states,
the Commission, Europol, SitCen, et al.) have to be coordinated in a targeted way.” 11
To reach this goal Europol is building the information portal as a technical
platform for information exchange among member states. “It will contain the following
Council of the European Union doc. 14781/1/05, subject: The European Union Strategy for Combating
Radicalisation and Recruitment to Terrorism, 24. 11. 2005, p. 3.
Council of the European Union, subject: Presidency Conclusions, doc. 10633/06, P.5.
Council of the European Union, subject: Council Conclusions on cooperation to combat terrorist use of
the Internet 8457/2/07, p. 3.
14 K. von Knop / Institutionalization of a Web-Focused, Multinational Counter-Terrorism Campaign
modules, for which the member states provide their data and to which all member
states have access:
• Contact persons for strengthening the expert network;
• Lists of links to monitored websites for mutual information;
• Additional information (special language competence in the individual
member states, technical expertise, possibilities of legal action against terrorist
websites) that enables the sharing of resources;
• List of announcements by terrorist organizations, to aid in combining
• Evaluation results to avoid duplication of work.”12
Europol will expeditiously extend the information portal on contact persons, link
lists and lists of statements by terrorist organizations. The establishment of this
information portal should facilitate a significantly increased quality of cooperation
between the member states in monitoring and evaluating Islamist terrorist websites. It
is planned to provide a platform where member states can make their information
accessible to each other, thus compiling the knowledge available within the EU.
Member states will have direct and fast access to information on the work performed
by other member states and their results. In urgent cases direct contact can be
established and cooperation can be coordinated through the list of national contact
persons. In addition, initial steps were taken to strengthen cooperation, on a voluntary
basis, under the principle of the division of labour amongst interested member states.
The success of this information platform depends on the willingness of the EU
member states to provide useful data and it might be a disadvantage that so far just EU
countries participate at this project.
4. Towards a Collaborative Terrorism Data Fusion Centre
The general wisdom and truth is that the terrorism threat forces governments to expand
its legal and law enforcement powers and many of them are just implemented on a ad
hoc basis and/or without conducting effectivity analysis. The terrorist organization and
the individual are in a power position because they force the governments to act. But
new laws are useless when they are being institutionalized without an expansion of
good educated human capabilities. New powers in terms of intelligence, surveillance,
data collection, etc., only make sense when at the same time data interpretation and
analysis capabilities are to be expanded as well. The most valuable resource in addition
to HUMINT is the good educated analyst. A good analyst has not only excellent
knowledge of the topic and the target communities, he or she has high language
abilities, knows how to think like the enemy to evaluate the data, has a tremendous
knowledge of quantitative and qualitative analysis techniques and methods, and
additionally the analyst knows how and in which context the data has been collected.
Technical solutions have their value but also their abilities are limited. Having in mind
that Islamist terrorism is a common threat for many countries, it would make sense, on
the basis of a rational cost-benefit analysis, to cumulate/pool resources. It will be
assumed that, for instance, the same radical Islamic website, forum or chat room will
be observed by several intelligence agencies at the same time. That means a waste of
Ibid., p. 4-5.
K. von Knop / Institutionalization of a Web-Focused, Multinational Counter-Terrorism Campaign 15
the high value human analysis resources. To make such a system work specific factors
have to be taken into consideration.
I assume that no international security threat has facilitated governmental
cooperation on the levels of politics, intelligence and law enforcement to the extent
terrorism has. I propose the notion of “synergy”, and that 2+2=5, implying that
governmental institutions could attain a competitive advantage by joining forces. Bi-
and multilateral agreements and strategic alliances were the first wave of networking in
the name of internationalization and expansion of effective and efficient
counterterrorism. The United Nations, the European Union and the OECD have proven
to be successful platforms for harmonizing counterterrorism policies. Interpol, Europol,
and shadowy organizations like the Club of Berne or the Security Alliance in Paris are
examples which show that, in the face of the threat of terrorism, the institutionalization
of functional cooperation and information-sharing on the level of law enforcement and
intelligence is possible.
This section discusses how such a virtual and physical network(ed) organization
can be theoretically organized, and how geographically dispersed knowledge analysts
can collaborate virtually for a project in the absence of classic central planning. Even if
for many people these thoughts seem to have much in common with dreams, sooner or
later governmental institutions cannot avoid the implementation of such a system if
they are to have a serious chance of combating terrorism in the long term. Co-
ordination, management and the role of knowledge arise as the central areas of focus.
The planned study proceeds to the formulation of a framework that can be applied to a
web-based counterterrorism method in the sense of virtual decentralized work and
concludes that value creation is maximized when there is intense interaction and
uninhibited sharing of information between the organizations and the surrounding
community. Therefore, the potential success or failure of this organizational paradigm
depends on the degree of dedication and involvement by the surrounding community.
Recent technological achievements have enabled governmental organizations to
become more centralized, or decentralized, according to their strategic and cultural
orientation, and they have further enhanced the efficiency of managing organizational
goals. However, centralization is still the prevailing mode of management.
To date, the existing organizational and management theory that examines the
“virtual network(ed) organization” is not clear. It does not provide more than a basic
explanation of how one could boost technological capacity so that emerging
governmental opportunities are seized by flexible organizations which together face a
global threat, namely terrorism.
Similarly, no in-depth analysis has been carried out regarding the management of
such a governmental “virtual organization” and the key factors that play a decisive role
in the viability and potential success or failure of this fluid organizational structure.
One of the reasons behind the lack of extensive research and literature on “virtual
organizations” is merely that this presents an emerging phenomenon or organizational
5. Framework/System Analyses
Before our M.U.D. approach can be embedded in an international institution a
framework/system analysis should be conducted which will take all relevant paradigms
16 K. von Knop / Institutionalization of a Web-Focused, Multinational Counter-Terrorism Campaign
and factors into consideration. The framework analysis draws upon key features of
major organizational paradigms (participation, levels of participations, continuous
improvement, organizational learning, rules of the game, technological equipment, etc.)
and how these are managed. The key factor may be the creation of an access for
consuming and providing open source material and analyses that enables a common
computing and communications infrastructure. The heart of this system might be a
technological platform with analytical tools and databases of open source data. The
challenging factors are trust and symmetry. Potential parties to a shared infrastructure
can rationally trust it more if they can see how it works all the way down, and will
prefer an infrastructure in which all parties have symmetrical rights to one in which a
single party is in a privileged position to extract fees or exert control. For this reason
the institution should be virtually and physically led by a committee consisting of
representatives of the participating institutions. To avoid a situation where a
participating country just consumes the data provided by other participants, a sort of
credit point system should be established. This system should guarantee that the parties
are allowed to consume as much data as they have provided.
6. From Hierarchies to Joint Governmental Networks
There is an old saying in military planning: “Get the command and control
relationships right, and everything else will take care of itself.” It is a common sense
acknowledgement that people provide solutions only if they are well led in a functional
organization. The concept of the hierarchy of governmental security institutions is built
on three assumptions: the environment is stable, the processes are bureaucratic and the
output is definable and more or less predictable. Obviously, these assumptions no
longer apply to cyber terrorism. Governmental organizations are controlled by
hierarchies, and the counterterrorism departments should be linked according to a
paradigm that relies on open and adaptive systems that promote learning, co-operation
and flexibility, and that takes the form of networks of governmental analysts, artificial
intelligence labs and research institutions instead of individuals. The system should be
based on open source analyses, should focus on tactical and strategic issues using
participation and empowerment, team accountability, matrix arrangements (flexible
positions and responsibilities based on the abilities of the participating institutions),
information networking, and initiatives for improvements should emanate from all
directions on a regular basis.
While military and governmental institutions do not like committees, a committee
structure might be most effective for command in a web-based counter-terrorism
campaign. There should be an executive committee for every major technical
subdivision. Each committee must include all key personnel involved in the
counterterrorism: police, intelligence officers, economic developers (to include NGOs),
public services ministers, and the military. The committees must be in charge and have
full authority. Committee members must not be controlled or evaluated by their parent
agencies at the next level up; otherwise, the committee will fail to achieve unity of
K. von Knop / Institutionalization of a Web-Focused, Multinational Counter-Terrorism Campaign 17
Table 1. Hierarchies and joint governmental networks.
Hierarchy Networked organization
Structure Hierarchal Networking and pooling
Scope Internal, closed External, open
Resource focus Classified Open source
State Stable Dynamic
Direction Commands, bureaucracy Committee-management
Basis of action Control Empowerment to collect
and to provide
Basis of compensation Credit-point system: based
on the amount and quality
of the provided data, the
are allowed to use the
material provided by the
7. System Theory
The underlying assumption that such a virtual and physical networked organization
might work has its roots in the System Theory. System Theory is the trans-disciplinary
study of the abstract organization of phenomena, independent of their substance, type,
or spatial or temporal scale of existence. It investigates both the principles common to
all complex entities, and the (usually mathematical) models which can be used to
describe them. A system can be said to consist of four things. The first is objects – the
parts, elements, or variables within the system. These may be physical or abstract, or
both, depending on the nature of the system. Second, a system consists of attributes –
the qualities or properties of the system and its objects. Third, a system had internal
relationships between its objects. Fourth, systems exist in an environment. A system,
then, is a set of things that affect one another within an environment and form a larger
pattern that is different from any of the parts. The fundamental systems-interactive
paradigm of organizational analysis features the continual stages of input, throughput
(processing), and output, which manifest the concepts of openness/closedness. A closed
system does not interact with its environment. It does not take in information and
therefore is likely to atrophy, that is, to vanish. An open system receives the
information which it uses to interact dynamically with its participating elements.
Openness increases its likelihood of survival and prosperity. Several system
characteristics are: wholeness13 and interdependence, correlations, perceiving of
causes, chain of influence, self-regulation and control, goal-orientation, interchange
with the environment, inputs/outputs, the need for balance/homeostasis, change and
adaptability (morphogenesis) and equifinality (there are various ways to achieve goals).
Communication from this perspective can be seen as an integrated process.
The whole is more than the sum of the parts.
18 K. von Knop / Institutionalization of a Web-Focused, Multinational Counter-Terrorism Campaign
8. Creating an Intelligent System
Such open systems are called openflows. An openflow is a cluster of initiatives, people
and computers who create platforms, projects and concepts for the development of
Open Source Intelligence (OSINT). The technologies of the Internet allow us to
develop new ways of collaboration, ways that are more open, more collaborative, less
hierarchical and, also, more efficient. The Open Source Software movement has shown
this. However, real change does not come easily, and in each context it raises different
challenges. The openflow aims to help address these challenges, both in terms of its
technological aspects and in terms of its organizational and conceptual dimensions.
In addition to particular features, these communities display overall organization
patterns similar to those seen in other organization types, including both natural and
artificial systems. Self-organizing processes are processes known in different kinds of
communities’ software developers, as well colonies and open-source communities. The
most well-known open-source community might be Wikipedia. The strength of
Wikipedia is not the technology, but the massively collaborative effort of thousands of
decentralized brains that the technology enables. Take, for example, the Wikipedia
entry for Moqtada al-Sadr. Mr. Sadr’s entry in this free encyclopaedia that anyone can
edit has been modified approximately 500 times by about 50 people in the past three
years. These motivated authors have expanded the entry and corrected hundreds of one
another’s errors or omissions. Readers can “vote” the most accurate and relevant
information to the top, giving them enough credibility to be taken seriously. These
communities practice an ongoing collective learning process and collective
intelligence. Based on the assumption that 80% of radical Islamist terrorism
information is open source and available, a huge amount of this data could be collected
in the Internet (websites, open communication platforms), and relevant analysis can be
generated just using this data. Collaborative analysis in a networked multinational
interagency system would save resources and would increase the output.14
The new tools of US Intelligence include a federated search engine called Oogle15
and Intellipedia, a controversial intelligence data-sharing tool based on Wiki social
software technology. Intellipedia runs on JWICS, SIPRNet, and Intelink-U and the
server can not be reached over the Internet. Intellipedia uses MediaWiki, the same
software used by the Wikipedia free-content encyclopaedia project.16 It might be worth
thinking and discussing how a similar and improved system could be developed on an
9. Qualitative Research of Open Sources
I estimate that 80% of the information regarding radical Islamist terrorism is provided
via open sources and a large amount of this data is being communicated in the world-
wide web. Open source research covers a much wider field than just news monitoring.
Dizard, Wilson P. Spy agencies adapt social software, federated search tools, in: GCN
Google also provided its hardware and software system, which includes proprietary algorithms that
intelligence IT managers praise highly, to the Army, the Energy Department and other agencies in the
Wikipedia for Intel Officers Proves Useful, National Defense Magazine
K. von Knop / Institutionalization of a Web-Focused, Multinational Counter-Terrorism Campaign 19
Investigations often need to locate and retrieve thousands of potential documents,
pictures, videos, etc., from the Internet. The relevant data of radical Islamists are not
inherently quantitative, and can be bits and pieces of almost anything. They do not
necessarily have to be expressed in numbers. Frequency distributions and probability
tables can be useful but a lot of data can come in the form of words, images,
impressions, gestures, or tones which represent real events or reality as it is seen
symbolically or sociologically. To develop such a collaborative integrated system the
first step would be to identify a joint definition of open sources and OSINT. OSINT is
collected from information that is openly available to the public. An open source can be
any person, group, or system that provides information without the expectation that the
information, relationship, or both, are protected against public disclosure. Publicly
available information includes data, facts, instructions, or other material published or
broadcast for general public consumption available on request to a member of the
general public; lawfully seen or heard by any casual observer; or made available at a
meeting open to the general public.17 What is being understood under “openly
available” might vary between governmental institutions in different countries. In
general “OSINT operations support other intelligence, surveillance, and reconnaissance
(ISR) efforts by providing information that enhances collection and production. As part
of a multidiscipline intelligence effort, the use and integration of OSINT ensures
decision-makers have the benefit of all available information.”18 Data collected from
these different sources are often in diverse formats, ranging from structured database
records to unstructured test, image, audio, and video files. As open source data volumes
continue to grow, extracting valuable, credible intelligence and knowledge becomes
Social science and other academic disciplines provide a tremendous amount of
useful analytical methods. The first question which arises is how to define qualitative
research. The simplest definition is to say it involves methods of data collection and
analysis that are non-quantitative.19 Historical-comparative researchers would say it
always involves the historical context, and sometimes a critique of the “front” being
put on to get at the “deep structure” of social relations. Qualitative research most often
is developed bottom up – not top down. Qualitative research uses unreconstructed logic
to get at what is really real – the quality, meaning, context, or images of reality in what
people actually do, not what they say they do. The challenge at this point is that
institutions in charge of the analysis of open source materials use very different
Taylor, Michael C. Doctrine Corner: Open Source Intelligence Doctrine Military Intelligence
Professional Bulletin. Ft. Huachuca: Oct-Dec 2005. Vol. 31, Iss. 4; p. 3.
Internet sites enable users to participate in a publicly accessible communications network that connects
computers, computer networks, and organizational computer facilities around the world. The Internet is more
than just a research tool. It is a reconnaissance and surveillance tool that enables intelligence personnel to
locate and observe open sources of information. Through the Internet, trained collectors can detect and
monitor Internet sites that may provide I&W of enemy intentions, capabilities, and activities. Collectors can
monitor newspaper, radio, and television websites that support assessments of information operations.
Collectors can conduct periodic searches of web pages and databases for content on military order of battle,
personalities, and equipment. Collecting web page content and links can provide useful information about
relationships between individuals and organizations. Properly focused, collecting and processing publicly
available information from Internet sites can help analysts and decision makers understand the operational
environment. Taylor, Michael C. Doctrine Corner: Open Source Intelligence Doctrine Military Intelligence
Professional Bulletin. Ft. Huachuca: Oct-Dec 2005. Vol. 31, Iss. 4; p. 3.
Lofland, John und Lyn H. Lofland. 1984. Analyzing Social Settings: A Guide to Qualitative Observation
and Analysis. Belmont, CA.
20 K. von Knop / Institutionalization of a Web-Focused, Multinational Counter-Terrorism Campaign
Qualitative research methods are for example: ethnography, ethno-methodology,
imagery analysis, participant observation, dramaturgical interviewing, cognitive
interviewing, narrative interviewing, text mining, spatial and temporal mining and
visualization, hot spot analysis, sociometry, natural experiment, theoretical experiment
like game theories,20 case studies, rational-choice, social network analysis, network
learning, network topological analysis (e.g. random network, small world network, and
scale-free network), language analysis, unobtrusive measures, content analysis,
historiography, secondary analysis of data, etc. At this point it has to be noted that each
qualitative research method has its advantages and disadvantages and often a
combination of two, three or more qualitative research methods in addition to a
quantitative research method will lead the research to evidence.
For instance what are the advantages and disadvantages of a case study approach?
Advantages of the method: Case studies allow in-depth understanding of the group or
groups under study, and they yield descriptions of group events – processes often
unsurpassed by any other research procedure. Also, and at a more pragmatic level, case
studies can be relatively easy to carry out and they make for fascinating reading. But
the real forte of the case study approach is its power to provide grist for the
theoretician’s mill, enabling the investigator to formulate hypotheses that set the stage
for other research methods.21 The most important disadvantage of a case study
approach is that it is liable to be seduced into generalizations. Case studies, however,
yield only limited information about groups in general. Researchers who use this
method must constantly remind themselves that the group/cell studied may be unique
and therefore non-representative of other groups. Also, because researchers cannot
always use objective measures of group/cell processes when conducting case studies,
their interpretations can be influenced by their own assumptions and biases. In all, case
studies limit the researcher’s ability to draw conclusions, to quantify results, and to
make objective interpretations. However, some topics such as groupthink, group
decision-making and group work are almost impossible to study by any other method.22
To explain how important it is for a collaborative database not just to provide open
source analysis for the participating governmental institutions, but also information
about the method and when the data was collected, and how it was analyzed, we cite
the following example of qualitative research. The qualitative research method of
participant observation is a very critical one because the way it is conducted could have
an impact on the research outcome. Participant observation is the process of immersing
the researcher in the study of people the researcher is not too different from. It is almost
always done covertly, with the researcher never revealing his or her true purpose or
identity. If it is a group the researcher already knows a lot about, the researcher needs
to step back and take the perspective of a “martian”, as if the researcher were from a
different planet, and seeing things in a fresh light. If it is a group the researcher knows
nothing about, the researcher needs to become a “convert” and really get committed
and involved. The more secretive and amorphous the group, the more the researcher
Game theories are an appropriated tool for understanding the strategic interactions associated with
terrorist and those shared with counterterrorism. Sandler and Arce (2007 provide an up-to-date survey of
game theoretical papers on terrorism. There is currently a lot of interest in applying game theory to the study
of terrorism with recent contributions by Arce and Sandler 2007, Bueno des Mesquity (2005), Heal and
Kunreuther (2005), and Siqueira (2005)
Forsyth, D.R. (1990), Group Dynamics, Pacific Grove, CA: Brooks/Cole.
Libraries are full with books on qualitative research. In terms of collective efficacy; group processes;
group decision making; vigilant problem solving; groupthink; group performance, Norman Schoefield´s
Collective Decision-making might be a good book to start with.
K. von Knop / Institutionalization of a Web-Focused, Multinational Counter-Terrorism Campaign 21
needs participation. The more localized and turf-conscious the group, the more the
researcher need observation.23 The known open source literature describes four roles:
• “Complete participation – the researcher participates in deviant or illegal
activities and goes on to actively influence the direction of the group
• Participant as observer – the researcher participates in deviant or illegal
activities but does not try to influence the direction of the group
• Observer as participant – the researcher participates in a one-time deviant or
illegal activity but then takes a back seat to any further activities
• Complete observation – the researcher is a member of the group but does not
participate in any deviant or illegal activities” 24
The key point behind all of them is that the researcher must operate on two levels:
becoming an insider while remaining an outsider. To reach this goal the researcher has
to create an excellent virtual identity that fits in with the research goals, which is easy
to handle and which provides a high level of credibility for the target audience. He or
she must avoid becoming over socialized, or “going native”, as well as being
personally revolted or repulsed by the group conduct. Going native is sometimes
described as giving up research and joining the group for life, but in most
criminological circles, it means losing your objectivity and glorifying criminals.
Generally, it takes time to carry out participant observation, from several weeks or
months to years.25 The key point is that the method used could have an impact on the
outcome. For the participating governmental institution of our collaborative database
and system it is essential for the evaluation process of the analyses provided to give all
relevant methodological data regarding what has been used. To identify or develop
“best practices”, new instruments, or improve automated collection and sorting systems
for specific research goals, the exchange of analytical methods regarding open sources
would be an additional asset.
10. The Technology
Law enforcement agencies and counter-terrorism analysts need tools which enable
them to mine the Internet and process thousands of documents to identify patterns and
produce evidence. These tools: 1.) retrieve documents from the Internet according to
user-specified criteria, and 2.) extract information and “facts” from resultant reserves of
Information science and technology has drastically expanded the mechanisms by
which data can be collected, and knowledge extracted and disseminated through
Recent technological achievements provide knowledge discovery techniques and
they promise an easy, convenient, and practical way of exploring very large collections
of data for organizations and users. They can: identify terrorist groups and individuals;
identify an initial set of websites created by these groups; make link analysis and
collect content and context of the identified terrorist websites, forums and chat rooms.
An automatic web crawler is applied to collect the contents of these sites. All
types of contents from terrorist websites, including textual files (e.g. HTML files, plain
Qualitative Social Science Research Methodology, http://faculty.ncwc.edu/toconnor/308/308lect09.htm
22 K. von Knop / Institutionalization of a Web-Focused, Multinational Counter-Terrorism Campaign
text files), multimedia files (e.g. images, audio/video files), and archive files (e.g. ZIP
files, RAR files) should be collected.26
There are two general approaches to collecting domain-specific web documents:
• manual selection, and
• automatic web crawling.
The manual approach is often used when the relevance and quality of information
from websites is of the utmost importance. However, this approach is labour intensive
and time consuming, and often leads to inconclusive results. The automatic web
crawling technique is an efficient way to collect large amounts of web pages. This can
be done using retrieval systems such as Convera RetrievalWare. A new, publicly
available online tool now allows for a better assessment of where the members of this
virtual jihadi community are physically located. This tool – the traffic-tracking website
www.alexa.com – extrapolates from a smaller sample a general approximation of the
distribution of the visitors to a given website. Running this tool against the URLs of the
primary websites of the Electronic Jihad provides a basic breakdown of their traffic. 27
Given the sheer volume of data, technological tools are essential for an effective
and efficient intelligence agency. Intelligence agencies need to use analysis and
decision-making support tools, foreign language tools, sample-analyses instruments
and predictive modelling tools. Data collection needs to be done automatically, and
whichever system is utilized, it should be able to analyze and sort the data, and raise
the alarm if necessary. One major concern in using web crawlers is that off-topic
documents are often introduced into the collection, due to the limitations of web
crawling technologies. The web information we are interested in is often not in English.
Cross-lingual information retrieval (CLIR) can help break language barriers by
allowing users to retrieve documents in foreign languages, via queries in their native
languages. Most reported CLIR approaches translate queries into the document
languages and then perform monolingual retrievals.28 This method helps experts to
explore global Dark Web information without first having to learn foreign languages,
and reduces the need for human translators working in the domain of terrorism
Technology is able to improve the speed, and in counterterrorism speed is
important, but the focus must be more on accuracy. To date, network-centric concepts
have focused on shortening the sensor-to-shooter step. Facing the threat of terrorism we
must focus on improving the quality of the observe-orient segment.
To cut it down to one sentence: One analyst is intelligent, a group of analysts
produce collective intelligence, and machines are tools. Collective intelligence needs
tools to become more efficient and effective, and tools require intelligence to be useful.
See: Yilu Zhou, Jialun Qin, Quanpi Lai Reid, Hsinchun Chen: Building Knowledge System for
Researching Terrorist Groups on the Web, Proceedings of the 11. Americas Conference on Information
Systems, Omaha, NE, USA, August 2005, p.4.
Rebecca Givner-Forbes and Clay Shwery , Mapping the Electronic Jihad, in: ISN Security Watch,
L. Ballesteros and B. Croft: Dictionary Methods for Cross-Lingual Information Retrieval, in Proceedings
of the 7. DEXA Conference on Database and Expert System Application, Zürich, Switzerland, 1996, pp. 791-
K. von Knop / Institutionalization of a Web-Focused, Multinational Counter-Terrorism Campaign 23
In Collective Intelligence proper investigative and legal procedures need to be strictly
followed. The key factor may be the creation of an access for consuming and providing
open source material and analyses that enables a common computing and
communications infrastructure. The heart of this system might be a technological
platform with analytical tools and databases of open source data. The value creation is
maximized when there is intense interaction and uninhibited sharing of information
between the organizations and the surrounding community. Therefore, the potential
success or failure of such a physical and virtual network organizational paradigm
depends on the degree of dedication and involvement by the surrounding community.
Arce, Daniel G., and Todd Sandler. (2005) Counterterrorism: a Game-Theoretical Analysis. Journal of
Conflict Resolution 49: 183-200
Bertalanffy, von, L. (1968). General systems theory. New York: Braziller.
Bueno de Mesquita, Ethan. (2005) Conciliantion, Commitment and Counterterrorim: A Formal Model.
International Organization 59: 145-176
Heal, Goeffrey and Howard Kunreuther. (2005) IDS Model of Airline Security. Journal of Conflict Security
Infante, D.A., Rancer, A.S. & Womack, D.F. (1997). Building communication theory. Prospect Heights,
Illinois: Waveland Press.
Laarmans, R. (1999). Communicatie zonder Mensen. Amsterdam: Uitgeverij Boom.
Littlejohn, S.W. (2001). Theories of Human Communication. Belmont, CA: Wadsworth/ Thomson Learning.
Lofland, John und Lyn H. Lofland. 1984. Analyzing Social Settings: A Guide to Qualitative Observation and
Analysis. Belmont, CA.
Luhmann, N. (1984). Soziale Systeme. Grund einer allgemeinen Theorie. Frankfurt am Main: Suhrkamp.
Midgley, G. (Ed.) (2003). Systems thinking. London: Sage.
Sandler, Todd, and Daniel G. Arce (2007) Terrorism: A Game Theoretical Approach. In Handbook of
Defense Economics Vol. 2, edited by T. Sandler and K. Hartley. Amsterdam.
Siqueira, Kevin (2005) Political and Militant Wings within Dissident Movements and Organizations. Journal
of Conflict Resolution 49: 218-236.
Taylor, Michael C. Doctrine Corner: Open Source Intelligence Doctrine Military Intelligence Professional
Bulletin. Ft. Huachuca: Oct-Dec 2005. Vol. 31, Iss. 4; pg. 12, 3 pgs
S.E. Goodman / Critical Information Infrastructure Protection 25
computer-communications systems for direct control and other functions. You could
say that “cyberspace” includes a significant amount of “control space”. The
infrastructures in question include major forms of transportation, banking and finance,
energy distribution, emergency preparedness and response, and public health.
In this paper I will outline aspects of Critical Information Infrastructure Protection
(CIIP), first setting it in the context of how cyberspace has spread globally, and of
Internet security. Secondly, we will consider the various threats to which cyberspace is
exposed. It is the vehicle of, and the potential victim of, globalization. We will
summarize the uses which terrorists have made of cyberspace.
A range of measures are seen as essential for protecting critical infrastructure.
Effective communication of R&D agendas will allow preventative steps to be taken, or
attacks to be repelled as quickly as possible. Governments and the private sector should
work to build cyber security capabilities, especially by forming CSIRTs (Cyber
Security Incident Response Teams). A legal framework for this new technology must
be developed in terms of national legislation and, in view of the worldwide character of
the networks, international conventions.
2. Cyberspace at a Glance
For the most part, the Internet is built upon national and international
telecommunications infrastructures, including the landlines of most public phone
systems and wireless, and satellite communications. Beyond the Internet, these
telecommunications infrastructures tend to be highly dependent on computing
technology. Thus, by our definition, they are part of cyberspace.
There are currently about 1.3 billion Internet users worldwide. The Internet now
comes to ground in over 200 “countries” (Top-Level Domains, i.e. the letters which
follow the dot after the domain name).
This enormous growth has been achieved since the early 90s. The only thing
growing faster than the Internet is cellular telephony, with about three billion phones in
use, to which 1.6 million users are added every day. The fact that soon cellular
telephones will be a platform for the Internet means that at least a billion new users will
have access to this resource, and this expansion will mostly be in developing countries.
3. (In)Security (Internet Security) at a Glance
The architecture, design, and practice of the Internet emphasize access (ease of use,
low cost, universality). It has almost never considered security as a primary or
important factor. It is an unfortunate result of the history of the way the Internet was
developed that the protocols used by the Internet today are derived from those that were
established in the early days of the ARPANet, where there were only a few well-
respected researchers using the infrastructure, and they were trusted to do no harm.
Consequently, security considerations were not built in to the Internet. All
cybersecurity measures taken today to protect the Internet are add-on measures that do
not remedy the underlying security deficiencies.
The situation we have as a result is that current technology asymmetrically favors
the attackers; it provides them great “nonlinear leverage”, and attackers get their
innovations into practice more quickly and effectively than defenders. If we make a
26 S.E. Goodman / Critical Information Infrastructure Protection
comparison between cyber attacks and modern warfare, we would say that it is an
asymmetrical conflict. While the state, because of its capacity, has a huge technological
advantage over terrorists, the problem is that the kinds of nonlinearities associated with
what terrorists do in cyberspace give leverage to those with relatively little technical
capability. What has always been thought of as one of the great advantages of the
networks can also threaten them: They give a small number of relatively weak people
extensive access to a lot of information, each other, potential recruits and sympathizers,
and prospective targets. There is also a negative aspect of tightening access against
terrorists or other malicious users more generally because it would compromise access
and privacy for many, many more “good” users.
The functionality of the Internet ranges greatly. Of particular concern for those
aware of the threat of terrorism is the fact that SCADA (Supervisory Control and Data
Acquisition) systems now more commonly use the Internet to transmit data and control
instructions, rather than the dedicated networks that had been used before. Additionally,
very few of the “cyber” parts of the critical infrastructures were designed or
implemented with security as much of a consideration, if it was considered at all. Most
are riddled with vulnerabilities, which are defined as weaknesses that can be exploited
through either hostile attacks or accidents. It would be almost impossible to create
“patches” to protect programs from malicious people who seek to find and exploit these
Another problem to recognize is that Internet defense pushes the burden outward
to the end user organizations; most of these find it difficult, and often increasingly
difficult, to defend themselves.
In particular, most of the over two hundred connected countries have little or no
national cybersecurity capabilities.
4. International Threats Arising from Globalization
One area of concern that extends broadly across all of the stages of defense is that
globalization creates new populations of “insiders”—people who have authorized
access with the potential for abuse that can cause great harm. Insiders still probably
account for a majority of successful penetrations for criminal purposes. The problem is
complicated by changes in organizational relations and technical architectures that
make “inside” and “outside” more difficult even to define. The possibility that a
terrorist or a terrorist sympathizer might gain employment that would enable him or her
to conduct a devastating attack or to provide critical information or access to others
cannot be discounted or ignored.
The two most general ways of dealing with infiltration are through deep pre-
employment investigations, something that most non-government entities are neither
capable of doing nor permitted to do in many countries, and through stronger forms of
containment and compartmentalization of access within an organization.
Globalization has meant that the Internet is now less secure, with vulnerabilities
resulting from new systems “intimacies”. Transfer of information now takes place in
unprecedented transnational contexts.
A particular problem for those who want to control or police the Internet is the
spread and ownership of, and access to, transnational transportation infrastructures.
Much of the day to day running is outsourced, and offshoring (outsourcing to foreign
S.E. Goodman / Critical Information Infrastructure Protection 27
entities) means that any attempts to control the Internet require international co-
5. Terrorists in Cyberspace
What do we know or anticipate that terrorists want to do in cyberspace? I believe the
answers to this question fall into three categories:
1. Terrorists want to support their activities and infrastructure, but not directly
through an attack, using the Internet.
2. They may want explicitly to attack parts of the cyber infrastructure.
3. They may use cyberspace as a means of attacking other targets. These might
include compromising transportation or other supervisory control systems to
cause disasters resulting in extensive consternation and costing many lives.
It is certain that terrorists and their supporters have been engaging in extensive
activities under category 1, and that they will continue to do so. This would cover
communications, including encrypted communications with each other; recruiting and
“advertising” (for example, via Web sites); and financial transactions such as money
transfers and laundering. Training manuals for terrorists, including information about
bomb-making and avoiding detection, are freely available. Terrorists are also likely to
be scouring cyberspace for information on potential targets and on weapons of mass
As far as we can tell, terrorists have not been responsible for any of the major
attacks or accidents that have occurred in recent years under categories 2 or 3. So much
has been written about such possibilities—and they have had some prominence in the
media—that it is inconceivable that terrorists are not aware of them. So far, for reasons
we can only speculate about, they do not seem to have chosen to pursue these
possibilities with vigor and effect, or perhaps they have tried and failed.
6. Systems and Networks at Risk
Should an attack be launched against systems and networks, the following would be at
1. The Internet.
2. Embedded/real-time computing (e.g. avionics systems for air traffic control,
SCADA systems used by the amenities, routing for shipping containers, and
process control for toxic chemical production, switching of
telecommunications, bank teller machines, floodgates).
3. Dedicated computing devices (e.g. desktop computers).
Each has a different role, and may be the subject of different kinds of attack.
Terrorists might attack the Internet physically or “through the wires”, the latter being
potentially more destructive. One type of attack that we see is directed against Internet
operations. Such attacks are often based on self-replicating programs (worms and
viruses) that are transmitted from system to system, consuming prodigious amounts of
router processing time and network channel bandwidth. In recent years, some of these
worms and viruses have been transmitted without explicitly destructive payloads and
yet have been able to disrupt key Internet backbone subnetworks for several days.
28 S.E. Goodman / Critical Information Infrastructure Protection
Another kind of attack on Internet operations seeks to corrupt the routing tables
that determine how a packet should travel through the Internet. In both cases, the intent
of the attack is to reduce the normally expected functionality of the Internet for some
significant portion of its users—that is, a denial-of-service attack in intent, although not
one necessarily based on flooding traffic.
An attacker might also target the Internet’s Domain Name System (DNS), which
translates domain names (e.g. “example.com”) to specific Internet Protocol (IP)
addresses (e.g. 22.214.171.124) denoting specific Internet nodes. A relatively small
number of “root name servers” underpins the DNS. Although the DNS is designed to
provide redundancy in case of accidental failure, it has some vulnerability to an attack
that might target all name servers simultaneously. Although Internet operations would
not halt instantly, an increasing number of sites would, over a period of time measured
in hours to days, become inaccessible without root name servers to provide
authoritative translation information. Physical replacement of damaged servers would
be achievable in a matter of days, but changing the IP addresses of the root name
servers would be more complicated.
7. Recommendations: Focus on Terrorists
It is only a matter of time before cyber terror attacks, at present largely a threat, become
a reality. Both government and private sector need to focus on preparations. There are a
number of measures that must be taken.
7.1. Build Much Stronger Defenses, More Integrated Emergency Preparedness and
Response Systems, and Improve the Processes for Their Use.
The first order of business is to provide indications and warnings that an attack is
taking place. This is a difficult area, and intrusion detection has become a particularly
active area in research and development. Not surprisingly, detection and notification
are more difficult and prone to false positives during the early stages of an attack,
before significant damage has been done.
To prevent penetration of the system at risk from the outside, we try to erect
barriers and otherwise harden it. Both cyber and physical approaches are necessary.
Passwords are the oldest, and still most widely used, cybertechnique. More recent and
somewhat widely used techniques are firewalls and proxy servers. Like all forms of
cyberdefense, these can be defeated, although it is possible to make them real barriers
against many attempted attacks. Physical protection needs to consider several forms of
penetration or attempts to isolate the system. These include attacks on electronics using
electromagnetic pulses, and attempts to cut cable endings. A wide variety of forms of
physical protection are possible, ranging from fences to biometrics.
In the event of an attack there needs to be a system for incident management,
mitigating an attack, and damage limitation. A next line of defense is internal
compartmentalization and containment. In this instance, the goals are to limit
penetration and damage, protect surviving assets, and protect and gather information to
help with recovery and response after the attack. Approaches include creating internal
physical barriers and cyberbarriers through compartmentalization and need-to-know
access controls, intrusion tolerance schemes, setting up decoys, maintaining protected
S.E. Goodman / Critical Information Infrastructure Protection 29
redundancies, and hiding assets. All have both static (pre-positioned and unchanging
during the attack) and dynamic variants.
Another approach is automatic or partial shutdown and reallocation. A system that
senses it is under attack would start erecting internal barriers that would not be
tolerable during normal operations, in an attempt to isolate those parts of the system
that had been compromised. It would also involve load-shedding strategies to reallocate
surviving capabilities to the most important functions required by the organization. All
of this amounts to various forms of real-time reassignment and reconfiguration under
Particular attention needs to be given to preserving and collecting information
during an attack. This is done most easily if the attack has a clear and precise starting
time and backups are made regularly, or if the organization maintains a redundant
“shadow” system. More insidious attacks that build up slowly present a much more
difficult problem in identifying a state where the system is free from inserted malicious
code. It is also important to have strong audit functions to identify when an attack starts
and to collect information that might assist in the identification and apprehension of the
attacker and help the organization better defend itself against similar attacks in the
Organizations should establish security policies and plans for defending against
attacks. Special attention should be given to preventing and dealing with insider attacks.
Staff should know who to call for help. It might be a good idea to test the plan through
the use of exercises. However, most organizations avoid live “fire drills” because they
can be expensive, disruptive, and risky in their own right. Many information systems
are delicate and their owners are afraid something will go wrong, resulting in the self-
inflicted equivalent of a serious attack.
7.2. Improve the security of systems that control physical processes (e.g., SCADA).
From the standpoint of counter terrorism, we would imagine that attacking physical
targets via control and management systems would result in the kind of mass casualties,
damage, fear, and loss of confidence that terrorists favor. Many of these systems are
vulnerable to tampering with control signals, especially by insiders.
Increasing the security for DC/SCADA systems poses particularly difficult
problems. These systems are often small and self-contained, and have constrained
power needs (including backup). Security may not readily fit with the space, real-time,
or power requirements. Security measures could also reduce performance or be
problematic in the synchronization of other more extensive processes. Additionally,
most of these systems are in the private or mixed sectors (for example, airports). Their
owners and operators may not have sufficient resources to secure them more effectively.
National governments that are in positions to do so should give priority to
protecting the small percentage of cyberspace users who are private owners and
operators of digital control and management systems. This would include providing
them with various forms of assistance and technology. Particular attention should be
given to transportation systems because for decades they have been highly favored by
terrorists both as targets and as the means of delivering an attack.
This kind of defensive work is essentially “target hardening”. This can be defined
as the use of various technologies and products and procedures (for example, those
governing outside dial-in or reconstitution and recovery) to protect the information
technology (IT) assets owned or operated by an individual or organization.
30 S.E. Goodman / Critical Information Infrastructure Protection
It is important to notice that many of these recommendations would have more
general value than just vs. terrorists (e.g., they would help against accidents, natural
disasters, serious crime, and non-terrorist forms of conflict). However, as defense does
not involve serious risk or impose a penalty on the attacker, there is also the need to
develop deterrents. For this we need laws:
7.3. Design and Implement a Stronger “System of Justice”, Especially Its International
International cooperation should concentrate on effective intelligence operations. This
is an area where a considerable amount of success could be expected, which would
create the atmosphere for a long-term international legal framework.
The problems of jurisdiction are greatly compounded by the easy transnational
access provided by many components of cyberspace, most notably the Internet. What
may be perceived as serious in one country whose cyberinfrastructure may be used as
part of a terrorist action may not even make the legal radar screen of others that are part
of an attack that crosses multiple sovereign physical jurisdictions. Most countries have
given little or no thought to making serious crimes of the various forms of cyberattack,
and “without law there is no sin”. Seeking widely adopted national laws at least
criminalizing attacks against or using the networks is an important objective.
Legislating against the support functions to which terrorists put the Internet would be a
more distant prospect. The enforcement and prosecution of these laws are also critical
elements of cybersecurity.
Given the many technical and evidentiary problems of identifying cybercriminals
and prosecuting them, nobody has any delusion that such laws would end criminal or
terrorist activities in cyberspace. Nonetheless, they might reduce the enormous amount
of malicious “noise” in cyberspace, and this would help make it easier to more readily
identify more serious activities. They would also provide a necessary basis for
encouraging people to report malicious cyberactivities, and for international
cooperation in dealing with several kinds of problem.
8. Recommendations: CIIP at Every Stage
Security must become a criterion for any system used for CII from the design stage
onwards. The priorities in design have been access and throughput. Added security is
not just costly; it may also result in reduced efficiency and functionality. Furthermore,
so far there does not seem to be much incentive for people to design or redesign
systems to be much more secure. There has been much speculation that the design or
redesign of systems will occur only in the aftermath of a “digital Pearl Harbor” or in
response to the forces of legal liability or insurance necessities and standards.
Even better, security should be a factor to be considered over the entire life cycle
of such systems. Organizations should build cadres of capable defenders, and
contingency plans (including internationally) for crisis and emergency conditions need
to be in place. There could be national-level CERTs or CSIRTs (Cybersecurity Incident
A postdesign and implementation variant is to try to prevent attacks by finding and
fixing vulnerabilities before an attacker can try to exploit them. Red teams, test beds, or
simulations may be used to do this. Another approach, at least to the often-serious
S.E. Goodman / Critical Information Infrastructure Protection 31
threat of possible insider attacks, is to more thoroughly screen employees with
potentially sensitive access.
It is clear that for a number of these measures operational contingencies among
owners and operators and their governments need to be established.
9. Recommendations: Help Build National and Regional Cybersecurity
Harmonization of national laws (as provided for in the 2001 Council of Europe
Convention on Cybercrime) is a good first step toward ensuring the availability of legal
recourse. This would provide the basis for tracking, identifying, and prosecuting
cybercriminals across national boundaries. Considerable efforts are underway today at
the regional intergovernmental and international governmental level. 3 One goal for
which international action would be useful is the more effective coordination and
sharing of information and R&D.
9.1. Types of Relevant International Conventions
There is no reason why an international legislative system should not be built up
around the new technologies we see today. If we make a comparison with aviation, that
was also one hundred years ago a new technology for which no laws existed, yet there
is now a very effective worldwide legislative framework for air traffic.
Comparisons with other areas of international cooperation help us to see what kind
of work can be done in this area for cybersecurity. There are three types of relevant
international convention with multilateral operational dimensions:
9.1.1. Crime and Punishment
Define undesirable behavior as criminal.
Concern with sub-state actors.
The prime example of such a convention is the Council of Europe Convention on
9.1.2. Infrastructure Protection
Define undesirable behavior.
Concern with sub-state actors.
Establish standards/best practices.
Concern with state actors.
Here the prime examples are the Civil Aviation Conventions (1919, 1944, 1963, …).
9.1.3. Arms Control
Control/limit behavior and possessions.
Concern with state actors.
The prime example: Biological and Toxin Weapons Convention (1972).
See the report: The International Landscape of Cyber Security.
32 S.E. Goodman / Critical Information Infrastructure Protection
10. An International CIIP Convention?
For international conventions covering Critical Infrastructure those concerning Civil
Aviation may be the most relevant model to follow. The following characteristics are
They range from issues of aircraft safety to strong laws prohibiting acts
The laws covering acts against aviation infrastructure are also effective.
There is an International Civil Aviation Organization (ICAO).
Since 1944 these conventions have gained near universal acceptance, with 189
countries signing up to them, and the coverage is growing.
They are supported by other UN agencies and NGOs.
If a CIIP Convention is to become a reality, there needs to be significant and sufficient
international concern (the WSIS C5 Action Item could be an indicator here). It is
essential that the convention strive for universal sign-up, and this probably necessitates
a UN umbrella, perhaps the ITU. A CIIP Convention must be supported by an
operational organization that can help build and certify national capabilities.
Reports for the US Government
National Research Council, Information Technology for Counterterrorism, Report of the Committee on the
Role of Information Technology in Responding to Terrorism (J. L. Hennessy, D.A. Patterson, co-chairs,
H. S. Lin, study director), Washington, DC, 2003.
National Research Council, Toward a Safer and More Secure Cyberspace, Report of the Committee on
Improving Cybersecurity Research in the United States (S. E. Goodman, chair, H. S. Lin, study
director), Washington, DC, 2007.
National Science and Technology Council, Federal Plan for Cyber Security and Information Assurance
Research and Development, Report by the Interagency Working Group on Cyber Security and
Information Assurance, Washington, DC, 2006.
National Security Telecommunications Advisory Committee (NSTAC), Research and Development Issues
to Ensure Trustworthiness in the Telecommunications and Information Systems that Directly or
Indirectly Impact National Security and Emergency Preparedness, Atlanta, GA, March 13-14, 2003.
National Security Telecommunications Advisory Committee (NSTAC), Report to the President on
International Communications, Washington, DC, Draft, July 16, 2007.
Other Selected References
A. D. Sofaer and S. E. Goodman, (eds.), The Transnational Dimensions of Cyber Crime and Terrorism,
Hoover Institute, Stanford University, 2001.
Seymour E. Goodman, “Toward a Treaty-based International Regime on Cyber Crime and Terrorism,” in
Cyber Security: Turning National Solutions into International Cooperation, Center for Strategic and
International Studies, CSIS Press, 2003,. pp. 65-78
Stephen J. Lukasik, Seymour E. Goodman, and David W. Longhurst, Protecting Critical Infrastructures
Against Cyber-Attack, Adelphi Paper 359, International Institute for Strategic Studies, London, 2003.
Seymour E. Goodman, Charles House, et al., “Risks and Exposures,” Chapter 6 in William Aspray, Frank
Mayadas, and Moshe Vardi, eds., Globalization and the Offshoring of Software. New York: ACM,
S.E. Goodman / Critical Information Infrastructure Protection 33
Gabriel Weimann, Terror on the Internet, U.S. Institute for Peace, Washington, DC, 2006.
S. E. Goodman, “Cyberterrorism and Security Measures,” Chapter 5 in Science and Technology to Counter
Terrorism: Proceedings of an Indo-U.S. Workshop, (see also commentary in Chapters 6 and 18), The
National Academies (US) and the National Institute of Advanced Science (India), National Academies
Press, Washington DC, May 2007, http://books.nap.edu/catalog.php?record_id=11848.
P.W. Brunst / Use of the Internet by Terrorists 35
usage by terrorists or even conventional attacks that are aimed at IT infrastructures ).
This chapter will not analyze the different definitions of terrorism and cyberterrorism.
Instead, it will give an overview of the use that terrorists can make of the Internet and
the advantages that they can gain from this usage. For this reason, in the following text,
the term “terrorism” is understood in a broad sense in order to enable a comprehensive
examination of possible uses. For an analysis of definitions of terrorism, see .
To analyze the possibilities that terrorists have by using the Internet, it is not suffi-
cient merely to look at confirmed cases of terrorist involvement. Instead, it is necessary
to identify possible targets, risks, and other forms of terrorist Internet use. Therefore,
this analysis is based on cybercrime- and cyberterrorism literature as well as on special-
ized security reports and everyday news reports. This broad approach allows an ex-
panded view not only of real occurrences of cyberterrorism and other uses of the Inter-
net, but also of possible future (or undetected current) forms of utilization.
Three different areas of terrorist uses of the Internet are mainly under discussion.
With a view to news coverage, terrorist attacks that are carried out via the Internet are
especially considered to be “cyberterrorism”. These attacks are either aimed at other IT
structures, such as individual computers, central servers, and routers or at objects in the
“physical world”, such as buildings, planes, trains, or even human life (Part 1.). How-
ever, these intensely observed and frightening possibilities might not be the most inter-
esting ones for terrorists. Since Internet access is available in many countries, terrorist
organizations use the Internet not only to attack, but also to inform, threaten, and attract
attention (Part 2.). Finally, the Internet offers to all of its users many interesting possi-
bilities and information that can also be used by terrorists. These possibilities include
the exchange of encrypted information between people in countries where censorship
and mass surveillance are exercised as well as the obtainment of information about
possible targets (Part 3.).
1. Attacks via the Internet
Attacks via the Internet have, for a long time, been the domain of cyber criminals who
abuse systems for their own benefit, especially to gain monetary income. However,
these acts can also be committed with a terrorist intent. To analyze further the possibili-
ties of digital attacks for terrorist organizations, one has to look at the reasons and mo-
tives behind engagement in this fairly new field (Part 1.1.). The attacks themselves are
often highly flexible and can be combined in several different ways. This makes it hard
to distinguish, for example, a hacking attack that is being committed with the intent to
“test” the security of a certain computer system from another hacking attack that is
being carried out to shut down the system and create further damage. With respect to
terrorist ambitions, however, the attacks can roughly be divided into actions carried out
with the intent to attack other IT systems (and perhaps the physical infrastructure that is
connected to these systems) and attacks that are carried out with the goal of endanger-
ing human life (Parts 1.2. and 1.3.).
1.1. Reasons and Motives for Terrorist Attacks
Since many attacks carried out via the Internet give no explanation for the reasons be-
hind them, it is often not possible to determine whether they are the result of an arbi-
trary experiment carried out by a user who tried out a program discovered while brows-
36 P.W. Brunst / Use of the Internet by Terrorists
ing the Internet or the result of the purposeful aggression of an organized group. Ac-
cordingly, in many cases of cyber aggressions, the originator is not known. For this
reason, some authors have claimed that – up to now – not a single instance of cyberter-
rorism has been recorded . Even if it is true that – according to informal sources –
many cyberterrorist attacks have already taken place, many (if not most) cases are kept
confidential due to the security threat to important infrastructures. However, even if
evidence is scarce, the threat of terrorists using (or considering use of) the Internet for
their purposes is not unrealistic. This in turn can also be used by terrorists as a form of
psychological warfare: cyber-fear is generated by the fact that what a computer attack
could do is too often associated with what actually will happen .
1.1.1. Motivation for Attacks via the Internet
The existence of many different reasons and motives show why the Internet, in general,
is interesting not only for the “ordinary” criminal, but also for terrorist purposes:
− Attacks that are conducted via the Internet can be launched from anywhere in the
world. It is not necessary to be “on site” as it is for a classic bomb attack. Internet
connections that are needed for the initialization of the attack are widely available
or can be started from most up-to-date mobile phones;
− When the attack is set up, it can be launched quickly with hardly any need for fur-
ther preparation. This makes it possible to react spontaneously to current events
− The speed of many forms of attack is not dependent on the connection speed of
the attacker, e.g. in cases of Distributed Denial-of-Service attacks (DDoS attacks).
Instead, the connection speed of captured victim computers can be fully exploited.
Thus, worms and viruses can spread at the fastest possible rate without the need
for any further involvement on the part of the attacker;
− Actions committed via the Internet can be kept anonymous and untraceable.
Technically, anonymizing services and similar camouflaging techniques, as well
as the forwarding of traffic via other hacked systems, can make tracing an attack
difficult if not impossible. Furthermore, if traces are being led through different
countries, legal problems and differing technical standards in these countries add
to the list of problems. Finally, digital evidence can be deliberately forged, thus
raising suspicion against uninvolved and innocent parties;
− The cost-benefit-ratio is extremely positive: use of the Internet itself is cheap. For
many attacks, only a small bandwidth connection is needed, which is affordable
in most countries. Damage caused via the Internet, however, can be rather costly.
IT experts must continue to be involved in fixing newfound security flaws; fur-
thermore, additional costs arise if damages have occurred and require fixing (e.g.
reconstructing IT equipment or repairing physical damage that resulted from a
− Often, attacks are easy to carry out because many targets are poorly protected.
Therefore, attackers can choose from a wide variety of interesting targets. If the
favored target is not vulnerable to the “weapon of choice”, many other targets are
P.W. Brunst / Use of the Internet by Terrorists 37
1.1.2. Terrorist Motivation
The short list above already shows that attacks via the Internet are generally attractive
for any criminal organization. However, differences between ordinary criminals and
terrorist organizations can be observed when the underlying motivation for such attacks
is analyzed . Cybercriminals often conduct attacks simply to gain monetary income
or to demonstrate their “virtual power”. This can be achieved, for example, by the fol-
− Circumventing security measures. Attackers can thereby corrupt the integrity and
confidentiality of computer systems and data;
− Rendering systems useless. This can be followed up by further drastic effects if
mission-critical IT systems are affected;
− Creating physical harm. This can be the case if critical infrastructures, such as
transportation, power, or water facilities that are connected to an IT system, can
be manipulated by a perpetrator who has gained access to such a control system.
Terrorist organizations, however, typically follow a more long-term perspective.
Their general aim is to achieve a (primarily political) goal with their actions. Therefore,
the following actions are of high importance to the organization:
− the generation of fear,
− the creation of economic confusion, or
− the discrimination of the political opponent.
Other reasons, however, can also be an underlying agenda for a terrorist act that is be-
ing committed via the Internet, for example:
− the generation of monetary income or
− the gathering of information on a target (either for a conventional or an electronic
Depending on individual motivation, terrorist aggressions can be performed in dif-
ferent ways. As an example, a hacking attack with the intent to shut down an important
system at an airport could be made publicly known in order to arouse fear in the popu-
lation. However, a hacking attack that is committed in the hopes of gaining information
on the automobile route of an important person might be kept secret so as not to endan-
ger future plans for a bomb assassination on that person. In general, it is possible to
imagine that all of the general aims mentioned above could also be accomplished with
the help of attacks that are committed over the Internet.
1.2. Attacks on IT Systems
Attacks on IT systems can roughly be divided into three different groups. (1) With the
help of hacking techniques, access to individual systems can be gained. The system can
be subsequently used to shut itself down, gather, alter, or delete information from it, or
to conquer further systems that are attached. The latter is especially important with
regard to attacks on an infrastructure that is controlled by a computer system. (2) The
second approach is not designed to gain access to a computer, but to render it useless.
38 P.W. Brunst / Use of the Internet by Terrorists
These so-called “Denial-of-Service attacks” (DoS attacks) are often committed with the
help of hundreds or thousands of computers that send (mostly useless) instructions to
the victim computer. (3) Finally, a third type of attacks combines one or both of the
above-mentioned attacks with a conventional bomb attack.
1.2.1. Individual Hacking Attacks
126.96.36.199. Accessing Systems
The first type of attacks is aimed at enabling access to protected data and computer
systems. This can be achieved if the victim computer is vulnerable to a security weak-
ness that can be exploited by the attacker. Software and techniques for this purpose can
be acquired through different channels: many specialized security forums discuss the
known weaknesses of different operating systems and other software. If the designated
victim computer is not immune against all current (and known) software flaws (so-
called “patching”), this information can be used to gain access to it. However, even if
all known patches have been applied to a computer system, this does not mean that the
system is protected against all possible attacks. So-called “Zero-Day-Exploits”, i.e.
software flaws that have not yet been disclosed to the manufacturer (and therefore not
yet been patched), can be acquired via the black market. Such software enables access
to a system even though the system administrators have followed all publicly known
Once an attacker has gained access to a computer system, several possibilities lie
ahead. First, the system can simply be shut down, thereby making it unavailable to le-
gitimate users. However, the system can be restarted by administrators immediately,
giving the attackers only a very short moment of success. Nevertheless, even a very
short interruption can be hazardous for some systems, such as control systems for
power plants or in medical environments. Furthermore, an outage can be combined
with a conventional attack, e.g. to handicap rescue workers after a bomb attack. 3 Fur-
thermore, the information on a system can be altered, thereby giving it a new meaning,
e.g. to mislead people relying on that information, or destroyed. Finally, some attacks
can be conducted without anybody noticing, making countermeasures extremely diffi-
188.8.131.52. Altering Information
The second possibility is to change information that is being stored on the computer
system. This can lead to so-called “defacements” that often take place after a web
server has been compromised , . In the case of a defacement, a web page (usu-
ally an entry page) is replaced with another page that informs the visiting user that this
particular web server has been hacked (and most likely also provides information about
who has done it). In doing so, the attackers can easily demonstrate their capabilities and
the weakness of the victim. In addition, the impression is created that the attacker will
be able repeat his action at any given point in time and even with other, even more
highly protected systems. Therefore, defacements of web servers that belong to security
agencies, the military, or other important services are popular targets for attackers. The
group “Pentaguard”,4 for example, demonstrated its capabilities in 2001 when it simul-
taneously defaced a multitude of government and military websites in the U.K, Austra-
For these so-called “hybrid” attacks see below.
For an excerpt of websites defaced by the “Pentaguard” group, see
http://www.attrition.org/mirror/attrition/pentaguard.html [last visited: July 2007].
P.W. Brunst / Use of the Internet by Terrorists 39
lia, and the United States. This attack was later evaluated as one of “the largest, most
systematic defacements of worldwide government servers on the Web” . Terrorist
organizations had also already used this technique in the past. Al-Qaeda, for example,
hacked the website of Silicon Valley Landsurveying Inc. in order to deposit a video file
showing the hijacked (and later beheaded) Paul Marshal Johnson . By publishing
the link to the stored video, the organization could simultaneously demonstrate its
technical as well as conventional dangerousness. In another case, pro-Palestinian hack-
ers used a coordinated attack to break into 80 Israel-related sites and deface them ,
Instead of defacing a web server, all other information stored on a computer sys-
tem can also be affected, i.e. deleted or altered. If, for example, vital data, such as the
U.S. Social Security database, financial institutions’ records, or secret military docu-
ments, were able to be irreversibly damaged, grave social disorder and a long-lasting
lack of trust in all government institutions could be the consequence . Studies, such
as the exercise “Eligible Receiver”,5 and recent attacks have shown that even top-secret
military computers and sensitive nuclear research centers are not immune against all
attacks , .
184.108.40.206. Silent Operations
The shutting down of a computer or the defacement of a web page each have the ad-
vantage that the success of the attack becomes immediately known to both operators
and users of the affected system. However, if an attacker does not aim at a demonstra-
tion of his powers, but rather tries to gather information, secrecy is of essence.
Therefore, the third possibility for an attacker to proceed after gaining access to a
computer is simply to search for useful information and try to leave few or no traces at
all. This form of action also has another advantage: whereas a security flaw that has
been detected can be fixed after an intruder has been detected, an unknown security
weakness allows the attacker to use it not only once but for a longer period of time.
Hence, apart from the above-mentioned “Zero-Day-Exploits”, other forms of custom-
made software are of also interest.
A mode of operation that could also be put to use by a terrorist organization can be
observed in a case that a security company has tested . The company prepared USB
sticks with a custom-designed, newly developed Trojan horse program that could not
be detected by virus scanners. Twenty of these sticks were “lost” on the premises of a
credit union. Of these, 15 sticks were found by employees – and promptly connected to
the company network where the Trojan started to collect passwords and other valuable
information and e-mailed this data back to the offenders. Such an attack would be a
powerful way for a terrorist organization to initiate counterespionage.
Another way to introduce such software could be through legal channels. This was
observed in the year 2000, when Japan’s Metropolitan Police Department used a soft-
ware system to track 150 police vehicles, including unmarked cars. It turned out that
this software had been developed by the Aum Shinrikyo cult – the same group that
gassed the Tokyo subway in 1995. It turned out that members of the cult had developed
In 1997, the NSA launched an exercise under the codename „Eligible Receiver.” A group of
hackers was in essence challenged to use publicly available tools to try to break into the U.S. Pacific Com-
mand in Hawaii, which is responsible for all military contingencies and operations conducted in the Pacific.
To the surprise of the military, the group gained access to the user account management and were able to
reformat server hard drives, scramble data, and shut systems down. Even the disruption of telephone services
and interception of emails did not pose a large challenge .
40 P.W. Brunst / Use of the Internet by Terrorists
software for at least eighty firms and ten government agencies . The cult had been
able to work largely undetected because the software developers were engaged as sub-
contractors, thus enabling personnel clearance to be easily circumvented.
1.2.2. Large-Scale Attacks
If the information inside a computer is not of essence, but the aim is simply to make its
services unavailable, the use of large-scale attacks might be preferred over a hacking
attack. Large-scale attacks are often committed with the help of hundreds or thousands
of other computers (so-called Distributed-Denial-of-Service-Attacks or DDoS-Attacks)
, . In these cases, viruses and Trojan horses are used to control other computers.
These computers are turned into so-called “zombies” that are forced to report to a bot-
net on a regular basis. These zombies are, in turn, controlled by a bot-master that in-
structs them, for instance, to forward thousands of requests to a particular site in order
to make it inaccessible to its users. In 2006, more than 60,000 active bot-infected com-
puters were observed per day. Furthermore, over 6 million distinct bot-infected com-
puters were detected in 6 months. These “zombies” were controlled by less than 5,000
command-and-control-servers . It can therefore be safely assumed that the persons
in control of these bot-nets are not hobby hackers, but well experienced and organized
For terrorist groups, however, it is not necessary to acquire these skills or to organ-
ize bot-nets by themselves as bot-nets can also be rented. Prices for attacks range from
about 150 to 400 US-dollars, depending on the target and the duration of the attack.
Some bot-net-operators even offer discounts for multiple orders . Also – as a non-
technical alternative – the same effect as that achieved with a bot-net attack can be ob-
tained if enough human supporters are available who can take over the part of will-less
“zombies” in bot-net attacks. This can be observed in an online demonstration that was
launched against the German airline “Lufthansa” in 2001. In order to call attention to
the involvement of the company in the deportation of illegal alien residents, supporters
were asked to open the web page of the company at the same date and time. Over
13,000 people followed the call. The Lufthansa server was unable to reply to the sud-
den peak of requests so that the web page became unavailable to customers during this
time frame . This technique is also known as “swarming”, “virtual blockade”, or
“virtual sit-in” and it shows that even technically non-adept organizations can use the
power of distributed attacks against targets in the Internet , .
However, for a terrorist organization, the operation of a bot-net could also be an
interesting option, since it can be used in a variety of ways. Two main options seem to
be realistic: the use of bot-nets for email campaigns and for aggressive attacks on other
Internet sites. In the first option, the “zombie” computers can be used to send out mass-
mailings with terrorist content (e.g. propaganda). These mails are difficult to trace back
since they do not originate from the computer of the terrorist organization, but from
thousands of computers linked to the bot-net. Furthermore, this service can also be
rented out to other companies wishing to cover their tracks in order to forward spam-
emails and willing to pay for this service. Therefore, by using this first option, the bot-
net can also be used as a source of income for the organization. When using a bot-net
for the second option, i.e. utilization for attacks on other targets in the Internet, a terror-
ist organization can benefit from the large diversification of attackers in a bot-net. Such
aggressions can hardly be traced back and, in addition, the defense against such attacks
is often not possible.
P.W. Brunst / Use of the Internet by Terrorists 41
Manifold examples of the use of bot-nets to bring down other services in the Inter-
net can be found. Among them are actions that can be classified as terrorist or part of a
cyber war. For example, six different Hizbollah sites, the Hamas site, and other Pales-
tinian information sites were brought down by a so-called “FloodNet” attack of pro-
Israeli hackers. The service virtually “flooded” the respective servers with pings result-
ing in the unavailability of the servers for all other requests. Even after a relaunch with
a slightly different spelling, the sites were still unreachable as the hackers immediately
adjusted the attack to the new name , . The targets of such attacks can be chosen
freely, i.e. any system that is reachable over the Internet can be the victim of a (distrib-
uted or simple) denial-of-service-attack. Therefore, the internal and external communi-
cation systems of NATO troops were the victim of an attack during the allied air strikes
on Kosovo and Serbia  as well as the thirteen root servers for the Internet domain
name systems (DNS) , .6
1.2.3. Hybrid Attacks
Many of the attacks described above can result in violence against persons or property
and they can generate fear within a population. However, this depends largely on the
chosen target and the actual effect that the attack was able to accomplish. Therefore,
some authors claim that a conventional bomb attack is – in many ways – easier to plan
and conduct and that the results can be better foreseen. However, even in cases of con-
ventional bomb attacks, the losses can be increased if hybrid attacks are launched, i.e.
an attack that is aimed at a physical target is combined with one or both of the above-
mentioned electronic forms of attack.
The bomb attack can be aimed at any given target. For example, it is often chosen
to bring forth a high number of casualties. In this case, a supplementary digital attack
could be launched that is aimed at the communication devices of police or ambulances
in order to hinder an effective coordination of rescue teams , . Another possibil-
ity would be for attackers to choose to launch an assault on the economic stability of a
country. In this case, a hybrid attack against national financial networks (such as Fed-
wire or Fednet) or against transfer networks (such as SWIFT) could be launched. It is
estimated that such an attack could wreak havoc on the entire global economy .
Another possibility would be to directly attack the infrastructure that forms the ba-
sis of the Internet. To achieve this, offenders could assault any system whose operation
is of the essence for the functioning of the Internet. One example would be the domain
name service (DNS). The DNS is responsible for the translation of domain names (such
as www.mpicc.de) into IP-numbers (such as 220.127.116.11). This task is necessary for
many transactions, e.g. the opening of a web page or the sending of an email. If an at-
tacker was able to disturb this service, large parts of Internet-based services would be
inaccessible. Therefore, a DDoS attack on the thirteen root servers of the DNS in Octo-
ber 2002 was described as an attack against the “heart of the Internet network.” How-
ever, due to built-in safeguards, no slowdowns or even outages were caused . The
same is true for a recent attack which took place in February 2007: even though the
aggression lasted for almost twelve hours, the influence was hardly noticeable ,
Such attacks against the infrastructure are possible not only by digital, but also by
conventional means. For example, many transcontinental data connections rely on
For further details on the attack on the DNS root servers see also below.
42 P.W. Brunst / Use of the Internet by Terrorists
transatlantic cable connections between Europe and the United States. Whereas Euro-
pean cable ends are widely spread between many different countries, they are often
bundled on the American side (e.g. in New Jersey and Rhode Island). An attack on one
or two of these connections could have a serious impact on Internet connections in
general. In the past, this was observed when cables were damaged accidentally ,
. For example, after an underground cable between China and the USA was se-
verely damaged, according to a survey, 97% of Chinese users reported problems of
accessing foreign web pages and 57% claimed that their life and work was being af-
fected by the damage . Another focus of a conventional attack against IT infrastruc-
tures could be to target one or more of the central so-called peeringpoints that intercon-
nect different networks in the Internet. The German peeringpoint DE-CIX in Frankfurt,
for example, is said to handle 80% of German and 35% of European Internet traffic.
The London Internet Exchange LINX is the world’s largest Internet peeringpoint. In
2006, it was at the center of a planned assault. However, Scotland Yard arrested sus-
pects beforehand. An MI5-website is reported to have said that “without these services,
the UK could suffer serious consequences, including severe economic damage, grave
social disruption, or even large-scale loss of life” . Since this report is focused on
the use of the Internet by terrorists, there will be no further analysis of possible targets
for conventional attacks. The examples above show, however, that terrorists can se-
verely damage targets in the Internet even without any technical knowledge.
1.3. Attacks on Human Life
Often, attacks on computer systems are considered less dangerous than conventional
attacks with bombs because damages to computers are said to “only” lead to economic
losses. However, these days, computers are no longer exclusively used to “crunch
numbers” and store huge amounts of data. Instead, a new type of service has quietly
evolved: SCADA 7 systems are used to measure and control other systems and can
therefore lead to effects not only in the “virtual”, but also in the “real” world. Often,
these systems are also connected to the Internet – in one way or another: according to
informal sources, 17% of SCADA malfunctions are caused by a direct Internet access
to the SCADA system . Other possibilities include VPN-, modem- or trusted con-
nections, e.g. remote access to allow maintenance work. Even though such possibilities
for remote access are not advisable for security reasons, the need to cut costs and the
ability to remotely control several SCADA systems centrally, instead of having one
person control one system on-site, led many companies to establish such structures.
Furthermore, many of the control systems are based on standard Windows- and UNIX
operating systems . Therefore, some hackers claim that it would take them only
about a week to get into most of the existing control systems . The effect of a com-
bination of SCADA systems that are connected to the Internet and security weaknesses
could be observed in 2003 when 21 power plants were brought down and other criti-
cally important institutions in the United States, including Edwards Air Force Base, the
test center for B-2 and B-1 bombers, also affected. As far as is publicly known, these
breakdowns were the result of the W32.Lovsan worm that was using the same port to
exploit a weakness on individual personal computers being used by the plants to com-
municate with each other . The collision resulted in a large power-down in the
United States and Eastern Canada.
SCADA is an acronym for “Supervisory Control and Data Acquisition”.
P.W. Brunst / Use of the Internet by Terrorists 43
However, even though 60 million households are said to have been without elec-
tricity, no panic erupted; there were only a few injuries, and hospitals and emergency
services continued to function properly . Therefore, some authors question whether
cyber attacks are really of the same class as conventional attacks carried out with
bombs . From a terrorist’s point of view, it generally should not matter which
weapon is used to commit an attack – as long as the attack is efficient, causes fear in
the public, and is repeatable (at least in general) at any given point in time. Therefore,
attacks that endanger human life often receive larger media coverage than those that
only affect computer systems. Some of these attacks only have a nexus to electronics,
e.g. bomb attacks that are triggered by RFID8 chips contained in newer passports ,
, . Other forms of computer attacks that endanger human life have – for the
most part – only been discussed and not yet taken place (or this has not become known
to the public) . Two different options are mainly being discussed: attacks on
SCADA systems connected to potentially dangerous machinery with an immediate
outcome and those that lead to a long-term effect.
1.3.1. Attacks with an Immediate Outcome
Most scenarios that are under discussion and that could directly result in lost lives have
not yet taken place or they have not become known to the public. The following are
especially considered to be potential target scenarios for terrorist attacks with an imme-
diate danger to human lives: launching attacks on hydroelectric dams, tampering with
control systems for railways or air traffic, and gaining control over systems supervising
Probably the most discussed scenario of cyberterrorism with an immediate danger
for human lives is an attack on a hydroelectric dam. The consequences of (accidentally)
damaged dams have been observed in the past, e.g. when, in 1975, the Banqiao and
Shimantan dams on tributaries of the Huang He (Yellow) River in China failed, dozens
of lower dams were damaged, and at least 85,000 people died . If terrorists were
able, for example, by way of hacking into a SCADA system controlling a dam, to cre-
ate a similar effect by deliberately opening the floodgates, again hundreds or even
thousands of people would be at risk. The vulnerability of such systems could also be
observed in 1996, when an individual used simple explosive devices to destroy the
master terminal of a hydroelectric dam in Oregon. Although the structure of the dam
was not affected by the attack, the power-generating turbines were completely disabled
and had to be switched to manual control . However, attacks via digital channels
have also been on the rise. In 1998, for example, a 12-year-old was able to break into a
computer system that runs Arizona’s Roosevelt Dam. Federal authorities afterwards
reported that he had complete command of the SCADA system controlling the dam’s
massive floodgates .9
A similar incidence – albeit without a threat to human life – took place in the year
2000, when the police arrested a man who used a stolen computer and radio transmitter
to control the sewage treatment in Queensland, Australia. The culprit had manipulated
RFID is the abbreviation for Radio Frequency Identification. An RFID tag is an object that can be
incorporated in products for the purpose of identification using radiowaves.
The details of the attack are disputed: whereas the Washington Post reports that a 12-year-old
hacker broke into the system in 1998, other sources claim that he was 27 and the incident occurred in 1994
. Also, the level of access is debatable. However, the simple fact that the control system of a hydroelec-
tric dam with the dimensions of the Roosevelt dam was compromised at all is sufficient to show the danger
of a terrorist attack.
44 P.W. Brunst / Use of the Internet by Terrorists
the system over a period of two months, letting hundreds of thousands of gallons of
putrid sludge ooze into parks and rivers. According to an employee of the Australian
Environmental Protection Agency “marine life died, the creek water turned black and
the stench was unbearable for residents.” However, the perpetrator’s motive was not to
generate fear in the public, but to bargain for a consulting contract in order to fix the
problems he had caused , . Nevertheless, the case shows that physical damage
can be caused by manipulating SCADA systems.
It is easy to imagine what could happen if a terrorist were to gain control over a
system that is set up to prevent the collision of airplanes. In 1997, a juvenile was able
to access the communication systems of Worcester, Mass. Airport. The action dis-
rupted the telephone service to the Federal Aviation Administration Tower at the Air-
port, the Airport Fire Department, and other related services such as airport security,
the weather service, and various private airfreight companies. Furthermore, the main
radio transmitter and the circuit which enables aircrafts to send an electronic signal to
activate the runway lights on approach were disabled . Fortunately, no accidents
were caused by the attack . However, the incident clearly shows the potential dan-
ger and the vulnerability of systems that are responsible for protecting human lives. In
a worst case scenario, colliding trains or airplanes could possibly cost hundreds of lives
Finally, other scenarios with the possibility for mass mortality have also had an
impact on the discussion about possible targets for cyberterrorists. In particular, the
chance of terrorists controlling nuclear power plants or military missile control centers
has been a subject discussed by many authors . The above-mentioned power-down
of 2003 has shown that digital attacks can indeed have an impact on such systems.
However, many of these situations rely on the failure of all other security measures
at the same time. Air traffic controllers and pilots are especially trained as regards
“situational awareness” and use computers only as an aid. So, for a successful attack, it
would be necessary to manipulate pilots and/or controllers as well as intrude into the
computer system . Furthermore, military facilities that are able to launch missiles
are often not connected to the Internet, but “air-gapped” 10 instead, making a remote
launch simply impossible , .
There are, however, no grounds for a complete all-clear. One reason is that it is not
reasonable or sufficient to distinguish exclusively between “computer only” and “hu-
man only” scenarios. If organizations have (or can buy) the aid of an insider – either in
the form of active participation or in the form of gathering otherwise protected infor-
mation – many security measures can be dangerously compromised. The second reason
is that the military also makes use of increased connectivity and remote controlling in
order to save the lives of soldiers. New weapons are being developed that rely on re-
mote control. For example, semi-autonomous military robots often provide a commu-
nication channel for human controllers – sometimes even over the Internet. This, for
example, is the case with “RoboGuard”, a guard robot that can be equipped with infra-
red-sensors and weaponry , . Finally, many software products also used by
military services rely on civilian technology and established operating systems, thereby
opening additional loopholes for security risks.
Typically, a system is called “air-gapped” if it is completely physically, electrically, and electro-
magnetically isolated. In the context above, especially the fact that the system can be considered closed and
that it is not accessible from the outside, e.g. the Internet, is important.
P.W. Brunst / Use of the Internet by Terrorists 45
1.3.2. Attacks with a Long-Term-Effect
The situations mentioned above can result in a one-time catastrophe. In order to create
long-lasting panic and fear within the population, however, long-term effects and un-
certainty may be even more suitable for terrorist organizations. Scenarios that are being
discussed in this field include the manipulation of machinery, for example, in the pro-
duction of food or medication , . However, it is doubtful whether such scenar-
ios are realistic. If, for example, the production chain of a food company were altered
to create poisonous food, it seems likely that quality control would detect changes in
the composition at an early stage. In addition, a sudden increase in the use of different
ingredients would likely draw attention. Finally, the taste of the altered product would
Other possible targets include the weapons-production process, where manipula-
tion could lead to useless ammunition. This would be effective especially, because test-
ing is hardly possible and defects would be noticed only after it is too late. However,
since these production areas are usually high-risk areas, security measures are high, and
production computers are seldom linked to public networks the risk of a digital effect
in this area can be considered very low.
2. Terrorist-Related Contents
From the beginning, one great strength of the Internet has always been its use for
communication. However, widespread success began with the establishment of the
WWW and the possibility for everyone to disseminate information. Today, terrorists
have also begun to use the Internet not only to launch attacks, but also to exploit it for
new possibilities in a “war of ideas” . The use of the Internet is especially of inter-
est for the presentation of terrorist viewpoints, the propagation of threats and propa-
ganda, and the possibility to it for fundraising.
2.1. Presentation of Terrorist Views
In general, terrorists and terrorist organizations have to work undercover which makes
the communication of their views, aims, and ambitions extremely difficult. “Conven-
tional” ways to spread ideas are leaflets and “mouth-to-mouth” propaganda. However,
both alternatives are time-consuming and risky and they do not reach a large group of
people. Additionally, terrorists are faced with the problem of how to communicate with
(and possibly influence) the media or other people and organizations who might not
actively be looking for such information but who would be interested in it once intro-
duced to it.
With the help of the Internet, the situation has changed. Almost every organization
of importance now has its own website ,  and the number of terrorist websites is
steadily rising: Whereas in 1999, two of 30 deemed foreign terrorist organizations had
their own websites (according to the United States Department of State), in 2005 more
than 4,500 terrorist-related websites were known to exist , .
Many websites contain detailed information on leaders, the history of the organiza-
tion, aims, or recent successes. The information is put together in such a way that the
different “target groups”, e.g. supporters, enemies, or mass media, can easily find rele-
vant information , , . Some websites even offer cartoon-style design and
46 P.W. Brunst / Use of the Internet by Terrorists
children stories in order to reach already the youngest . Also, information is pro-
vided in different languages so that even foreigners can compare their media news with
the views of the respective organization. The website of the Revolutionary Armed
Forces of Colombia (FARC – http://www.farcep.org [last visited: September 2007]),
for example, offers information in English, Italian, Portuguese, Russian, and German.
For an overview of terrorist websites and their languages of operation, see .
As regards content, terrorists are not restricted to presenting information on their
organization alone. Everything is virtually possible, from a mere presentation of view-
points to a general glorification of terrorism or justification of recent acts of violence
(or threats to perform new acts) even up to and including the incitement of further ter-
rorist acts by the reading audience and recruits. The honoring of “martyrs” and com-
munication with families of terrorists has even already taken place. The website al-
neda.com, for example, has published the names and home phone numbers of 84 al-
Qaeda fighters who have been captured. Presumably, the aim of this action was to al-
low sympathizers to contact their families and let them know whether they were alive
. Other websites contain obituaries of suicide bombers, effectively glorifying them
and encouraging others to follow this path . The Internet has therefore become the
most important means by which terrorist organizations communicate with their sup-
porters and other interested parties 
The most popular terrorist sites attract tens of thousands of visitors each month .
Of course, governments try to shut down such websites and prevent the spreading of
information. However, the “censorship resistance” of the Internet is often used. For
example, when Jordanian officials removed an article from 40 print copies of The
Economist on sale in Jordan, an online copy was printed, photocopied, and faxed to
1,000 Jordanians, thereby circumventing local censors . Furthermore, websites are
often stored on servers that are physically located in different countries than the one the
organization is acting from. For example, several websites of al Qaeda are physically
stored in the USA and Canada .
2.2. Threats and Propaganda
As mentioned above, terrorist websites are not restricted to a presentation of views
alone. Instead, terrorists can also use the Internet to send threats to enemies and spread
propaganda. The possibility to use multimedia technology especially enables an or-
ganization to burn images into the memories of the viewing audience in an impressive
way. The assassination of Daniel Perl for example, showed the impact of psychologi-
cal warfare as conducted by these new means. Also, other more recent, messages are no
longer sent as mere text messages. Instead, professional-looking videos are being pro-
duced, e.g. in the case of threats against German and Austrian involvement in Afghani-
stan. These videos were subtitled in German and sent to a website called “Global Is-
lamic Mediafront (GIMF) . A high-ranking member of the German Office for the
Protection of the Constitution is quoted as having said that this video is seen as a form
of “psychological warfare” because it does not make direct threats, but instead creates
an atmosphere of unease . Other messages are directly forwarded to TV stations
which incorporate the material and broadcast it in their programs , . Therefore,
some attacks are staged and filmed from several angles at the same time so that the
material can be better used for the distribution to the media, websites, and the produc-
tion of DVDs .
P.W. Brunst / Use of the Internet by Terrorists 47
The use of terrorist websites, however, also has two big disadvantages. First, most
websites are only visited by people who are actively seeking such information. There-
fore, organizations have to find new ways to also reach other people, e.g. mass media.
Secondly, websites serve as a “single point of failure”: If the website is closed down,
all information contained there must be moved to another site and the new name spread
among those who wish to visit the site and get information from it.
Terrorists have started to fight both problems and added more decentralized ap-
proaches to their arsenal. This makes it harder for the government to control content on
the one hand. On the other hand, it also makes propaganda available for those capable
of being influenced by it or who are open to the views of the organization but not ac-
tively seeking it. It is probably for this reason that many propaganda videos have
shown up on video-sharing platforms such as YouTube. They depict terrorism in a glo-
rious light and show assault scenes, bombings (often accompanied by modern music),
or speeches by agitators. In addition to videos, Internet radio shows are also being
launched . Both, video and radio shows allow organizations to spread their body of
thought among young viewers who are vulnerable to such influences and may stumble
over such material while looking for a new pop song.
Material and information that is spread via the Internet can also be used to influ-
ence public opinion. Whereas, in the past, only a few well-established organizations
were able to produce newspapers, magazines, or TV shows, the Internet makes it pos-
sible for virtually anyone to launch their own periodicals or otherwise use the power of
the media. The cost advantage over traditional mass media greatly helps to promote
such journals. Al-Qaeda, for example, has launched a weekly bilingual news show con-
taining world news from a terrorist point of view , . Viewers of such online
journals often cannot identify the source and evaluate whether the news being broad-
cast is true or false. This, however, has proven to be a double-edged sword in the past.
On the one hand, organizations were able to express their own views under the guise of
a seemingly neutral authority, leading to a seemingly prevailing opinion between many
“independent” journals. On the other hand, due also to the quick proliferation of fake
communiqués, it was not easy to distinguish real terrorist messages from the statements
of non-existent groups for some time .
Nevertheless, the risk remains that traditional mass media – thanks to increasing
use of the Internet as a source of stories and illustrated footage – can fall for news sites
that are set up especially for this purpose. By attractively presenting viewpoints and
opinions, terrorist organizations can at least increase their chances of introducing these
opinions into mass media products. In this context, semantic attacks are also being dis-
cussed. A semantic attack involves subtly changing the content of the web page of a
traditional news site, thus disseminating false information , . However, it is
doubtful whether these attacks would remain unnoticed.
2.3. Fundraising and Financing
Some organizations have started to use their websites not only to disseminate informa-
tion, but also to use it as a source of income for financing (fundraising). This can be
done, for example, by selling CDs, DVDs, T-Shirts, badges, flags or books , .
Other websites give instructions on how to donate money to the organization, for ex-
ample directly by means of credit card or by providing bank account details . By
doing so, organizations can establish a link to supporters and candidates for possible
recruitment. The same can be achieved, if terrorists gather user demographics, e.g.
48 P.W. Brunst / Use of the Internet by Terrorists
from personal information entered on online questionnaires and order forms. Users that
are identified as potential sympathizers can then be e-mailed and asked to make dona-
Since the websites of the organizations themselves are often at the center of sur-
veillance by security agencies, hundreds of support websites commonly appear and
disappear. To allow visitors to find further websites, they are often link by web rings.
Yahoo for example has pulled dozens of sites in the Jihad Web Ring, a coalition of 55
Jihad-related sites .
3. Use of the Internet for Other Purposes
The third sector that is of interest to terrorists, apart from attacks carried out over the
Internet and the dissemination of information, is the use of the Internet for seemingly
harmless tasks such as sending e-mails or visiting web sites. However, the following
section will show that even these simple tasks can be beneficial to a terrorist organiza-
tion if they are carried out via the Internet. This is especially true for the individual
communication between terrorists and terrorist groups and the use of the Internet as a
planning and supporting instrument.
3.1. Individual Communication
The general benefits of the Internet, such as speed, low cost-level, and wide accessibil-
ity, apply especially if it is used for communication purposes. The use of the Internet to
communicate goes back to the roots of the Internet itself. Therefore, many tools and
programs are in existence and their functionality has already been widely tested. In
general, communication can be divided into text-based tools on the one hand, that can
either be used in realtime (“chatting”) or in delayed mode (e.g. email), and voice-based
systems on the other hand.
Text-based systems, such as email, have the advantage that they are widely avail-
able and that many companies usually offer these services free of charge. Additionally,
they do not require a lot of bandwidth, making it possible to send and retrieve informa-
tion even over older mobile phones or in areas where Internet-connections are limited.
Since email services are offered free of charge by many different companies, terrorist
organizations can rely on them and refrain from building up their own service. For ex-
ample, the organizers of the 9/11 attacks had opened multiple accounts on largely
anonymous e-mail services such as “Hotmail” .
Text-based, real-time systems, such as IRC, allow for a fast (and largely unsuper-
vised) conversation of two or more persons who are online at the same time. If, how-
ever, this is not the case, delayed applications that use a process-and-store mechanism
(as with email) have a great advantage: messages can be stored and retrieved at any
given point in time; terrorists neither have to be online all the time, nor do they have to
entrust third parties with the task of accepting personal messages for them. Finally,
many encryption tools have been developed and are freely available for this service.
Voice-based systems, however, allow for even faster communication than text-
based real-time systems.11 Voice-over-IP systems (VoIP) have enjoyed great success
In general, the bandwidth that is used by voice-based systems exceeds that of a text-based system
by and large. Therefore, technically, text-based systems will often be faster than voice-based systems. How-
P.W. Brunst / Use of the Internet by Terrorists 49
since the free-of-charge software “Skype” was introduced. Lately, many manufacturers
of messaging systems (such as AIM or Microsoft Messenger) have also included a
voice function into their products. Therefore, it is of no surprise that VoIP software has
been found in connection with al-Qaeda cells , .
3.2. Encryption and Anonymity
Information that is exchanged over the Internet is – by nature – digital. This allows for
easy encryption and also for opportunities to remain anonymous. With regard to the
latter, anonymity services and open proxies can be used. However, in many cases, ter-
rorists must anticipate that their message will be intercepted. Therefore, they must ei-
ther disguise the message itself or use conventional encryption techniques.
To hide a message, two techniques are especially being discussed. The first is to
hide the message with the help of steganography. In this case, a message is hidden in-
side a picture, sound file, or any other file , . This file can then be put on any
public website, e.g. a photo could be put on a classic photo site such as webshots.com.
Afterwards, other members of the organization could download the picture and decrypt
the message. The entire process is concealed because no one (except for the terrorists)
knows that the file contains more information than initially appears. Furthermore, the
course of action is completely inconspicuous because it is an everyday event to up- or
download a picture from a photo site and does not draw any attention to itself. Some
authors claim that the use of steganography is only a myth . However, even if this
technique is not proven, there is a possibility that it could be used by terrorists as well
as anybody else.
Furthermore, also other techniques could be used to secretly pass messages that
cannot be noticed or deciphered by observers. If, for example, code words or certain
signals are being agreed upon between different terrorists, it would be sufficient to use
this code word in an inconspicuous context. Therefore, experts currently argue whether
the color of the beard of Osama Bin Laden in his latest video is a secret message for his
followers . Similar techniques were already used by the group of terrorists conduct-
ing the attack on 9/11. The message from Mohammed Atta to the other attackers stated
that “19 confirmations for studies in the faculty of law, the faculty of urban planning,
the faculty of fine arts, and the faculty of engineering” were obtained . This mes-
sage could be sent without attracting any attention, even if it was intercepted. For the
well-informed, however, the references to the various faculties revealed the different
targets for the assassins.
Another method of preventing the content of a message from being revealed is the
use of a free mailer e-mail account. To begin with, the use of a free mailer account it-
self offers a great degree of anonymity and protection in itself, especially if more than
one service is used (either alternatively or simultaneously). However, to protect the
content of an e-mail, the account is used in an unconventional way: instead of logging
in, writing, and sending an e-mail, the password is not known to just one person but to
two – sender and recipient. The sender logs onto the account and writes, but does not
send, the message. Instead, the message is saved as a draft. Later, the recipient logs
onto the same account and reads the message in the draft folder. By means of this tech-
nique, the message never leaves the system, so that no traces of an e-mail remain on
ever, from a user point of view “simply talking” is often felt as being more direct and quicker than pressing
keys on a keyboard.
50 P.W. Brunst / Use of the Internet by Terrorists
any system. Thereby, governmental filtering systems were successfully circumvented
for a long time . In the meantime, however, this technique is known to secret ser-
vices around the globe. Therefore, if conventional messages (i.e. unencrypted or not in
other ways protected) are being exchanged in this way, terrorist conversations can still
be tapped . More difficulties arise, however, if this technique is not used with e-
mail accounts, but with online repositories. These storage places accept all kinds of
different files, e.g. plain text file, encrypted files, or the above-mentioned seemingly
harmless files that contain further information hidden inside.
But even if terrorists decide to send messages as proper e-mails (e.g. because there
was no safe channel to exchange the password for the e-mail account), they can do so
confidently because any message can be encrypted. Apparently, terrorists are already
using all the possibilities that computers and networks offer, “starting from encryption
techniques to password-protected repositories somewhere in the virtual world” .
This statement by the President of the German Federal Police (Bundeskriminalamt)
Jörg Ziercke was confirmed when thousands of encrypted messages were found by
federal officials on the computers of arrested Al-Qaeda terrorists Abu Zubaydah and
Ramzi Yousef; the latter of which was tried for the previous bombing of the World
Trade Center , . Good encryption programs are available to the public as open-
source software. Thus, terrorists can be sure that no hidden “backdoor” is contained in
the program. Furthermore, if the right encryption parameters are used, even up-to-date
technology is not able to decrypt the message without the proper key.
Yet, apparently not all terrorists use encrypted messages. For example, the organ-
izers of the 9/11 attacks indeed used e-mail, but did not see the need to encrypt their
messages . In some cases, this might not be careless, but the intended purpose. If, for
example, terrorists want the content of their communication to become known, they
send it in unencrypted form in the hopes that the message will be intercepted by the
appropriate authorities. Since it is common knowledge that the surveillance of tele-
communication is on the rise, such information could be purposefully disseminated in
order to conceal other – real – attack plans that concentrate on other targets .
3.3. Planning and Supporting
According to a terrorist training manual, public sources can provide up to 80% of all
required information on an opponent . Officials agree and state that the combina-
tion of all unclassified information available in the Internet “adds up to something that
ought to be classified”. Terrorists can therefore heavily rely on publicly available in-
formation in the Internet for the planning of attacks and for the support of their mission.
Examples of this field of application are especially the use of publicly available infor-
mation and the collection of specialized information for training purposes.
3.3.1. Publicly Available Information
An often cited example of publicly available information which is useful for terrorists
is the satellite maps that are provided, for example, by Google, Microsoft, or NASA.12
In former times, these images were only available to experts. Now, they are a common
good and accessible for anybody, including terrorists , . In the eyes of govern-
See, for example, Google Earth (http://earth.google.com), Google Maps (http://maps.google.com),
Microsoft Virtual Earth
(http://www.microsoft.com/ virtualearth), or NASA WorldWind (http://worldwind.arc.nasa.gov)
P.W. Brunst / Use of the Internet by Terrorists 51
ments around the world, at least part of such information poses a threat to national se-
curity because it allows the examination of otherwise protected areas from a bird’s eye
view. Therefore, it is reasonable that officials have begun to ask providers of digital
maps to disclose certain – security-relevant – information, e.g. defensive fortifications
or military development and production areas , . But even maps of publicly
accessible areas can be of interest because they can easily be combined with other data,
such as street names. As a result, for example, escape routes can be planned with great
precision, even before a territory is inspected in person.
In many cases, the information that is contained on the website of possible targets
(e.g. companies or government institutions) is also of interest to terrorists. In one case,
for example, maps, time schedules for shuttle busses, and a copy of the official tele-
phone directory of a military base were available via the official website. This informa-
tion could be gathered by terrorists and used for the preparation of a conventional at-
tack. The same is true for much other information that can be accessed via the Internet.
For example, reports of security weaknesses in airports or transport companies could
draw the attention of terrorists to possible targets . In summary, the amount of sen-
sitive data that can be discovered at the various corporate websites can be constituted as
“a gold mine for potential attackers” . According to some authors, terrorist organiza-
tions have even started to use databases to gather, sort, and evaluate the details of po-
tential targets in the United States . Actual findings on terrorists’ computers have
shown that publicly available information of all kinds are indeed being downloaded
and used for planning purposes , , .
Since so much information that can be abused is available over the Internet, some au-
thors claim that the Web has become “an open university for jihad” . Some infor-
mation that is of great interest – especially for new terrorists – has even been pre-
compiled, e.g. information on bombs, poisons, or many other dangerous goods. The
“Mujahadeen Poisons Handbook”, for example, contains various “recipes” for home-
made poisons and poisonous gases for use in terrorist attacks , . Comparable
information can also be found in other collections, such as the “Terrorist’s Handbook”,
the “Anarchist Cookbook”, the “Encyclopedia of Jihad”, the “Sabotage Handbook”,
and the famous “How to make Bombs”, all of which are freely available. Modern ter-
rorists amend these handbooks by adding extra information, e.g. on hostage taking,
guerrilla tactics, and special bombs . Some excerpts, e.g. from the virtual training
manual of al-Qaida Al Battar, have been published by the U.S. Department of Justice
The danger that appears to originate from many of these compilation should, how-
ever, not be overestimated. Even though the documents are clearly labeled, many of
them contain the same information that can be found in most standard chemistry books
for university students. Then again the Internet offers some advantages over traditional
libraries. For example, contents can be gathered without causing any suspicion and
without attracting a librarian’s attention. Furthermore, new information can be added at
any time and collections can be mirrored between different locations. This (and the
possibility to use anonymity services for retrieving the information) enables terrorists
to circumvent censorship and deletion.
52 P.W. Brunst / Use of the Internet by Terrorists
As explained above, the Internet can serve as a huge library for terrorists. Combined
with the possibilities to interact fast and anonymously with each other new opportuni-
ties for a support between terrorists and terrorist groups arise. This can happen in three
different ways: (1) supporters find instructions on what contributions are currently
needed by an organization; (2) organizations offer help to individuals; and (3) organiza-
tions help each other.
The first possibility is that individuals support a terrorist organization. This can
happen in many of the ways that are being described above, e.g. through financing. But
also support of electronic attacks has already taken place. Recently, for example, soft-
ware called “the electronic jihad program” has been discovered on jihadi web sites. The
program can be downloaded by interested followers. It is designed as to allow indi-
viduals to easily participate in attacks on different web sites over a windows-like inter-
face. In order to encourage other users, usernames of participants and the hours spent
for attacking websites are being collected and put on public “high score”-lists. The
publishers of this software obviously hope that with a spreading use of the Internet con-
tinually more users engage in such a form of “electronic jihad” , .
The second form of support goes into the opposite direction, i.e. terrorist organiza-
tions support individuals in their efforts. This form of support can especially take place
in the above mentioned way of compiling information for special purposes like instruc-
tions on hostage taking or on building bombs. This form of support is seemingly on the
rise. Al-Qaeda, for example, is said to run a “massive and dynamic online library of
training materials” which is supported by experts who can answer questions either on
message boards or in chat rooms. Topics that are covered in this database are said to
range from weapons and poisons to navigation instruments and even to camouflaging
and masquerading . Such a “terrorist’s helpdesk” could enable small groups of ter-
rorists all over the globe to act fast and competent.
Information on the third form of support – support between different organizations
– is hardly available. However, at least the technical infrastructure is available that al-
lows loosely interconnected groups to maintain contact with one another. Even terrorist
groups that fight for different political goals and that are located in different geographi-
cal areas could communicate with each other and exchange information, such as on
weapons or tactics .
4. Conclusion and Recommendations
The assessments in the literature on the danger of terrorists using the Internet range
from “imminent threat” to an “exaggerated cyber angst”. This, however, is mostly due
to the fact that no common definition of cyberterrorism exists. Most authors would
probably agree that terrorists have begun using the Internet at least for communication
purposes. Only a few, however, would describe this as a form of cyberterrorism. Based
on the broad approach that is being followed in this chapter, for a realistic assessment
of a terrorist use of the Internet one has to look at the skills terrorists have shown up to
today, the protection of the possible targets and services described above, and the re-
sults that are possible if terrorists choose to actually use the Internet.
P.W. Brunst / Use of the Internet by Terrorists 53
Often, those who claim that cyberterrorism is not a real threat state also that terrorists
lack the necessary skills for an electronic attack. This is true insofar as attacks in secu-
rity-relevant areas indeed require highly developed computer skills that exceed com-
mon user know-how by far. Therefore, some experts assume that it would take from
two to four years of preparation for a structured cyber attack against multiple systems
and networks. For a “complex coordinated cyberattack, causing mass disruption against
integrated, heterogeneous systems” even six to ten years would be needed .
The current generation of young terrorists, however, has – as least partly – been
growing up in a digital world. Seized computers of al-Qaeda, for example, show that
they are becoming increasingly familiar with hacker tools that are freely available over
the Internet . Also the above-mentioned use of encryption and communication tools
as well as the design and setup of web sites confirm this observation.
But even if the terrorists themselves were not yet ready for an attack, this is no rea-
son for an all-clear. With the above-mentioned interconnection and the fact that much
information on security issues is available on the Internet terrorists can gain this ex-
perience in only a short time . Furthermore, skill and information can also be ac-
quired on the free market. The Islamic fundamentalist group “Harkat-ul-Ansar”, for
example, has attempted to buy cyber attack software from hackers in late 1998 .
Also the above-mentioned “Zero-Day exploits” are available for anybody who is will-
ing and able to spend between $ 1,000 and $ 5,000. The same is true for computers that
can be used in a DDoS attack. In this case, prices range only from $ 150 to $ 400, de-
pending on the target and duration of the attack .
However, some authors doubt if organizations have enough money for large strikes.
After evaluating the results of a governmental test for a “Digital Pearl Harbor”, for ex-
ample, officials stated that terrorists would have to spend about $ 200 million for ap-
propriate resources . But in this calculation it has to be considered that several ter-
rorist-sponsoring nations might want to become involved. They can either invest
money in terrorist organizations, provide know-how and resources, or aid external ef-
forts by contributing their own personnel. The U.S. Department of State, for example,
lists several designated state sponsors of terrorism . Other countries are known for
the training of hackers for national defense purposes or keeping specialized depart-
ments within their intelligence services , , , , .
Summarizing it can be stated that different terrorists and terrorist organizations
have demonstrated their newly gained experiences with technology. This is especially
true for the presentation of terrorist contents and the use of the Internet for other pur-
poses. A large cyber attack that was verifiably committed by terrorists has – up till now
– not yet taken place. However, it has to be assumed that terrorists can either use their
own skills or cooperate with different parties in order to launch digital strikes.
4.2. Possible Results
When looking at the results that are possible one has to differentiate between the use of
the Internet for the distribution of contents or similar forms of utilization and the use
for a digital attack.
54 P.W. Brunst / Use of the Internet by Terrorists
4.2.1. Common Use of the Internet
The use of the Internet for buying airline tickets or gathering information on a certain
building is in essence a legitimate use of the Internet regardless of the underlying moti-
vation and intention . Therefore, the direct result of terrorists using the Internet for
the above mentioned purposes is hardly noticeable. However, the indirect conse-
quences are not marginal.
Especially the possibility to stay in contact from almost any place in the world and
the chance to do so without being noticed by intelligence services is a great benefit for
terrorists and terrorist organizations. Furthermore, the tracing of suspects is being seri-
ously hindered if anonymity services and encryption techniques are being used.
4.2.2. Use for Digital Attacks
The attacks that can possibly be launched over the Internet have been illustrated above.
Especially the latest attacks on the country of Estonia in 2007 have shown that a well
planned attack can bring down major commercial banks, telecommunication services,
name servers, and even ATMs all at the same time. In essence, according to Estonian
Defense minister Jaak Aaviksoo, the national security of an entire nation was threat-
ened by this particular attack .
However, terrorists will carefully assess how much time, personnel, and money is
needed for a certain attack and what the outcome will be. A scenario that results “only”
in the unavailability of (computer or other) services is likely to be put aside since the
outcome is a common phenomenon even without computer attacks. Other scenarios
that are able to create public fear and extensive media coverage on the other hand will
be considered by terrorists in greater depth.
But then again, terrorists will consider the efforts that it takes to carry out such at-
tacks. Often, a conventional attack can be carried out with greater ease – and it can be
easily repeated (whereas a computer-based attack is a one-time threat if the security
hole can be fixed afterwards). For example, a cyber attack on a transportation system is
possible – but the same (or even greater) result can be created with the use of explo-
sives. The same thought applies also to many other scenarios .
From this point of view a sole large digital attack executed by a terrorist organiza-
tion seems rather unlikely, because the effort would exceed the possible outcome. It
does seem likely, however, that followers are incited to start attacks by themselves.
This, for example, seems to have happened in the case of the attack against Estonia:
Hackers and “script kiddies” alike were instigated in chat rooms to initiate DoS attacks
against Estonian services at the same time . The second possibility that seems
likely are the above-mentioned hybrid attacks. These can be used in conjunction with a
conventional attack in order to increase the number of casualties. In these cases the
preparation is often easy or can be bought, e.g. if DDoS attacks are used.
4.3. Level of Protection
Most experts agree that some of the worst and scariest results of digital attacks are only
possible, because many targets are only poorly protected. In a recent study, for example,
U.S. authorities were audited on the implementation of the Federal Information Secu-
rity Management Act of 2002 (FISMA) that defines IT-security measures such as se-
cure password management or access control. The overall rating for all government
P.W. Brunst / Use of the Internet by Terrorists 55
agencies was a school grade of “D+”.13 Interestingly enough, the Department of Home-
land Security, which is also responsible for the coordination of state cyber security,
received an “F”. Indeed, it failed the test three times in a row . But also other gov-
ernments around the world were found to be vulnerable to cyber attacks. Computers at
the Chancellery and three ministries in Germany, for example, have been infected with
spy programs that allegedly were installed over the Internet by Chinese army hackers
However, it is not the public sector alone that is to be blamed. More than 80 per-
cent of critical infrastructure systems are privately owned . Many of these systems
are also easy targets and not adequately protected. A survey conducted in 1997, for
example, found that then 40 percent of water facilities allowed their operators direct
access to the Internet, and 60 percent of the SCADA systems could be connected by
modem. Additionally, even in power plants configurations were detected where all con-
trol systems were set to the same password . Furthermore, even actual attacks on
the systems were often not detected. In the above-mentioned case of 2000 when a con-
sultant broke into the control system of sewage treatment in Queensland, Australia, it
took over 40 attempts to actually unleash the raw sewage. Not one of the unsuccessful
attempts, however, was noticed by the people managing the infrastructure .
From the analysis carried out above, mainly three different recommendations can be
derived. They regard the awareness towards security issues, the communication paths
between countries and different institutions, and the dealing with terrorist contents.
4.4.1. Security Awareness
Especially the results of the last section show that a severe problem lies in the level of
protection at the different sites. Unprotected systems – especially if they are responsi-
ble for valuable infrastructure, services, or data – pose a just too tempting target for
cybercriminals as well as for terrorists. Therefore, a strong initiative should be started
to incite the public and the private sector to invest more time, money, and care into
In the public sector, several instruments have been introduced that were targeted to
either test security level of public institutions or to raise their awareness towards secu-
rity issues. The well known test called “Eligible Receiver” that was conducted in 1997,
for example, was able to point out several serious vulnerabilities in the military’s com-
puter network. Other tests have led to similar results. With a view to a raised awareness
towards security issues, the U.S. FISMA is a good example. Through this act public
institutions are forced to inspect and adjust their measures at regular intervals.
Similar initiatives could lead to better results also in the private sector. Currently,
many companies might not be aware of their importance for the economy as a whole –
or at least they do not act according to this role. According to Richard Clarke a typical
company devotes only one quarter of one percent of its information technology budget
to cyber security or – as he puts it – “slightly less than they spend on coffee” . To-
day, these figures have changed slightly, but still more than half of the companies that
In U.S. school grades an “A” stands for “excellent”, “B” for “above average”, “C” for “average”
and “D” for “below average, but passing”. Grades of “F” (or “E”) mean failure.
56 P.W. Brunst / Use of the Internet by Terrorists
answered to the CSI survey of 2007 stated that they spent 5% or less .14 A possible
initiative could – as a first step – classify companies according to their endangerment.
If – according to this classification – high- and medium-risk businesses would also be
audited (comparable to FISMA), this again could have two positive effects: First, it
would be known, which companies are responsible for certain critical infrastructures.
In the U.S. alone, for example, some 5,700 companies are deemed to be essential to
national security . Secondly, it would become known which dependencies between
these companies currently exist. Thirdly, due to the auditing, also companies in the
private sector would have to increase their security level constantly.
4.4.2. Communication Paths
The second recommendation against digital attacks concerns the communication
between different institutions in the case of an attack. Most cybercrime cases involve
not only resources in one, but in many different countries or institutions at the same
time. Therefore, fast and efficient communication is of the essence to fight digital at-
tacks. Several initiatives have been made so far to strengthen this sharing of informa-
tion in the event of a digital attack.
Article 35 of the Convention on Cyber Crime by the Council of Europe, for exam-
ple, asks the member countries to introduce contact points that are available on a 24
hour, 7 day per week basis in order to ensure immediate assistance for the purpose of
investigations or proceedings concerning criminal offences related to computer systems
and data. This 24/7 network is an important step towards fast communication paths
between different countries.
Similar activities, however, are needed not only between countries, but also be-
tween the different institutions within each country. In the U.S., for example, the Na-
tional Infrastructure Protection Center (NIPC) was created in 1998. Its mission is to
provide “a national focal point for gathering information on threats to the infrastruc-
tures, and providing the principal means of facilitating and coordinating the federal
government’s response to an incident, mitigating attacks, investigating threats, and
monitoring reconstitution efforts.” . To accomplish this mission, the NIPC believes
that it is necessary to build a “coalition of trust amongst all government agencies, be-
tween the government and the private sector, amongst the different business interests
within the private sector itself, and in concert with the greater international commu-
In essence, fixed communication paths have to be established between (1) different
countries (e.g. through the 24/7 network of the Council of Europe), (2) between the
different institutions and services in the public sector, and (3) between important com-
panies in the private sector and institutions in the public sector. As a guide on what
companies have to be considered “important” in this context, the infrastructure defini-
tion of the NIPC can be taken into account. It defines infrastructure as “those physical
and cyber-based systems essential to the minimum operations of the economy and gov-
ernment, including telecommunications, energy, banking and finance, transportation,
water systems, emergency systems, both governmental and private” .
12% of the companies asked in the 2007 survey answered that they spend less than 1% of the IT
budget on security (2006: 21%), 23% (2006: 26%) stated that they spend one to two percent and 26% (2006:
only 6%) invested from 3 to 5%. These figures are based on 484 Respondents. See .
P.W. Brunst / Use of the Internet by Terrorists 57
4.4.3. Terrorist Contents
The final recommendation regards the interaction with terrorist contents, e.g. websites
and training materials. It might sound provocatively, but the (young) history of the
Internet shows that all efforts to censor and control media and communication are
doomed to fail. Technically, it is almost impossible to effectively hinder websites or to
block communication between terrorists  – especially if encryption technology or
other methods to obscure their communications are being used. Additionally, all of
these efforts threaten civil liberties and the freedom of law-abiding citizens. Finally, it
is still unclear how the valuation of crimes and ethics in different countries can safely
Therefore, countries should refrain from enacting ineffective control methods of a
purely symbolic nature that seriously infringes the freedom of information rights and
that can lead to the development of uncontrolled surveillance . Instead, advantage
should be taken of the situation that terrorists communicate over open channels .
This can be used, for instance, to register activities, assess the size and possibly future
actions of terrorist groups.
 U. Sieber/P. Brunst, in: Council of Europe (Ed.), Analytical Report: Cyberterrorism and Other Use of
the Internet for Terrorist Purposes, Strasbourg 2007 (forthcoming).
 J. Record, Bounding the global war on terrorism. Strategic Studies Institute of the U.S. Army War
College, http://www.strategicstudiesinstitute.army.mil/pdffiles/PUB207.pdf [last visited: September
2007], December 2003.
 B. Golder/G. Williams, What is ‘terrorism’? Problems of legal definition, University of New South
Wales Law Journal 2004, Vol. 27, p. 270-295.
 B. Foltz, Cyberterrorism, computer crime, and reality, In: Information Management & Computer Secu-
rity, 15.03.2004, Vol. 12, No. 2, p. 154-166.
 M. Conway, Reality Bytes: Cyberterrorism and Terrorist ‘Use’ of the Internet, In: First Monday,
04.11.2002, Vol. 7, No. 11, http://firstmonday.org/issues/issue7_11/conway/ [last visited: September
 M. Gercke, „Cyberterrorismus“ – Aktivitäten terroristischer Organisationen im Internet, CR 2007, p.
 G. Weimann, Terror on the Internet, Washington D.C. 2006.
 C. Wilson, Computer Attack and Cyberterrorism: Vulnerabilities and Policy Issues for Congress, Con-
gressional Research Service Report for Congress (RL32114), Updated April 1, 2005.
 Tomuschat, C., Council of Europe Committee of Experts on Terrorism (CODEXTER), Strasbourg, On
the possible “added value” of a comprehensive Convention on Terrorism, 26 Human Rights Law Jour-
nal 2005, p. 287-306.
 U. Sieber, The Threat of Cybercrime, in: Council of Europe (ed.), Organized Crime in Europe, stras-
bourg 2005, p. 81-218.
 L. Janczewski/A. Colarik, Managerial Guide for Handling Cyber-Terrorism and Information Warfare,
Hershey, London 2005.
 M. Vatis, Cyber attacks during the war on terrorism: a predictive analysis, 22.09.2001,
http://www.ists.dartmouth.edu/analysis/cyber_a1.pdf [last visited: September 2007].
 J. Leyden, Mass hack takes out govt sites, The Register, 22.01.2001, http://www.theregister.co.uk/
2001/01/22/mass_hack_takes_out_govt/ [last visited: September 2007].
 Y. Musharbash, US-Firmen-Website für Qaida-Botschaft gehackt, Spiegel Online, 17.06.2004,
http://service.spiegel.de/digas/find?DID=31237523 [last visited: September 2007].
 S. Berinato, The Truth About Cyberterrorism, CIO Magazine, 15.03.2002, http://www.cio.com/archive/
031502/truth.html [last visited: September 2007].
 S. Stasiukonis, Social Engineering, the USB Way, http://www.darkreading.com/document.asp?
doc_id=95556&WT.svl=column1_1 [last visited: September 2007].
58 P.W. Brunst / Use of the Internet by Terrorists
 G. Weiman, Cyberterrorism: The Sum of All Fears? Studies in Conflict & Terrorism, 28 (2005), p. 129-
 Symantec Corp, Internet Security Threat Report XI (March 2007).
 B. Bidder, Angriff der Cyber-Söldner, Der Spiegel 31/2007, pp. 74-76.
 OLG Frankfurt a.M., MMR 2006, pp. 547-552.
 D. Denning, Activism, Hacktivism, and Cyberterrorism: The Internet as a Tool for Influencing Foreign
Policy, http://www.totse.com/en/technology/cyberspace_the_new_frontier/cyberspc.html [last visited:
 G. Weiman, Cyberterrorism. How real is the threat? United States Institute of Peace Special Report 119,
December 2004, http://www.usip.org/pubs/specialreports/sr119.pdf [last visited: September 2007].
 C. Stöcker, Delle im Datenstrom: Hacker attackieren Internet-Rootserver, http://www.spiegel.de/
netzwelt/tech/0,1518,464926,00.html [last visited: September 2007].
 ICANN, Factsheet on root server attacks on 6 February 2007, as of: 01 March 2007,
http://icann.org/announcements/factsehhet-dns-attack-08mar07.pdf [last visited: September 2007].
 A. Wilkens, Kabelbruch im Atlantik koppelt Island vom Internet ab, Heise Online 18.12.2006,
http://www.heise.de/newsticker/meldung/82700 [last visited: September 2007].
 C. Persson, „Rückfall ins Telefonzeitalter“ nach Erdbeben, Heise Online, 28.12.2006,
http://www.heise.de/newsticker/meldung/83007 [last visited: September 2007].
 D. Leppard, Al-Qaeda plot to bring down UK internet,Times Online, 11.03.2007,
http://www.timesonline.co.uk/tol/news/uk/crime/article1496831.ece [last visited: September 2007].
 D. Bachfeld, War der Wurm drin? IT-Sicherheit in der US-Stromversorgung, http://www.heise.de/
ct/03/18/034/default.shtml [last visited: September 2007].
 R. Lenzner/N. Vardi, The Next Threat, www.forbes.com/forbes/ 2004/0920/070_print.html [last vis-
ited: September 2007].
 G. Giacomello, Bangs for the Buck: A Cost-Benefit Analysis of Cyberterrorism, In: Studies in Conflict
& Terrorism, Vol. 27 (2004), p. 387-408.
 F. Cohen, Cyber-Risks and Critical Infrastructures, In: Alan O’Day (Ed.), Cyberterrorism, p. 1-10.
 G. Ou, RFID passports with improper shielding triggers bomb in simulation, ZDNet 09.08.2006,
http://blogs.zdnet.com/Ou/?p=289 [last visited: September 2007].
 H. Cheung, Blackhat 2006: Explosive risks in RFID-enabled passports? TG Daily 03.08.2006,
http://www.tgdaily.com/content/view/27899/113/ [last visited: September 2007].
 S. Koesch/F. Magdanz/R. Funkchip-Reisepass zündet Bombe, Spiegel Online, 21.08.2006,
http://www.spiegel.de/netzwelt/mobil/0,1518,432654,00.html [last visited: September 2007].
 P.H. Gleick, Water and terrorism, Water Policy 8 (2006), p. 481-503.
 Testimony of FBI Deputy Assistant Director Keith Lourdeau at the Hearing before the subcommittee on
terrorism, technology and homeland security of the committee on the judiciary United States Senate on
“Virtual Threat, Real Terror: Cyberterrorism in the 21st Century”, Feburary 24, 2004, Serial No. J-108-
 B. Gellman, Cyber-Attacks by Al Qaeda Feared, The Washington Post, June 27, 2002, page A01.
 P.H. Gleick, Water Conflict Chronology (as of: October 12, 2006), http://worldwater.org/
conflictchronology.pdf [last visited: August 2007].
 M. Pollitt, Cyberterrorism – Fact or Fancy? http://www.cs.georgetown.edu/~denning/infosec/
pollitt.html [last visited: September 2007].
 J. Green, The Myth of Cyberterrorism. There are many ways terrorists can kill you – computers aren’t
one of them. Washington monthly, November 2002. http://www.washingtonmonthly.com/features/
2001/0211.green.html [last visited: September 2007].
 U.S. Army Training and Doctrine Command, Cyber Operations and Cyber Terrorism, DCSINT Hand-
book No. 1.02, http://www.fas.org/irp/threat/terrorism/sup2.pdf [last visited: September 2007].
 F. Rötzer, Vorsicht, schießender Roboter, Telepolis 19.08.2000, http://www.heise.de/tp/r4/artikel/6/
6973/1.html [last visited: September 2007].
 W. Stieler, Schießender Roboter beunruhigt Experten, Heise News 31.08.2000, http://www.heise.de/
newsticker/meldung/11621/ [last visited: September 2007].
 G. Weimann, www.terror.net. How Modern Terrorism Uses the Internet. United States Institute of
Peace Special Report 116, March 2004, http://www.usip.org/ pubs/specialreports/sr116.pdf [last visited:
 S. Coll/S. Glassner, Terrorists turn to the web as base of operations, The Washington Post, 7 August
2005, Section A01.
 Y. Tsfati/G. Weimann, www.terrorism.com: Terror on the Internet, In: Studies in Conflict & Terrorism
2002 (25), p.317-332.
 T. Thomas, Al Qaeda and the Internet: the danger of “cyberplanning”, In: Parameters, Spring 2003.
P.W. Brunst / Use of the Internet by Terrorists 59
 Y. Musharbash, The Cyber-Cemetery of the Mujahedeen, Spiegel Online, 28.10.2005,
http://www.spiegel.de/international/0,1518,382097,00.html [last visited: September 2007].
 Bundesministerium des Inneren (Ed.), Verfassungsschutzbericht 2005, Berlin 2006.
 S. Lawrence, Terrorism and the Internet, Technology Review, February 2005, p. 50-51.
 A. Ramelsberger, Krieger im Internet, Süddeutsche Zeitung, 15 March 2007, p. 5.
 Süddeutsche Zeitung, „Diesen Krieg könnt ihr Euch nicht leisten“, Süddeutsche Zeitung vom
11.03.2007, http://www.sueddeutsche.de/deutschland/artikel/189/105084/ [last visited: September
 N. D. Kristof, Terrorists in Cyberspace, The New York Times, 20 December 2005, Section A, Coumn 5,
Editorial Desk, Pg. 31.
 Y. Musharbash, Al-Qaida launches a weekly news show, Spiegel Online, 07.10.2005,
http://www.spiegel.de/international/0,1518,378633,00.html [last visited: September 2007].
 E. Kohlmann on ZDNet Government 19 April 2006, http://government.zdnet.com/?p=2216 [last vis-
ited: September 2007].
 J. Tolson, Cracking al Qaeda’s code, U.S. News & World Report; 5/17/2004, Vol. 136 Issue 17, pp. 72-
 S. Krempl, Terroristen verstecken Botschaften angeblich in IP-Headern, Heise News from 09.03.2003,
http://www.heise.de/newsticker/meldung/35137 [last visited: September 2007].
 Y. Musharbash, Beim Barte des Bin Laden! Spiegel Online 13 September 2007,
http://www.spiegel.de/politik/ausland/0,1518,505319,00.html [last visited: September 2007].
 B. Wagner, Experts Downplay Imminent Threat of Cyberterrorism, National Defense Magazine, Issue
July 2007, http://www.nationaldefensemagazine.org/issues/2007/July/ExpertsDownplay.htm [last vis-
ited: September 2007].
 S. Kaiser/M. Rosenbach/H. Stark, „Operation Alberich“, Der Spiegel 37/2007, p. 20-26.
 President of the German Federal Police (Bundeskriminalamt) Jörg Ziercke, in Der Spiegel, 9/2007, p.36.
 J. Radü, Terroristen suchen Ziele mit Google Earth, Spiegel Online, 13.01.2007,
http://www.spiegel.de/netzwelt/web/0,1518,459542,00.html [last visited: September 2007].
 T. Harding, Terrorists ‘use Google maps to hit UK troops’, Telegraph 13 January 2007,
http://www.telegraph.co.uk/news/main.jhtml? xml=/news/2007/01/13/wgoogle13.xml [last visited: Sep-
 F. Patalong, Das zensierte Weltauge, http://www.spiegel.de/netzwelt/web/0,1518,464186,00.html [last
visited: September 2007].
 A. Seith, Google Earth verschleiert indische Verteidigungsanlagen, ttp://www.spiegel.de/netzwelt/web/
0,1518,464178,00.html [last visited: September 2007].
 J. Kuri, BKA-Forensiker entlöschen Bombenbaupläne, Heise News from 08.03.2007,
http://www.heise.de/newsticker/meldung/86388 [last visited: September 2007].
 Y. Musharbash, Qaidas Leitfaden für Entführungen, Spiegel Online, 30.11.2005,
http://www.spiegel.de/politik/ausland/0,1518,387691,00.html [last visited: September 2007].
 L. Greenemeier, “Electronic Jihad” app offers cyberterrorism for the masses, ITNews 3 July 2007,
www.itnews.com.au/Tools/Print.aspx?CIID=85204 [last visited: September 2007].
 L. Greenemeier, Cyberterrorism: By Whatever Name, It’s On The Increase, InformationWeek 7 July
2007, http://www.informationweek.com/story/showArticle.jhtml?articleID=200900812 [last visited:
 G. Weimann, Terrorists and Their Tools – Part II. Using the Internet to recruit, raise funds, and plan
attacks, YaleGlobal, 26.04.2004, http://yaleglobal.yale.edu/article.print?id=3768 [last visited: Septem-
 T. Espiner, Foreign powers are main cyberthreat, U.K. says, ZDNet 11/22/05,
http://news.zdnet.com/2102-1009_22-5967532.html [last visited: September 2007].
 C. Wagner, Countering Cyber Attacks, The Futurist, Issue May/June 2007, p. 16.
 J. Davis, Hackers Take Down the Most Wired Country in Europe, Wired Magazine, Issue 15.09,
http://www.wired.com/print/politics/security/magazine/15-09/ff_estonia [last visited: September 2007].
 A. Chang, China Denies Hacking Pentagon Computers, Wired News 4 September 2007,
http://news.wired.com/dynamic/stories/C/CHINA_US_HACKERS?SITE=WIRE [last visited: Septem-
 R. Lemos, E-terrorism. Safety: Assessing the infrastructure risk, CNET News, 26 August 2002,
http://news.com.com/2009-1001_3-54780.html [last visited: September 2007].
 P.-M. Ziegler, US-Behörden fallen bei IT-Sicherheit durch. Heise Security from 16.03.2006,
http://www.heise.de/security/news/meldung/70946 [last visited: September 2007].
 Richardson, Robert, CSI Computer Crime and Security Survey 2007. Available at
http://www.gocsi.com [last visited: September 2007].
60 P.W. Brunst / Use of the Internet by Terrorists
 B. Gellman, U.S. Fears Al Qaeda Cyber Attacks, Post-Newsweek Business Information Newsbytes, 26
 Testimony of Ronald L. Dick, Director of the National Infrastructure Protection Center before the Hou-
se Committee on Governmental Reform, Government Efficiency, Financial Management and Intergov-
ernmental Relations Subcommittee on “Cyber Terrorism and Critical Infrastructure Protection” on 24
July 2002, http://www.fbi.gov/congress/congress02/nipc072402.htm [last visited: September 2007].
62 G. Weimann / WWW.AL-QAEDA: The Reliance of al-Qaeda on the Internet
September 2007. We applied a systematic content analysis to the accumulating archive
of terrorist sites. Throughout the years of monitoring the terrorist presence in the Net,
we learned how to locate their new sites, how to search in chat rooms and forums of
supporters and sympathizers for the new “addresses” and how to use links in other
organizations’ websites to update our lists. This was often a Sisyphean effort,
especially since in certain instances (e.g., al Qaeda’s websites) the location and the
contents changed almost daily.
The present report, one of numerous publications on the project of monitoring and
analysis of the terrorist presence on the Internet, focuses on the terrorist entity that
leads, in terms of amount as well a sophistication, terrorist abuse of the Net, namely al
Al Qaeda Goes Virtual
Al Qaeda (Arabic for “The Base”) traces its roots to the Afghan resistance to the Soviet
invasion of Afghanistan in 1979. In 1982 Osama bin Laden joined the anti-Soviet
resistance. He went to Afghanistan, where he joined the mujahedeen and established
his own military camps. In 1988, bin Laden established al Qaeda, at first not as a
terrorist organization but as a network of foreign soldiers who had come to Afghanistan,
so that the soldiers’ relatives could track them. In 1989, when the Russians withdrew
from Afghanistan, bin Laden returned to Saudi Arabia; however, the Saudi government
placed him under house arrest and then forced him to move to Sudan. While in Sudan,
bin Laden formed his alliances with militant groups from Egypt, Pakistan, Algeria, and
Tunisia, as well as sending fighters to Chechnya and Tajikistan. In 1996, under
American pressure, Sudan forced bin Laden and other members of al Qaeda to leave,
and they moved to Afghanistan, where they stayed until the U.S. attacks on the Taliban
Given the transnational makeup and illicit nature of al Qaeda’s operations, the
Internet has complemented the organization’s “fuzzy” structure and served its needs
handily. The Net is becoming a major weapon in al Qaeda’s bid to win supporters to its
cause, keep its decentralized structure, galvanize its members to action, and raise funds.
As Middle East expert Paul Eedle argues, “The Web site is central to al Qaeda’s
strategy to ensure that its war with the U.S. will continue even if many of its cells
across the world are broken up and its current leaders are killed or captured. The site’s
function is to deepen and broaden worldwide Muslim support, allowing al Qaeda or
successor organizations to fish for recruits, money and political backing. The whole
thrust of the site, from videos glorifying September 11 to Islamic legal arguments
justifying the killing of civilians, and even poetry, is to convince radical Muslims that,
for decades, the U.S. has been waging a war to destroy Islam, and that they must fight
A widespread network of Web sites is used to feed directions and information from
those at the top of al Qaeda to supporters and sympathizers around the world. Lectures,
taped announcements, videos of terrorist attacks, guidebooks, and manuals are being
spread by al Qaeda’s Web sites, forums, chat rooms, and online bulletin boards. 5 With
Eedle, Paul, “Terrorism.com”, The Guardian, July 17, 2002,
Mark Ward, “Websites Spread al-Qaeda Message,” BBC News Online, December 12, 2002,
G. Weimann / WWW.AL-QAEDA: The Reliance of al-Qaeda on the Internet 63
Net access spreading swiftly across the Middle East, the audience for the online
campaign is steadily growing. According to Eedle, “The Internet is an ideal tool for a
network like al-Qaeda. It is not a matter of a few radical-sounding messages posted on
the odd bulletin board; it’s a very wide array of Internet sites and message boards … Al
Qaeda has much wider ambitions than just setting off explosives. It is trying to
mobilize the whole Muslim world against the West.” 6 Many of the sites associated with
al Qaeda gain credibility by demonstrating in various ways their close links with the
organization. Certain “fingerprints” in graphics and text clearly indicate whether the
sites indeed have ties with al Qaeda. Evidence of direct links between al Qaeda and
some of the Web sites is sometimes subtle to detect, but in many cases there is little
doubt that this group is the source of the material. However, al Qaeda openly
acknowledges the importance of the Internet as a propaganda tool, as it did on one of
its numerous websites:
“Due to the advances of modern technology, it is easy to spread news, information,
articles and other information over the Internet. We strongly urge Muslim Internet
professionals to spread and disseminate news and information about the Jihad through
e-mail lists, discussion groups, and their own Web sites. If you fail to do this, and our
site closes down before you have done this, we may hold you to account before Allah
on the Day of Judgment … We expect our Web site to be opened and closed
continuously. Therefore, we urgently recommend any Muslims that are interested in
our material to copy all the articles from our site and disseminate them through their
own Web sites, discussion boards and e-mail lists. This is something that any Muslim
can participate in, easily, including sisters. This way, even if our sites are closed down,
the material will live on with the Grace of Allah.” 7
The online propaganda strategy of al Qaeda, like its approach to online planning
and coordination, takes advantage of the speed, anonymity and interactivity of the
Internet. Al Qaeda’s sites are maintained by group members and supporters who are in
direct contact with the members. Many sites are registered or hosted in Europe, Asia, or
even the United States (according to a July 2004 survey, 76 percent of Islamic terrorist
Web sites are hosted by American companies). 8 Many of these Web sites are anti-
American and anti-West: “The Muslims know that America only wants to fight Islam
and to liquidate everyone who acts according to the Islamic Shariah, because America
knows that the biggest danger to it and for the Jews is Islam and its believers,” states
the Azzam Publications site that features more than four dozen celebratory biographies
of “Foreign Mujahideen Killed in Jihad.” The Azzam Publications site promotes the
book edited by the convicted mastermind of the 1993 World Trade Center attack,
Sheikh Omar Abdel Rahman, and another written by bin Laden’s mentor, Abdullah
Azzam. The Al-Maqdese site markets the book called Strengthening the Legitimacy of
the Ruin in America, which uses Islamic juridical arguments to justify the September
From the (al Qaeda) Web site Azzam, cited in Jihad Online: Islamic Terrorists and the Internet,
published by the Anti-Defamation League (ADL), 2000, at:
See “Islamist Websites and Their Hosts Part I: Islamist Terror Organizations” (online report, MEMRI,
July 2004), http://www.memri.org/bin/articles.cgi?Area=jihad&ID=SR3104
64 G. Weimann / WWW.AL-QAEDA: The Reliance of al-Qaeda on the Internet
Al Qaeda’s Dynamic Presence on the Net
One weapon against terrorists’ use of the Internet is direct assaults on their Web sites;
however, all efforts to prevent or minimize al Qaeda’s use of the Internet have proved
unsuccessful. In the late 1990s, when this project began, al Qaeda had one Web site
(www.alneda.com). Today, though the original site was hacked, al Qaeda is present in
hundreds of Web sites. If an al Qaeda site is taken offline by a counterterrorism agency,
by the Internet Service Provider hosting it, or by hackers, it will reemerge on the server
of another service provider. U.S. officials were searching the Internet for the
reappearance of alneda.com, the original Web site used as a mouthpiece by al Qaeda
terrorists. It was registered in Singapore and appeared on Web servers in Malaysia and
Texas before it was taken off at the request of U.S. officials. Then it changed its name
and URL every few days, forced to move from server to server by citizens who
complained to the ISPs hosting the sites. Then, in late 2002, al Qaeda lost the Internet
domain: it expired and was acquired by a private citizen. The Alneda site operators
tried to reappear by using various server accounts that had no associated domain name.
When that failed, they started posting the Alneda site as a “parasite.” Sheikh Yousef
Al-Ayyeri, who operated this site, exploited a known “bug” in a program called cPanel,
found on many Web servers. This flaw allowed him to install his site as a “parasite” on
an existing and legitimate site. Thus, the Alneda site was posted on the hijacked Web
site until someone noticed and got the ISP to remove the illegal site. When it was
removed, the process started again. This pattern of Alneda’s presence on the Net began
in the end of September 2002 and continued until April 2003.
In April 2003 al Qaeda’s Web site reemerged, this time named “Faroq,” flying the
banner of Alneda. Although the new site and other al Qaeda sites moved regularly,
various informal means were used to pass on details of the site’s new locations,
including via e-mails, chat rooms, and announcements or links on other groups’ Web
sites. The new Web site, faroq.com, began as an al Qaeda site focusing primarily on
fighting the United States in Iraq but then transformed itself into a more general site,
including reposting content from the original Alneda site. Today, being on the run, al
Qaeda’s organization is even more virtual, which often means more dependent on the
Internet to spread propaganda and plot operations. This reliance on the free access and
use of the Net is also one of the main reasons why, despite the many blows that it
received since 9/11, the organization’s operational capabilities have not truly
The Advantages of the Net for al Qaeda
Al Qaeda’s marginalized status vis-à-vis the Western media is partly a consequence of
what Phillip Hammond refers to as ‘the media war on terrorism’. 9 Bemoaning this
‘media siege’, al Qaeda as well as other terrorist groups have turned to the Internet as
their principal ideological and practical channel of communication. Thus, proliferation
of terrorist websites demonstrated an exponential growth from 12 websites in 1998 to
Phillip Hammond, ‘The Media War on Terrorism’, Journal for Crime, Conflict and the Media
(Vol. 1, No. 1, 2003), pp. 23–36.
G. Weimann / WWW.AL-QAEDA: The Reliance of al-Qaeda on the Internet 65
over 5,500 in 2007. 10 By its very nature, the Internet is in many ways an ideal arena for
activity by terrorist organizations. Most notably, it offers:
little or no regulation, censorship, or other forms of government control;
potentially huge audiences spread throughout the world;
anonymity of communication;
fast flow of information;
inexpensive development and maintenance of a web presence; and
a multimedia environment (the ability to combine text, graphics, audio, and
video and to allow users to download films, songs, books, posters, and so
Al Qaeda is using the Internet for various purposes, targeting various audiences.
Our studies have identified at least eight different uses that can be grouped into two
categories: communicative and operational uses. Let us explain and illustrate some of
these al Qaeda uses of the Net.
The Communicative Uses
From the communicative perspective, terrorism has often been conceptualized as a
form of psychological warfare, and certainly al Qaeda has sought to wage such a
campaign through the Internet. For instance, al Qaeda uses the Internet to spread
disinformation, to deliver threats intended to instill fear and helplessness, and to
disseminate horrific images of recent actions. The Internet—an uncensored medium
that carries stories, pictures, threats, or messages regardless of their validity or potential
impact—is peculiarly well suited to allowing even a small group to amplify its message
and exaggerate its importance and the threat it poses. Since September 11, 2001, al
Qaeda has festooned its websites with a string of announcements of an impending
“large attack” on U.S. targets. These warnings have received considerable media
coverage, which has helped to generate a widespread sense of dread and insecurity
among audiences throughout the world and especially within the United States.
Interestingly, al Qaeda has consistently claimed on its websites that the destruction of
the World Trade Center has inflicted psychological damage, as well as concrete
damage, on the U.S. economy.
Another popular communicative use of the Net is for publicity and propaganda.
Until the advent of the Internet, terrorists’ hopes of winning publicity for their causes
and activities depended on attracting the attention of television, radio, or the print
media. The fact that terrorists themselves have direct control over the content of their
websites offers further opportunities to shape how they are perceived by different target
audiences and to manipulate their image and the image of their enemies. Thus, the most
visible part of al Qaeda’s online presence involves the spread of propaganda. For its
online propaganda al Qaeda is using its media production branch, called As-Sahab
Tsfati, Yariv and Gabriel Weimann. 2002. “WWW.Terrorism.com: Terror on the Internet”, Studies in
Conflict and Terrorism 25(5), pp. 317-332; Weimann, Gabriel, 2006. Terror on the Internet: The New Arena,
The New Challenges. Washington, DC: United States Institute of Peace Press; Weimann, Gabriel. 2007.
“Online Terrorism: Modern Terrorism and the Internet”. In Glaab, Sonja (Ed.): Medien und Terrorismus.
Berlin: Berliner Wissenschaftsverlag (forthcoming).
Weimann, Gabriel, 2004. WWW.Terror.Net: How Modern Terrorism Uses the Internet. Special
Research Report, Washington DC: United States Institute of Peace.
66 G. Weimann / WWW.AL-QAEDA: The Reliance of al-Qaeda on the Internet
Foundation for Islamic Media Publication (As-Sahab means “The Cloud” in Arabic).
This organization uses modern technology to produce its video statements to the world,
using semi-professional hardware. In addition to being released in Arabic, some
published videos come with English or other language subtitles, while more recent
productions include videos in English and German. Al Qaeda is also operating online
radio and television broadcasting and an additional online production facility—the
Global Islamic Media Group (GIMF), an al Qaeda mouthpiece group.
Many terrorist groups, among them Hamas and al Qaeda, have undergone a
transformation from strictly hierarchical organizations with designated leaders to
affiliations of semi-independent cells that have no single commanding hierarchy.
Through the use of the Internet, these loosely interconnected groups are able to
maintain contact with one another—and with members of other terrorist groups. The
Internet connects not only members of the same terrorist organizations but also
members of different groups. For instance, dozens of sites exist that express support for
terrorism conducted in the name of jihad. These sites and related forums permit
terrorists in places such as Chechnya, Palestine, Indonesia, Afghanistan, Turkey, Iraq,
Malaysia, the Philippines, and Lebanon to exchange not only ideas and suggestions but
also practical information about how to build bombs, establish terror cells, and carry
out attacks. Thus, al Qaeda has became an online “terrorist Internet Service Provider”
linking together various elements of the worldwide Jihadist communities. To pursue
this objective, bin Laden and his deputy Ayman al Zawahiri set up a unique structure
whose essence was to provide a global virtual network linking together thousands of
disparate human, financial, military, intellectual and technical resources. Thus al Qaeda
became “the Jihad’s Franchise”, using the Net to link terrorist groups that range from
Algeria’s “Groupe Islamique Armé” (later becoming GSPC) to Pakistan’s “Jaish
Muhammad”, the Chechen rebels, the Iraqi insurgents or the al Qaeda cells in Lebanon
Al Qaeda’s Cyber-Propaganda
Al Qaeda’s propaganda is reacting to every major event, attempting to benefit from
disasters or scandals. Even the blackout in the Northeast and Midwest of the United
States in the summer of 2003 was used by al Qaeda’s communications: Al Qaeda’s
Abu Hafs Brigades posted online their announcement claiming responsibility for
“Operation Quick Lightning in the Land of the Tyrant of this Generation,” referring to
the blackout. 12 This was the third communiqué by this group: In previous postings they
accepted responsibility for the downing of an airplane in Kenya and for the bombing of
the Jakarta Marriott Hotel on August 5, 2003. The new communiqué assured readers
that the operation “was carried out on the orders of Osama bin Laden to hit the pillars
of the U.S. economy” as “a realization of bin Laden’s promise to offer the Iraqi people
a present.” 13 The included text warned, “Let the criminal Bush and his gang know that
the punishment is the result of the action, the soldiers of God cut the power on these
cities, they darkened the lives of the Americans as these criminals blackened the lives
of the Muslim people in Iraq, Afghanistan and Palestine. The Americans lived a black
day they will never forget. They lived a day of terror and fear ... a state of chaos and
See “Al-Qa’ida Claims Responsibility for Last Week’s Blackout” (online report, MEMRI, August
G. Weimann / WWW.AL-QAEDA: The Reliance of al-Qaeda on the Internet 67
confusion where looting and pillaging rampaged the cities, just like the capital of the
caliphate Baghdad, and Afghanistan and Palestine were. Let the American people take
a sip from the same glass.” 14
Another online channel used to promote the ideological legitimacy of global jihad
is the Web site of al Qaeda’s Center for Islamic Studies and Research. This Web site
has published the bimonthly virtual magazine Sawt al-Jihad, or The Voice of Jihad. 15
The new magazine focuses on the use of violence as jihad’s only way.16 The “editorial”
by Sheikh Naser al-Najdi entitled “Belief First: They are the Heretics, the Blood of
Each of Them Is the Blood of a Dog,” calls for the killing of every American:
“My fighting brother, kill the heretic; kill whoever’s blood is the blood of a dog;
kill those that Almighty Allah has ordered you to kill … Bush son of Bush … a dog
son of a dog … his blood is that of a dog … Shut your mouth and speak with your
other mouth—the mouth of the defender against his attacker. Rhetoric might cause
Al Qaeda is also targeting women on the Net and attempts to recruit women for
terrorist attacks. One of the articles posted on al Qaeda’s website, entitled “Umm
Hamza, an Example for the Woman Holy Warrior,” tells the story of a female martyr,
the late Umm Hamza, as told by her husband: “Umm Hamza and Martyrdom: Umm
Hamza was very happy whenever she heard about a martyrdom operation carried out
by a woman, whether it was in Palestine or Chechnya. She used to cry because she
wanted a martyrdom operation against the Christians in the Arabian Peninsula.”18 The
article also carries a copy of a letter handwritten by Umm Hamza shortly before her
death. On August 26, 2004, al Qaeda launched its online women’s magazine called Al-
Khansa, named after an early Islamic poetess who wrote eulogies for Muslims who
died while fighting the “infidels”. The Web site also gives advice on raising children to
carry on the Jihad, how to provide first aid for a family member injured in combat and
descriptions of physical training women need to prepare themselves for fighting. The
main goal of the magazine seems to be teaching women married to Islamists how to
support their husbands in their violent war against the non-Muslim world. One of its
first articles reads: “The blood of our husbands and the body parts of our children are
our sacrificial offering.” 19
The Operational Uses
Beyond communications, al Qaeda is increasingly using the Internet for operational
purposes. Following the loss of Afghanistan as a sanctuary and training ground, al
Qaeda moved to cyberspace, posting thousands of pages of its training manuals online.
From the making of an IED or deadly chemical weapons to the staging of an ambush,
the Internet has now become al Qaeda’s “virtual training camp”. The Net is used by
terrorist organizations for data mining: they can learn from the Internet about the
Appeared first at http://www.cybcity.com/image900/index.htm and then changed sites.
For analysis of this magazine, see Reuvan Paz, “Sawt al-Jihad: New Indoctrination of Qa’idat al-
Jihad” (Occasional Paper 1, no. 8, published by the Project for the Study of Islamist Movements [PRISM],
“Women’s War Daily—Al Khansa Magazine and Azzam Publications Offers Handy Hints for Martyr
Moms and Newlywed Jihadis,” Militant Islam Monitor, August 24, 2004,
68 G. Weimann / WWW.AL-QAEDA: The Reliance of al-Qaeda on the Internet
schedules and locations of targets such as transportation facilities, nuclear power plants,
public buildings, airports and ports, and even counterterrorism measures. According to
Secretary of Defense Donald Rumsfeld, speaking on January 15, 2003, an al Qaeda
training manual recovered in Afghanistan tells its readers, “Using public sources
openly and without resorting to illegal means, it is possible to gather at least 80 per cent
of all information required about the enemy”. Specific targets that al Qaeda-related
websites have discussed include the Centers for Disease Control and Prevention in
Atlanta; FedWire, the money-movement clearing system maintained by the Federal
Reserve Board; and facilities controlling the flow of information over the Internet. Al
Qaeda websites use maps, diagrams and photos of potential targets downloaded from
popular web sites such as Google Earth. One captured al Qaeda computer contained
engineering and structural architecture features of a dam, which had been downloaded
from the Internet and which would enable al Qaeda engineers and planners to simulate
catastrophic failures. In other captured computers, U.S. investigators found evidence
that al Qaeda operators spent time on sites that offer software and programming
instructions for the digital switches that run power, water, transportation, and
Like many other political organizations, terrorist groups use the Internet to raise
funds. Al Qaeda, for instance, has always depended heavily on donations, and its global
fund-raising network is built upon a foundation of charities, non-governmental
organizations, and other financial institutions that use websites and Internet-based chat
rooms and forums. The Internet can be used not only to solicit donations from
sympathizers but also to recruit and mobilize supporters to play a more active role in
support of terrorist activities or causes. Recruiters may also use more interactive
Internet technology to roam online chat rooms and cyber cafes, looking for receptive
members of the public, particularly young people. Electronic bulletin boards and user
nets (issue-specific chat rooms and bulletins) can also serve as vehicles for reaching out
to potential recruits. The SITE Institute, a Washington, D.C.-based terrorism research
group that monitors al Qaeda’s Internet communications, has provided chilling details
of a high-tech online campaign launched to recruit fighters to travel to Iraq and attack
U.S. and coalition forces there.
Al Qaeda represents the worst that globalization and advanced community technologies
have to offer. Al Qaeda is a virtual “network of networks”, a Jihadist franchise
marketing its messages of death and destruction on the Internet. Even if we witness the
demise of al Qaeda, we are not likely to witness the demise of its spirit and appeal. In a
briefing given in late September 2001, Ronald Dick, assistant director of the FBI and
head of the United States National Infrastructure Protection Center (NIPC), told
reporters that the hijackers of 9/11 had used the Internet, and “used it well.” Since 9/11,
al Qaeda operatives have only sharpened their Internet skills and increased their web
presence. How should democratic societies respond to the challenge of online al
Qaeda? At least two principles seem clear. First, we must become better informed
about the use of the Net by al Qaeda as well as other terrorists, and better able to
monitor their activities. Those uses are numerous and, from the terrorists’ perspective,
invaluable. Hence, it is imperative that security agencies continue to improve their
ability to study and monitor terrorist activities on the Internet and explore measures to
G. Weimann / WWW.AL-QAEDA: The Reliance of al-Qaeda on the Internet 69
limit the usability of this medium by modern terrorists. The growing familiarity with
terrorist online discourse may guide us to use the same Internet to challenge the culture
of doom and death with an alternative discourse, with the voice of hope and humanism.
Second, while we must thus better defend our societies against terrorism, we must
not in the process erode the very qualities and values that make our societies worth
defending. The Internet is in many ways an almost perfect embodiment of the
democratic ideals of free speech and open communication; it is a marketplace of ideas
unlike any that has existed before. Unfortunately, as this report has shown, the freedom
offered by the Internet is vulnerable to abuse from groups that, paradoxically, are
themselves often hostile to uncensored thought and expression. The use of advanced
techniques to monitor, search, track, and analyze communications carries inherent
dangers. Although such technologies might prove very helpful in the fight against
cyber terrorism and Internet-savvy terrorists, they would also hand participating
governments, especially authoritarian governments and agencies with little public
accountability, tools with which to violate civil liberties domestically and abroad. It
does not take much imagination to recognize that the long-term implications could be
profound and damaging for democracies and their values, adding a heavy price in terms
of diminished civil liberties to the high toll exacted by terrorism itself.
S. Özeren / Cyberterrorism and International Cooperation 71
in other words, information warfare encompasses cyberterrorism (Taylor, Caeti, Loper,
Fritch, and Liederbach, 2004, p. 20).
According to Ron Dick, Director of NIIPC in 2002, cyberterrorism means any
“criminal act perpetrated through computers resulting in violence, death and/or
destruction, and creating terror for the purpose of coercing a government to change its
policies” (as cited in Berinato, 2002).
By combining the above concepts, cyberterrorism may also be defined as the
politically motivated use of computers as weapons or as targets by sub-national groups
or clandestine agents intent on violence, to influence an audience or cause a
government to change its policies” (Wilson, 2003, p. 4).
In her article, “What Is Cyberterrorism?” Conway defines the term cyberterrorism
as “premeditated, politically motivated attacks by sub-national groups or clandestine
agents against information, computer systems, computer programs, and data that result
in violence against noncombatant and targets” (2002, p. 436). By this definition,
Conway excludes cybercrime activities, including stealing credit card information,
sending emails with pornographic content, or hacking a Web site. Some researchers in
this area characterize an act as cyberterrorism only if the act results in destruction,
death, and/or injury, and creates fear among the public (Denning 2000, Conway, 2002).
Furthermore, some also claim that we have not witnessed the destructive aspect of
cyberterrorism yet, and therefore they suggest that cyberterrorism does not exist at all
In terms of witnessing cyberterrorism, the claim might be considered to be an
accurate one; however, there is also evidence indicating that terrorist organizations
have been considering attacking information infrastructures and other communication
networks by engaging in cyberterrorism (Devost 1995). In their article, “In Defense of
Cyberterrorism: An Argument for Anticipating Cyber-Attacks,” Brenner and Goodman
attempt to answer the question “why has cyberterrorism not yet manifested itself?” As
an answer, they review the literature. The conclude that for some people, the reason
why international terrorists have not mounted cyber attacks yet is that they do not have
the capability in terms of the technical background. That explanation is called the
“there are not enough good terrorist hackers theory,” which claims that the terrorists do
not have the computer expertise to launch such attacks, and this perspective gives the
target countries, in particular, Western countries, the comfort of thinking that they are
safe (Brenner and Goodman, 2002, p. 46). Brenner and Goodman consider two
problems with respect to that theory: First, this theory ignores the fact that the countries
where the terrorists are active have the sophistication that is necessary to launch cyber
attacks against the information infrastructure of other countries. For example, the
Pakistani hacker groups, G-Force Pakistan and The Pakistani Hackers Club and the Sri
Lankan Internet Black Tigers, a special unit of Sri Lankan Tamil Tigers of Tamil
Eelam, are credited with executing attacks that seem to be a cyberterrorism campaign
(Brenner and Goodman, 2002, p. 47). The second problem with the theory is that it
underestimates the imminent possibility that terrorists can recruit “hacker mercenaries”
who have the expertise and motivation to launch cyber attacks if they are paid (Brenner
and Goodman, 2002, p. 48). Another explanation of why we have not seen
cyberterrorism is that the leaders of the terrorist organizations come from an older
generation; therefore, they may not see that type of attack as an alternative (Brenner
and Goodman, 2002, p. 48).
Another perspective for defining cyberterrorism is presented by Devost, Houghton,
and Pollard. They define information terrorism as the “intentional use of a digital
72 S. Özeren / Cyberterrorism and International Cooperation
information system, network or component toward an end that supports or facilitates a
terrorist campaign or action” (1997). The importance of such a definition is reflected in
their statement that cyberterrorism is the “nexus between criminal information system
fraud or abuse, and the physical violence of terrorism” (1997). They are fully aware of
the fact that one of the most important aspects of defining terrorism is to include
politically motivated violence instead of defining the term with actions which may
have nothing to do with violence. However, with this definition, they want to “allow
for the inclusion of pure information-system abuse” as a new face of terrorism (as cited
in Conway, 2002, p. 437). Of course that kind of approach results in including
cybercrime activities within the context of cyberterrorism only if they are politically
In addition to these perspectives, a guide prepared by the Federal Emergency
Management Agency (FEMA) discusses the concept of cyberterrorism and presents its
own perspective as to what it is. According to the FEMA, in order for an attack to be
qualified as cyberterrorism, it should cause violence against property or person, or “at
least cause enough harm to generate fear” (FEMA, 2002).
Also, FEMA reveals the distinction between cybercrime and cyberterrorism
(2002): “Cyberterrorism is distinct from computer crime, economic espionage, and
“hactivism,” although terrorists may employ any of these forms of computer abuse to
further their agendas. The weapons of cyberterrorism computers differ from weapons
of mass destruction such as biological agents, chemical agents, and radiological agents
in that they don’t directly cause death and injury. However, acting indirectly, they can
cause serious consequences to individuals, businesses, industry, government, and the
public at large. Depending on how they are used, they can lead to injury and death.”
The definition offered by the FEMA has an important component which underlies
the definition of terrorism and cyberterrorism. An action that generates fear in the
public may become a means for terrorists; in other words, a politically motivated attack
which results in a tremendous amount of fear and panic in the public may well be
characterized as cyberterrorism, even though it does not lead to physical injury or death.
The fact is: “Anyone who could learn to fly a commercial airliner could probably
acquire the expertise to penetrate one of our critical information systems” (as cited in
Brenner and Goodman, 2002, p. 45). It is not a reasonable assumption that today’s
terrorists do not have the capability of carrying out cyber attacks. Cyber attacks by
individuals, such as hackers and other criminal entities, provide strong evidence that
the Internet can be a tool for terrorists who attempt to exploit every possible means
available to them for their cause.
Cyberterrorism as a Force Multiplier
Conventional terrorist tactics, such as car bombings, assassinations, suicide bombings,
kidnapping, and hijacking may never be replaced by cyber attacks. However, as a force
multiplier, cyberterrorism can create more effect if it is executed in concert with other
traditional terrorist actions. A good example can be the scenario created by CSIS
involving the detonation of a bomb as a conventional terrorist act and a denial of
service attack as a force multiplier (Cilluffo, 2000).
Brenner and Goodman analyze the characteristics of cyberspace and the
advantages that it provides for terrorists and other criminal entities. The first
characteristic of cyberspace is that “cyberspace is borderless” (Brenner and Goodman,
2002, p. 12). As the former CIA Director George Tenet affirms, cyberspace gives
S. Özeren / Cyberterrorism and International Cooperation 73
terrorists the operational flexibility and greater security which can be capitalized on in
many ways, including establishing networks with other terrorist organizations and
members, communicating between members, and facilitating use of the Internet as a
propaganda mechanism (as cited in Brenner and Goodman, 2002, pp. 13-14). Also,
cyberspace enables terrorists to attack multiple targets at the same time, which can
increase the significance of the attack. An interesting perspective by two authors,
Brenner and Goodman, is that cyber attacks can act as “terror multipliers,” which is a
term for force multiplier (2002, p. 26). Terror multiplier can be explained as the effect
of a cyber attack which is created by the anonymous nature of the attack source, and its
Terrorists will attack vulnerable targets, as opposed to the well-protected ones, in
order to be successful in their actions and create appropriate conditions which will
serve their cause. Vulnerability represents one of the most important concepts of this
research. Therefore, the next section focuses on the definition and detailed explanation
Typology of Cyberterrorism
There are different approaches in terms of the typology of cyberterrorism. For example,
Collin (1999) identifies three types of cyberterrorist acts: Destruction, alteration, and
acquisition and retransmission. Grabosky et al. (1998) also identifies three major forms
of cyberterrorist acts: destruction of the files, impeding accessibility to data files by
encrypting it, and significantly overloading a system, thereby impairing the system’s
Another classification of cyberterrorism, “information operations,” is presented by
Zanini and Edwards (2001, p. 41). The term they used, in fact, has the same meaning as
“cyberterrorism.” According to Zanini and Edwards (2001, p. 41), there are three types
of offensive activities terrorists can use: First, terrorists can use information
technologies such as the Internet for perception management and propaganda. Second,
by using the Internet and other computer networks, terrorists can carry out disruptive
attacks. Finally, they can use the networks for destructive purposes (2001).
Perception management and propaganda involve both influencing public opinion
and recruitment of new members. The final type of attack is the destructive attack,
which is carried out to cause actual destruction of virtual and physical systems,
including power, water, or traffic control systems (2001, p. 45). However, some
analysts argue that since these attacks may not result in loss of human life they may not
produce the same emotional reaction as traditional attacks do (Denning, 2001).
On the other hand, Ballard et al. conceptualized a more comprehensive typology of
cyberterrorism called “cyber incident typology” (Ballard, Hornik, and McKenzie, 2002,
74 S. Özeren / Cyberterrorism and International Cooperation
Table 1. Cyber incident typology
Category Definition and Explanation
Information Cyberterrorist attacks focused on altering or destroying the content of electronic files,
attacks computer systems, or the various materials therein.
Infrastructure Cyberterrorist attacks designed to disrupt or destroy the actual hardware, operating
attacks platform, or programming in a computerized environment.
Technological Use of cyber communications to send plans for terrorist attacks, incite attacks, or
facilitation otherwise facilitate traditional terrorism or cyberterrorism.
Fundraising and Use of the Internet to raise funds for a violent political cause, to advance an
promotion organization supportive of violent political action, or to promote an alternative
ideology that is violent in orientation.
Source: Ballard, J. D., Hornik, J. G., & McKenzie, D. (2002), “Technological facilitation of terrorism:
Definitional, legal and policy issues,” American Behavioral Scientist, 45, (6), 989-1016.
International Cooperation as a Tool to Confront the Cyberterrorism Threat
Cooperation with other countries must be a central part of building cyber security
(Lewis, 2003, xii). However, “The Internet does not yet have the Web of cooperation
that has been built up elsewhere” (Lewis, 2003, p. xii). There are reasons behind this
lack of cooperation. First of all, it is new to some states, secondly, some states may not
know what is needed, and finally, it touches on many sensitive issues ranging from
economic competition, privacy, and access, to national security (Lewis, 2003). In
particular, the difficulty with respect to national security and cyber security is that it is
always a question as to the extent to which free states are willing to cooperate with
other nations in national security issues while they may be required to advertise their
own vulnerabilities (Lewis, 2003, p. xix). With advances in technology, financial and
banking systems, telecommunication networks, aviation systems, and air traffic control
become more reliant on computer and telecommunication networks, which serve many
countries but are not controlled by a single country. Therefore, it may be reasonable to
claim that it may be easier to facilitate international cooperation in critical
infrastructure protection by starting with areas where the transnational connections are
very large, such as financial services (Lewis, 2003, p. xix).
Models of International Cooperation
According to Miyawaki (1999), “The ease with which the origins of cyber attacks can
be hidden, and the fact that cyber attacks on one nation can come from anywhere on the
globe, mean that cybercrime and cyberterrorism are truly international threats.” Ever
since terrorism and other types of transnational criminal activities became the main
topics in the international arena, the term ‘cooperation’ has become a focal point for
every government. In particular, bilateral and multilateral cooperation have been shown
as the most effective method to respond to transnational cybercrime and cyberterrorism.
The next section will present strategies, attempts, and efforts with respect to countering
cyberterrorism and cybercrime.
S. Özeren / Cyberterrorism and International Cooperation 75
Lukasik presents a detailed analysis of responding to transnational cybercrime and
cyberterrorism. Lukasik asserts that in order to have a successful global response, the
following elements should be in place:
A common terminology between parties involved in the incident to include
identification of the intruder’s modus operandi, the technical attack details,
and the identification of the targets
Knowledge of the technical skills of all parties involved in resolving the
Knowledge of existing agreements on how incidents of a variety of types are
to be handled
An understanding of the common and conflicting societal issues surrounding
the incidents (2001, pp. 152-153).
Later he lists the critical elements that have to be in place in order to have what he calls
a “framework for international cooperation”:
Broad membership, consisting of both the world’s most technologically
advanced nations as well as developing nations, all of whom share the benefits
and the risks of global information architectures
A voluntary and non-coercive environment based on concepts of consensus
and practical experience
Open technical standards that prevent the manipulation of information
technology for unilateral gain
An open organizational structure that provides opportunities for all
constituencies to express their concerns
A mechanism for providing continuous monitoring of actions that can
adversely impact privacy
Mechanisms for reviewing the state of information technology and its
practical implementations to enable the international framework to remain
relevant in the light of changing capabilities and requirements
Mechanisms that can assist in building trust relationships globally
Funding arrangements that can assist less developed nations in meeting their
responsibilities to protect the information commons (2001, pp. 176-177).
In terms of international cooperation, there are different forms of relationship
among governments and their related law enforcement agencies. These cooperative
1. Formal bilateral cooperation: Mutual legal assistance treaties (MLATs)
2. Informal bilateral cooperation: Individual police contacts (inter-agency
cooperation), CERTs, etc.
3. Formal multilateral cooperation: Council of Europe
4. Informal multilateral cooperation: G-8, OECD, APEC, CERT collectives.
The necessity for multilateralism emerges because countries have different rules to
regulate extradition and legal assistance as well as different substantive laws that
govern computer crime (Barkham, 2001). “Operational efforts to prevent and respond
to computer attacks must be global” and so far, the most effective international
cooperation to respond to cyber attacks have been bilateral in nature (Vatis, 2003, pp.
There are advantages and disadvantages of all of these four types of cooperation.
For example, Vatis presents some of the obstacles facing MLATs as follows: First of
all, the scope of the MLATs is narrow in terms of the number of the countries. For
76 S. Özeren / Cyberterrorism and International Cooperation
example, the U.S. State Department has mutual legal assistance in criminal matters
treaties (MLATs) in force with 19 nineteen countries. Secondly, most of these treaties
do not cover cybercrime specifically or do so in general terms (Vatis, 2003, p. 2).
Finally, application of the MLATs can be time-consuming since these may involve
more paper work and other bureaucratic procedures. This final obstacle may not be a
major problem for traditional crime when the issue is physical evidence; however, in
cybercrime, time is significant since it may take a few minutes if not seconds to destroy
evidence or lose track of the criminals (Vatis, 2003, p. 3).
In addition to the issues discussed above, there are more fundamental issues
involving international cooperation. First of all, the growth of computer technology and
reliance on these types of technologies may differ from country to country. In other
words, some countries have not yet seen such crime while others may have experienced
many such crimes; therefore, while some countries may have substantive and
procedurally clear laws regarding cybercrime and cyberterrorism investigation, others
may not have a clue as to what these concepts represent (Vatis, 2003, p. 3). The second
important reason is that it may become very difficult to distinguish cybercrime from
information warfare, given the fact that many countries are developing cyber
techniques for fighting a war or intelligence purposes (Speeches and Testimony, 1998).
Vatis considers bilateral cooperation to be more feasible and gives some of the
In February and March 1998, more than fifty civilian, governmental, and
private sector computer systems in the U.S. were affected when intruders
penetrated at least 200 unclassified U.S. military personnel and other
government computer systems. The timing of these attacks coincided with an
increase in the U.S. military presence in the Middle East. The NIPC, working
closely with the Israel’s law enforcement, identified two people in Cloverdale,
CA, and individuals in Israel who were the true perpetrators
In February 2000, the NIPC received reports that CNN, Yahoo, Amazon.com,
e-Bay and other sites had been attacked through Distributed Denial of Service
(DDOS), in which intruders took over the networks. The investigation has
been carried out by the NIPC with the cooperation of the companies. The
attacks have been traced to Canada. The NIPC has worked with the Royal
Canadian Mounted Police (RCMP), and to arrest a juvenile, called
In May 2000, individuals and companies around the world were attacked by
the “Love Bug” or “I LOVE YOU” virus. The NIPC investigated the incident
and identified the suspect by tracing the attack to the Philippines. The FBI,
working closely with the Philippines’ National Bureau of Investigation,
identified the suspect, Onel de Guzman (2003, p. 7)
These are real world examples of bilateral cooperation between law enforcement
agencies from two different countries. They are promising in the sense that they prove
that working together creates results.
Cuellar focuses in one article on the importance of the international treaty in terms
of responding to cybercrime and cyberterrorism. He summarizes the effect of a treaty
with respect to its political consequences which may advance the underlying goals of
security and safety: a) deterrence of specific offenses: treaties among states allow for
extradition and prosecution, which will marginally enhance deterrence against
cybercrime and cyberterrorism. In other words, cyber offenders in general will be
deterred from committing cybercrime since jurisdictional difficulties in the
S. Özeren / Cyberterrorism and International Cooperation 77
investigation of the offense will be removed with treaties. b) International cooperation
for legal cooperation: A treaty will encourage cooperation between signatory countries’
law enforcement entities. c) Enhancing prospects for technical cooperation beyond the
boundaries of the treaty: Since the treaty will be a starting point for having an
international consensus as to which actions define cybercrime or cyberterrorism against
civil aviation, eventually law enforcement and other entities responsible for
investigating and prosecuting cybercrime and cyberterrorism will go beyond the
confines of the treaty (Cuellar, 2001, p. 121).
Public and Private Cooperation
“The Internet and other aspects of the information infrastructure are inherently
transnational” (Sofaer and Goodman, 2001, p. 2). The transnational nature of
cybercrime and cyberterrorism requires that the public and the private sectors work
together and cooperate.
“The most active international cooperation for cyber security has been in law
enforcement,” however, there has not been large scale cooperation outside of law
enforcement” (Lewis, 2003, p. xix). For example, even though critical infrastructure
protection has a law enforcement component, issues can go beyond the capacity of the
law enforcement and it becomes an issue of national security (Lewis, 2003, p. xix).
“Cyberterrorism and cybercrime could also overlap in damaging ways; groups can
steal credit card numbers or important data to damage economies and for their own
gain” (Lewis, 2003, p. xv). Localized law enforcement efforts toward cyber criminal
activities are at a disadvantage in an interconnected world due to the limited
jurisdiction that every law enforcement agency has. Nevertheless, Lewis is of the
opinion that “cyber attacks are far less damaging than physical attacks” (Lewis, 2003, p.
The next section focuses on the efforts aiming at responding to cyberterrorism and
cybercrime. The examples are both of national and international level cooperation
between law enforcement agencies as well as other international entities. They also
include public- private cooperative efforts.
Multilateral Level International Cooperation
Group of 8
The Group of 8 (G-8) countries is composed of the U.S., the United Kingdom, France,
Germany, Japan, Canada, Italy, and Russia. The leaders have been meeting annually
since 1975 to discuss issues of importance, including crime and terrorism, and the
information highway (Group of 8, 2003). The G-8 Subgroup on High-Tech Crime was
founded in 1997. In January 1997, the G-8 also set up a “24-Hour-Contact-Group” to
facilitate law enforcement communications for investigations (Group of 8, 2003). This
type of network enabled group members to foster speedy communications between and
among the members which allow them to preserve digital evidence until legal
processes can be started (Vatis, 2003, p. 3). The idea is to produce global agreements
so that there cannot be digital havens where anybody can plan and execute illegal
business (Hancock, 2003).
78 S. Özeren / Cyberterrorism and International Cooperation
The G-8 also held meetings between law enforcement and industry representatives,
and through these meetings the G-8 aims to foster cooperation, not only among the law
enforcement group members, but also industries so that each party can present their
concerns, experiences, and visions (Vatis, 2003, p. 5). These activities have had several
impacts, including being a model for larger formal multilateral efforts, and identifying
difficulties that individual states and multilateral entities may encounter (Vatis, 2003, p.
The G-8, in their meeting in 2000, published the Okinawa Charter on Global
Information Society, and indicated its commitment to the creation of international
cooperation to target cybercrime (G7-G8 Summit in Okinawa, 2000). This meeting
created another task force—the Digital Opportunity Taskforce (dot force)—in order to
integrate its efforts into a broader international approach. To this end, it was decided
that the dot force would convene as soon as possible to explore how best to secure
participation of stakeholders. This high-level task force is in close consultation with
other partners and in a manner intended to be responsive to the needs of developing
Efforts made by the G-8 states demonstrate the importance of cooperation at the
international level which may lead to the creation of a deterrent for the criminals, in the
sense that the investigation and prosecution of the criminal act will be swift and certain.
The G-8 held a meeting in Paris, France, in May 2003, and ended up with three
significant decisions with respect to critical infrastructure protection: To combat this
threat, they determined that they needed unprecedented global cooperation to protect
their information infrastructures, including computer network and communication
systems. They also saw the need to respond to terrorist and criminal threats against
them (Meeting of G8 Ministers of Justice and Home Affairs, 2003).
Council of Europe (CoE)
The Council of Europe (CoE) is an intergovernmental organization, which is made up
of forty-five European countries. In addition to these countries, states such as the U.S.,
Canada, and Japan have observer status (Council of Europe, 2003).
In 2001, the CoE drew up a Convention on Cybercrime, and non-European
countries, such as the U.S., Canada, and Japan, participated in the drafting process. The
underlying reasons behind having a convention are described by the CoE (International
Working Group, 2002). It was drafted:
Considering that the aim of the Council of Europe is to achieve a greater unity
between its members;
Recognizing the value of fostering co-operation with the other States parties to
Convinced of the need to pursue, as a matter of priority, a common criminal
policy aimed at the protection of society against cybercrime, inter alia by
adopting appropriate legislation and fostering international co-operation;
Conscious of the profound changes brought about by the digitalization,
convergence and continuing globalization of computer networks;
Concerned at the risk that computer networks and electronic information may
also be used for committing criminal offences and that evidence relating to
such offences may be stored and transferred by these networks;
S. Özeren / Cyberterrorism and International Cooperation 79
Recognizing the need for co-operation between States and private industry in
combating cybercrime and the need to protect legitimate interests in the use
and development of information technologies;
And believing that an effective fight against cybercrime requires increased,
rapid and well-functioning international co-operation in criminal matters.
The purpose of this convention was “to make criminal investigations and
proceedings concerning criminal offences related to computer systems and data more
effective and to enable the collection of electronic evidence of a criminal offence”
(International Working Group, 2002).
According to Weber, the Convention on Cybercrime establishes three general
principles to international cooperation. First, international cooperation will be provided
among the states “to the widest extent possible”. Second, the obligation to cooperate
extends not only to the crimes established by the treaty, but also to the collection of
electronic evidence whenever it relates to a criminal offense. Third, the provisions for
international cooperation do not supercede preexisting provisions of international
agreements on these issues (2003, p. 433).
The CoE has taken a more comprehensive approach by publishing and refining a
Draft on Cybercrime (Sofaer, 2001). The Draft includes a detailed description of the
concepts, computer system, computer data, and data traffic (Convention on Cybercrime,
2001). The Draft also includes several provisions which criminalize some of the
activities in the cyberspace.
The significance of that convention is that, once in force, all countries that ratified
it, including those who are non-member observer states, are required to standardize
their laws to comply with the provisions of the Convention (Westby, 2003). Especially
those countries which are signatory states are required to adopt such domestic laws in
order to establish minimum standards (Council of Europe, 2001). In Budapest, on
November 23, 2001, the CoE opened the treaty for signature by the member states and
by non-member states, including the U.S. As of December, 2002, there were 32 thirty-
two signatories and it had been ratified by Albania and Croatia (Weber, 2003, pp. 429-
Of course, there was some criticism directed towards the Draft of the Convention
regarding the issue of basic human rights and information freedom. For some, the Draft
was “contrary to well-established norms for the protection of the individual … that it
improperly extends the police authority of national governments … that it will
undermine the development of network security techniques … and that it will reduce
government accountability in future law enforcement conduct” (Ever, 2000). Some
even said this treaty will “kill the Internet” (Davis, 2003, p. 217). Nevertheless, the
convention addresses deterrence as a necessary function and it aims at swift and
efficient law enforcement efforts toward cybercrime detection, investigation, and
prosecution, all of which will protect “confidentiality, integrity, and availability of
computer systems” (Baron, 2002, p. 268). The treaty of the CoE on cybercrime is
important for a number of reasons. “The Council’s approach recognizes that
accomplishment of this goal is predicated upon finding solutions to the lack of criminal
statutes, the lack of procedural powers, and the lack of enforceable mutual assistance
provisions that result from the jurisdictional gap in cybercrime regulation” (Weber,
2003, p. 430).
80 S. Özeren / Cyberterrorism and International Cooperation
European Union (EU)
The European Union (EU) emerged from three organizations formed in the 1950s by
Belgium, West Germany, France, Italy, Luxembourg, and the Netherlands: the
European Coal and Steel Community (ECSC), the European Atomic Energy
Community (Euratom), and the European Economic Community (Sussmann, 1999, p.
479). “The EU is, in fact, unique. Its Member States have set up common institutions to
which they delegate some of their sovereignty so that decisions on specific matters of
joint interest can be made democratically at the European level” (The European Union
at a Glance, 2003). Currently there are more than twenty-five member states within the
EU. With respect to cyber security and critical infrastructure security, the EU has
published several documents. It has also created entities to respond to the challenges of
critical information infrastructure security. Among these efforts, in April 1998, the
European Commission prepared a study called COMCRIME which focused on security
of information infrastructures and combating computer-related crime (Cybercrime
European Commission, 2004). In January, 1999, the European Parliament and the
Council adopted an action plan on promoting safer use of the Internet by combating
illegal and harmful content on global networks. In 2001, the European Commission
prepared a document entitled “Network and Information Security: Proposal for a
European Policy Approach,” in which the following four conditions were presented as
key conditions in order to be successful in responding to cybercrime and information
infrastructure vulnerabilities (Cybercrime, European Commission, 2001):
The adoption of adequate substantive and procedural legislative provisions to
deal with both domestic and transnational criminal activities.
The availability of a sufficient number of well-trained and equipped law
The improvement of the co-operation between all the actors concerned, users
and consumers, industry and law enforcement.
The need for ongoing industry and community-led initiatives.
Another significant effort by the EU is the eEurope 2005 Action Plan which was
approved by the European Council in June, 2002 (Council of Europe, 2002). The
central component of the eEurope 2005 Action Plan is information infrastructure
protection (Westby, 2003), and it stresses “the importance of ensuring the appropriate
security of networks and the information that is transmitted through them for
individuals, business, administrations and other organizations” (Council of Europe,
In terms of important agencies of the EU with regard to critical information and
infrastructure protection, there is the European Network and Information Security
Agency (ENISA). The objectives of the ENISA are to facilitate and intensify European
coordination in the area of information security, provide the highest security of the
information infrastructure systems for the members, and to create common
understanding of information security among the member states in the EU (Information
Society, 2003). “The management board of the Agency will be composed of five
representatives appointed by the Council, five by the Commission, two by the
European Parliament, as well as four industry and two consumers’ representatives”
(EU News Report, 2003). The agency has a budget of 24 million euro over a five-year
period and it is intended to help the Commission and the member states cooperate more
efficiently in their responses to information security and network problems such as
S. Özeren / Cyberterrorism and International Cooperation 81
viruses and unauthorized interception of communications, computer crashes, and
information technology (IT) network failures (EU Business, 2003).
United Nations (UN)
The United Nations (UN) has increased awareness of information security, in particular,
computer related crimes. In 2000, the Tenth United Nations Congress on Crime
Prevention and the Treatment of Offenders was held in Vienna, Austria. In sum, the
meeting emphasized the importance of internationally coordinated efforts toward
preventing and responding to threats against information systems and cyber security. In
addition, it was emphasized that the exchange of technical and forensic expertise
between national law enforcement authorities was crucial for faster and more effective
investigation of such crimes (Tenth United Nations Congress, 2000). Furthermore, in
different meetings, the members of the UN expressed their concerns about the threat of
cybercrime and cyberterrorism, and proposed training programs about cyberterrorism
for the national law enforcement agencies (Security Council 4,792nd Meeting, 2003).
Asia Pacific Economic Cooperation (APEC)
APEC was formed in 1989 in response to the growing interdependence among Asia-
Pacific economies, and since then APEC has become the primary regional vehicle for
promoting open trade and practical economic cooperation (TIA Online, 2002). Asia
Pacific Economic Cooperation (APEC) established the Telecommunication and
Information Working Group (APEC-TEL), which provides coordination between the
governments, private sectors, and business of the 21 twenty-one APEC members
(Westby 2003, p. 103).
The Fifth APEC Ministerial Meeting on Telecommunications and Information
Industry was held in May 2002 in China and the members of the APEC declared the
need for economies to promote the development of advanced, secure and reliable
information infrastructures and expressed their commitment to improving the
multilateral and bilateral cooperation in the APEC region in developing
telecommunications regulatory policies, and information and network security (APEC
Shanghai Declaration, 2002). They also made clear that it is very important to establish
a legal basis to address the criminal misuse of information technologies and law
enforcement cooperation in combating that misuse (TELMIN 2002).
Organization for Economic Co-operation and Development (OECD)
The Organization for Economic Co-operation and Development (OECD) defines cyber
security in their Guidelines for the Security of Information Systems as “the protection
of the interest of those relying on information systems from harm resulting from
failures of availability, confidentiality, and integrity” (OECD, 2002).
The Guidelines for the Security of Information Systems and Networks states that
due to increased interconnectivity, information systems and networks have now
become more vulnerable to a growing number and a wider variety of threats, which
explains one of the fundamental issues in information security (OECD, 2002). By
stating “… participants, as appropriate to their roles, should be aware of the relevant
security risks and preventive measures, assume responsibility and take steps to enhance
the security of information systems and networks,” the OECD put the responsibility on
82 S. Özeren / Cyberterrorism and International Cooperation
the shoulders of every member in the organization (OECD, 2002). The OECD Council
adopted nine important principles to develop “the culture of cyber security” (OECD,
Interpol is the abbreviation for the International Criminal Police Organization. It was
established in 1956 to enhance globally and facilitate cross-border criminal police
cooperation (Interpol, 2003). Currently, there are 181 countries in over five continents
that participate. Interpol is the largest international police organization, which serves as
an entity to help member countries with their investigations involving international
Interpol, among other crimes, focuses on the misuse of information technologies
under the name of information technology crime (Interpol, 2003). Interpol has created
parties of information technology crime in regions around the world. Instead of
establishing a new division, Interpol gathered “working parties” or experts from
members of national computer crime units (Interpol, 2003). Currently there are five
major working parties that Interpol works with: a) European Working Party on
Technology Crime, b) American Regional Working Party on Information Technology
Crime, c) African Regional Working Party on Information Technology Crime, d) Asia-
South Pacific Regional Working Party on Information Technology Crime, and e)
Steering Committee for Information Technology Crime (Interpol, 2003). Among these
working groups, the European Working Party on Technology Crime, formed in 1990,
has shown significant achievements, some of which include the compilation of the
Computer Crime Manual, now called the Information Technology Crime Investigation
Manual (ITCIM), a best practice guide for the experienced investigator, numerous
training courses in order to share its expertise with other members, a rapid information
exchange system which essentially consists of two elements, and preparing training
video / CD-ROM for international law enforcement (Interpol, 2003).
European Police Office (Europol)
The Council Act of 26 July, 1995, signed up the Convention on the establishment of a
European Police Office (Europol Convention, 2003), which was established to
improve police cooperation between the member states to combat terrorism, illicit drug
trafficking, and other serious types of international crime. It became fully operational in
1999 (Area of Security, 2003). “The official inauguration of Europol in 1998 …
marked a new watershed of EU cooperation in the field of “Justice and Home Affairs”
… which reflects a shift in the direction of supranationalism and away from Europe’s
long-standing intergovernmental approach to international law enforcement”
(Occhipinti, 2003, p. 1). Europol has also the following principal tasks (Europol
to facilitate information exchange between member states;
to obtain, assemble and analyze information and intelligence;
to notify the authorities of the member states without delay of information
concerning them and of any relations identified between criminal offenses;
to assist investigations in the member states;
to keep a computerized system of collected information.
S. Özeren / Cyberterrorism and International Cooperation 83
In other words, Europol can serve as an effective mechanism in terms of
investigating crimes involving information technologies, such as cybercrime and
cyberterrorism. “It is important to emphasize that Europol will not have executive
authority, and it is important that Europol should not be viewed as a European
equivalent of the Federal Bureau of Investigation in the United States. Nor will Europol
take over from, or place any type of restraint on, national counter-terrorist agencies”
(Marotta, 2001, p. 18).
However, according to Occhipinti, recent developments indicate that the nature of
collaboration on policing in the EU has become more supranational and the EU will
move even closer to having a supranational form of police cooperation, “including a
role for Europol that increasingly resembles that of the U.S. FBI” (2003, p. 238).
This study strongly emphasizes the importance of cooperation in response to the threats
coming from cyberspace. In particular, countries with high level of vulnerabilities need
to be involved in cooperative efforts not only with those countries that are highly
vulnerable, but also with other countries with lower levels of vulnerability. Given the
fact that a cyber attack can be launched from anywhere, the source of such an attack
does not necessarily have to be a country with a high level of technological
development. This brings us to the issue of having a vested interest in expanding an
alliance to include many countries with a variety of different backgrounds.
In terms of a theoretical discussion, any country concerned with cyberterrorism
should embrace the double approach. That is, while taking every necessary step to
ensure the safety of their critical infrastructures, they should also make every effort to
achieve an inclusive partnership/alliance with other countries.
To achieve such an overwhelming task, different venues should be sought,
including formal and informal cooperation. Cooperation may involve both formal and
informal relationships, and the effectiveness of both may vary depending on the case in
question. While the desired relationship should be formal cooperation, it has drawbacks,
most notably time-consuming bureaucratic procedures, although time can be crucial for
law enforcement and other national security agencies. Particularly, investigating
cyberterrorism does not allow the luxury of spending time going through bureaucracy.
On the other hand, while informal mechanisms are efficient in terms of time, in some
countries, informal cooperation may not be approved by their governments. Therefore,
in responding to cyberterrorism or cybercrime, both informal and formal cooperation
should be put into practice, while efforts are made to lessen the bureaucratic procedures,
and this can be achieved by bilateral agreements.
Awareness is another milestone toward achieving real, concrete cooperation.
Developing awareness at the domestic and international level toward cyberterrorism
and cybercrime will help concerned parties to work with other countries. Recognizing
existing or potential risks will motivate countries to start to take necessary measures to
respond to cyberterrorism and cybercrime, to include legal, technical, and political
Another important issue with respect to policy is the legal discrepancies and/or
lack of legal measures targeting cyberterrorism and cybercrime. While countries amend
new laws or update the existing ones to compensate for the gap stemming from new
trends in responding to cyberterrorism, they also should try to establish a consensus as
84 S. Özeren / Cyberterrorism and International Cooperation
to what cyberterrorism constitutes and what the general procedures should be in terms
of handling investigations and prosecution of cyberterrorism related incidents.
Conventions, such as the Council of Europe Convention on Cybercrime—even though
there are some questions about articles in the Convention Treaty—is an ambitious
attempt toward achieving such a consensus.
In terms of facilitation of cooperation at the national and international levels, a
number of entities can play important roles. In particular, institutions such as CERT
and FIRST can be instrumental in carrying out informal and formal bilateral and
multilateral cooperation. In the area of cyberterrorism and cybercrime such an activity
at the informal level among private or public institutions can lead to formal cooperation
since informal processes can guide the development of a culture of cooperation.
Moreover, entities such as G-8 and OECD can lead other non-member countries toward
developing a certain level of awareness. While these entities do not have operational
branches, they can set the standards for future applications and strategies for
themselves and be examples for other countries. On the other hand, institutions such as
the UN and the Council of Europe can be more active organizations since they have
more member states. Also the members can be obliged to fulfill the requests from these
multilateral entities, which can be vital to achieving consensus.
In addition, developed countries can offer technical and legal assistance to other
countries; in other words, developed countries can expand the response policies by
supporting other countries. One way to accomplish a sound cooperation is to identify
regions and focus those areas. Countries such as Turkey can be a center in the Middle
East, including the former Soviet republics. Turkey can work with experts from the U.S.
and other European countries to train law enforcement in the region in the area of
terrorism and cybercrime. Given the fact that Turkey has a long history of struggle
against terrorism and organized crime, the experience can be utilized toward advancing
regional countries’ abilities and understanding of how to handle terrorism, in particular,
cyberterrorism and cybercrime.
Other critical and rather sensitive issues are national sovereignty and jurisdiction.
National sovereignty is a political issue that may be an obstacle since countries have
every right to claim their sovereignty when it comes to investigating cyberterrorism.
Respectively, the issue of jurisdiction becomes a legal issue when investigating
cyberterrorism and cybercrime, both of which are transnational in nature. To overcome
these two critical issues, existing applications from other areas can be considered.
Aviation is one of those areas that involve internationally recognized and implemented
regulations worldwide. Agreement in such an area can be a model for cyberterrorism
and cybercrime initiatives. Another application is the “European Arrest Warrant”
which can give a clue as to how the international community will overcome issues of
jurisdiction. Of course the author of this study does not imply that we need to have
such a system; however, the European Arrest Warrant can be taken as an example.
In terms of overlaps between cybercrime techniques and cyberterrorism, the study
suggests that cybercrime techniques are readily available tools for terrorists to exploit.
More importantly, technology provides ample opportunity for terrorists to expand their
operations and establish new networks with other terrorist organizations. Cyberspace
gives terrorists new tools to recruit new members and to support their activities
financially. The C-F-R-P factor is very critical in terms of responding not only to
cyberterrorism, but also to traditional terrorism. The C-F-R-P factor can, in fact, be
monitored by law enforcement and can be used to identify possible recruitment
techniques, possible new recruits, and finance sources. Also, it can provide invaluable
S. Özeren / Cyberterrorism and International Cooperation 85
information in terms of communication. It is true that not every terrorist organization
uses the Internet for communication; nevertheless, communication on the Internet can
provide leads for further investigations.
Cooperation is very critical in terms of responding to cyberterrorism. Cooperation at
the national level includes law enforcement and private sector. Sometimes overlaps in
terms of the responsibilities and authorities between different law enforcement agencies
may cause confusion. To avoid such an event, law enforcers should establish a
coordination center that will not be a supervisory unit, but a unit which will facilitate
coordination and collaboration between layers of bureaucracy. This is particularly
important in countries like the U.S., where there are numerous law enforcement
agencies with a number of laws giving authority to them. Also, implementations, such
as the U.S.’s Secret Service Electronic Crime Task Force, should be expanded across
the world. The most important aspect of such programs is that they create a sense of
trust between law enforcement agencies and the private sector. Of course, the purpose
of these programs should be to share the concerns and support each other. Finally,
increasing awareness of vulnerabilities to cyberterrorism and cybercrime can be
facilitated by training of law enforcers and the public. At the National level, documents,
such as the National Strategy to Secure Cyberspace, published by the U.S., indicated
the importance of national and international levels of cooperation to respond to threats
coming from cyberspace. It also emphasizes the importance of cooperation and
collaboration between the public and private sector to respond adequately to cyber
threats. It is true that a document, alone, may not be effective, but it may describe the
path to be followed.
While there are numerous issues regarding how to achieve sound international
cooperation, the first step toward it involves believing in establishing international
cooperation. In other words, countries should spend time and energy establishing a
general consensus as to what they should do to achieve real cooperation. Based on the
research results, while multilateral cooperation is desirable, bilateral agreements are
considered as more achievable than multilateral agreements. Therefore, countries
should focus on establishing more bilateral agreements; they also should explore new
venues to set up multilateral cooperation. To achieve real cooperation at the
international level, countries should practice real coordination and exchange of
intelligence. Formal bilateral and multilateral agreements and organizations achieve
some level of cooperation, but bureaucracy and other obstacles may slow down the
procedures which are very critical in investigating cybercrime. To solve that problem,
countries should look for ways to practice informal cooperation at least among the law
Moreover, legal measures play a very critical role in responding to cybercrime and
cyberterrorism. Laws and conventions, such as the Council of Europe Convention on
Cybercrime, are useful tools to facilitate cooperation. In order to respond to this kind of
transnational crime, having a common definition of the crime is vital. Recognizing the
importance of defining a crime according to its unique characteristics will not only ease
the investigation procedures, but also enable cooperation with other countries.
Therefore, countries should again attempt to come up with internationally accepted
definitions of terrorism, cybercrime, and cyberterrorism.
86 S. Özeren / Cyberterrorism and International Cooperation
Finally, we need to find new strategies and tactics to respond to the overwhelming
problems we face today. The global nature of the issues such as cybercrime and
terrorism requires global responses. It is necessary to look for a radical approach.
Globalization of crime, in fact, asks for globalization of law enforcement. This
statement may sound overambitious; however, given the extent and complexity of
cybercrime and terrorism, it may be underestimating the seriousness of these problems
if we claim otherwise.
APEC Shanghai Declaration. (2002). The Fifth APEC ministerial meeting on telecommunications and
information industry. Retrieved February 13, 2004 from
Area of Security. (2003). Europol Convention: European Police Office. Retrieved March 13, 2004 from
Ballard, J. D., Hornik, J. G., & McKenzie, D. (2002). Technological facilitation of terrorism: Definitional,
legal and policy issues. American Behavioral Scientist, 45,(6), 989-1016.
Barkham, J. (2001). Cyberwar, cybercrime, and cyberterrorism: A bibliographic essay. American Society of
International Law. Retrieved March 10, 2004 from http://www.asil.org/barkham.pdf
Baron, R. M. F. (2002). A critique of the international cybercrime treaty. The Catholic University of America,
Berinato, S. (2002). The truth about cyberterrorism. CIO Magazine. Retrieved on April 13, 2004 from
Brenner, S. W., & Goodman, M. D. (2002). In defense of cyberterrorism: An argument for anticipating
cyber-attacks. University of Illinois Journal of Law, Technology & Policy, 1,(57).
Cilluffo, F. J., & Pattak, P. B. (2000). Bad guys and good stuff: When and where will the cyber threats
converge? DePaul Business Law Journal, (12),131- 169.
Collin, B. C. (1997). Cyberterrorism from virtual darkness: New weapons in a timeless battle. Retrieved from
Convention on Cybercrime. (2001). Retrieved December 05, 2004 from
Conway, M. (2002). Reality bytes: Cyberterrorism and terrorist 'Use' of the Internet. First Monday, 7, (11).
Retrieved April 04, 2004 from http://firstmonday.org/issues/issue7_11/conway/index.html
Council of Europe. (2001). Convention on cybercrime. Retrieved February 15, 2004 from
Council of Europe. (2002). Council resolution on the implementation of the eEurope 2005 action plan.
Retrieved March 12, 2004 from http://europa.eu.int/information_society/eeurope/2005/index_en.htm
Council of Europe. (2003). What is what? Retrieved December 10, 2004 from
Council of Europe. (2003). The Council of Europe's Member States. Retrieved December 15, 2004 from
Cuellar, M. F. (2001). Past as prologue: International aviation security treaties as precedents for international
cooperation against cyberterrorism and cybercrimes. In A. D. Sofaer, & S. E. Goodman (Eds.), The
transnational dimension of cybercrime and terrorism (pp. 91-124). Stanford, CA: Hoover Institution
Cybercrime European Commission (2001). Network and information security: Proposal for a European
policy approach. Retrieved March 14, 2004 from
Cybercrime European Commission. (2004). Anti cybercrime legislative proposals on Council table.
Retrieved March 14, 2004 from
Cybercrime European Commission. (2004). What steps is the EU taking to combat cyber-crime? Retrieved
March 14, 2004, from
Davis, E. S. (2003). A world wide problem on the World Wide Web. International responses to transnational
identity. Washington University Journal of Law & Policy.
S. Özeren / Cyberterrorism and International Cooperation 87
Denning, D. E. (1999). Encryption and evolving technologies as tools of organized crime and terrorism.
National Strategy and Information Center
Denning, D. E. (2000). Cyberterrorism. Global Dialogue. Retrieved from
Devost, M. G. (1995). National security in the information age. Master thesis. University of Vermont.
Devost, M. G., Houghton, B. K., Pollard, N. A. (1997). Information terrorism: Can you trust your toaster?.
Retrieved September 13, 2002 from htttp://www.terrorism.com
Evers, J. (2000). The Netherlands adopts cybercrime pact. Retrieved December 20, 2004 from
EU Business. (2003). European network and info security agency set for January launch. Retrieved March 04,
2004 from http://www.eubusiness.com/topics/Rd/EUNews.2003-11-21.2957
EU News Report. (2003). new European agency for network and information security. Retrieved March 01,
2004 from http://www.iwar.org.uk/news-archive/2003/10-08-6.htm
Europol Convention.(2003): European Police Office. Retrieved March 07, 2004 from
European Union at a glance. (2003). Retrieved March 10, 2004 from http://europa.eu.int/abc/index_en.htm
Europol. (2003). Fact Sheet on Europol. Retrieved October 11, 2003 from
FEMA. (2002). Retrieved from http://www.fema.gov
Grabosky, P. N., & Smith, R. G. (1998). Crime in the digital age. Riverwood, Australia: Ligare Pty Ltd.
Group of 8. (2003). Retrieved December 04, 2003 from
G 7- G 8 Summit in Okinawa. (2000). Okinawa Charter on Global Information Society. Retrieved from
Information Society. (2003). Establishment of a European network and information security agency.
Retrieved March 12, 2004 from http://europa.eu.int/scadplus/leg/en/lvb/l24153.htm
International Working Group. (2002). Common position on data protection aspects in the draft convention on
cyber-crime of the Council of Europe. Retrieved December 15, 2004 from http://www.datenschutz-
Interpol. (2003). Interpol an overview. Retrieved March 14, 2004 from
Interpol. (2003). Interpol’s contribution to combating information technology crime. Retrieved March 14,
2004 from http://www.interpol.int/Public/TechnologyCrime/default.asp
Interpol. (2003). Regional working parties. Retrieved March 14, 2004 from
Lewis, A. J. (2003). Introduction. In J. A. Lewis (Ed.), Cyber security: Turning national solutions into
international cooperation (pp. xi-xxiii). Washington D.C.: The CSIS Press.
Lukasik, S. J. (2001). Current and future technical capabilities. In A. D. Sofaer, & S. E. Goodman (Eds), The
transnational dimension of cybercrime and terrorism (pp. 125-184). Stanford, CA: Hoover Institution
Marotta, E. (2001). Europol’s Role in anti-terrorism policing. In M. Taylor & J. Horgan (Eds.), The future of
terrorism (pp. 14-18). London, England: Frank Cass & Co. Ltd.
Meeting of G8 Ministers of Justice and Home Affairs. (2003). Public statement by the ministry of the interior,
internal security and local freedoms. Retrieved January o5, 2005 from
Miyawaki, R. (1999) The Fight Against Cyber Terrorism: A Japanese View, paper presented to the Centre
for Strategic & International Studies, June 29, 1999.
Occhipinti, J. D. (2003). The politics of EU police cooperation: Toward a European FBI?. London, England:
Lynne Rienner Publishers.
OECD. (2002). Guidelines for the Security of Information Systems and networks: Towards a culture of
security. Retrieved March 13, 2004 from
Pollitt, M. M. (1997). A Cyberterrorism: Fact or fancy? Proceedings of the 20th national information systems
Security Council 4792nd Meeting. (2003). Fight against terrorism would be long with no short cuts, Counter-
terrorism Committee Chairman Tells Security Council. Retrieved February 07, 2004 from
Sofaer, A. D. & Goodman, S. E. (2001). Cybercrime and security: The transnational dimension. In A. D.
Sofaer, & S. E. Goodman, (Eds). The transnational dimension of cybercrime and terrorism (pp. 1-34).
Stanford, CA: Hoover Institution Press Publication.
88 S. Özeren / Cyberterrorism and International Cooperation
Speeches and testimony. (1998). Testimony by director of Central Intelligence George J. Tenet before the
Senate Committee on Government Affairs. Retrieved March 10, 2004 from
Sussmann, M. A. (1999). The critical challenges from international high-tech and computer-related crime at
the millennium. Duke Journal of Comparative & International Law (9).
Taylor, R. W., Caeti, T. J., Loper, K., Fritsch, E. J., & Liederbach, J. (2006). Digital crime and digital
terrorism. Upper Saddle River, NJ: Prentice Hall.
TELMIN. (2002). Statement on the security of information and communications infrastructures. Retrieved
February 15, 2004 from http://www.tiaonline.org/policy/regional/asia/telmin5_statement.pdf
United Nations Universal Declaration of Human Rights. Article 12. Retrieved from
Vatis, M. A. (2000). The NIPC's international response to cyber attacks and computer crime. Before the
House Committee on Government Affairs Subcommittee on government management, information, and
technology Washington D.C. Retrieved March 24, 2004 from
Vatis, M. (2003). International cyber-security cooperation: Informal bilateral models. In James A. Lewis
(Eds), Security: Turning national solutions into international cooperation (pp. 1-12). Washington D.C.:
The CSIS Press.
Weber, A. M. (2003). Annual review of law and technology: VIII. Foreign & International law: A cyberlaw
cybercrime: The Council of Europe’s convention on cybercrime. Berkeley Technology Law Journal, 18,
Westby, J. R. (2003). International strategy for cyberspace security. American Bar Association.
Wilson, C. (2003). Computer attack and cyberterrorism: Vulnerabilities and policy issues for Congress.
Congressional Research Service ˜The Library of Congress. Retrieved June 10, 2004 from
Zanini, M. & Edwards, S. J. A. (2001). The Networking of terror in the information age. In J. Arquilla & D.
Ronfelt (Eds), Networks and netwars, (pp.29-60). Santa Monica, CA: RAND Corporation.
90 E. Tikk and R. Oorn / Legal and Policy Evaluation
“cyber”, as often the use of information and communication technology serves other,
maybe less vital, interests of the society, such as informational privacy, freedom of
information or access to public services.
The expression “cyber terrorism” is about an intentional negative and harmful use
of information technology for producing destructive and harmful effects. The
consequences of a network or information system may be different. In a society like
Estonia a denial-of-service attack is likely have decreased the functionality of public e-
services as its consequence. The perception of fear therefore needs to be measured by
certain characteristics of the specific society, such as dependence on ICT, and potential
conflicting interests and interest groups prepared to use extraordinary measures for
pursuing their aims.
Obviously, there is not a reasonable basis for talking about any international
agreement or consensus in terms of the expression “cyber terrorism”. However, as the
dependence on ICT is growing, and technology carries with it new possibilities for
terrorist action, the discussion on these topics needs to go on.
2. The Existing International Legal Framework
The United Nations
As mentioned above, there are several legal instruments dealing with different types of
terrorist activities. The UN-banned terrorist actions include: Offences Committed On
Board Aircraft, Unlawful Seizure of Aircraft, Crimes against the Safety of Civil
Aviation, Crimes against Internationally Protected Persons, Taking of Hostages,
Unlawful Use of Nuclear Material, Unlawful Acts against the Safety of Maritime
Navigation, Unlawful Acts against the Safety of Fixed Platforms Located on the
Continental Shelf, Making of Plastic Explosives for the Purpose of Detonation,
Terrorist Bombings, Financing of Terrorism and Nuclear Terrorism.
In addition to the above, the United Nations has launched a global strategy to fight
terrorism, in which it seeks to help its member states develop the capacity to take the
fight forward. Perhaps the most important is the ongoing coordination work done
pursuant to Security Council Resolution 1373. The UN web site gives an excellent
overview of its approach.
We might note, however, that despite all of this work, the United Nations has not
developed a single working definition of terrorism. Instead, the UN has worked ad hoc.
One could argue that the method of developing legal instruments that the United
Nations has used fails because it is too focused on building a consensus about already
employed existing methods used by terrorists. It cannot lead the fight against new
methods (such as cyber terror). Thus, we might consider using the United Nations
experience as an argument to avoid an overly reactive (rather than proactive) approach
to coping with terrorist threats.
The Council of Europe
The CODEXTER (Committee of Experts on Terrorism) pursues its work regarding the
analysis of international law and action against terrorism. The work of the
CODEXTER is currently focusing, inter alia, on the use of the Internet for terrorist
purposes, the notion of cyber terrorism, enhanced co-operation between the Council of
E. Tikk and R. Oorn / Legal and Policy Evaluation 91
Europe and its member States and Interpol, as well as on the consideration of possible
work concerning false identity information as a challenge to immigration authorities.
In the CODEXTER framework the Council of Europe has proposed possible legal
responses to cyber terrorism. Professor Sieber outlined in particular:
a) the harmonization of national substantive criminal law and of national procedural
b) the improvement of international co-operation; and
c) other important aspects, such as, inter alia, the duty to protect infrastructures/data
security certifications and preventive monitoring of data.
As regards the option of cutting off internet resources, in CoE opinion such a
restriction would be difficult to establish as various means of communication exist.
However, such an option could be applied as a sanction, for example, to a particular
server used as a safe harbour for terrorists.
Limited results could be achieved with national filtering techniques. Even if traffic
goes through central server (as in China and Iran) the flow could be controlled for the
general public but there would be many ways to avoid it. Newsgroups are also used for
the diffusion of messages of a terrorist content. Furthermore, it would be difficult to
reach an international agreement on what constitutes illegal content as the current
definition of terrorist content is very vague.
The main common problem of existing international instruments is the insufficient
number of states parties. This is especially true with respect to the Cyber Crime
Convention (ETS No. 185), as well as to the Convention on the Prevention of
Terrorism (CETS No. 196), which are the most important international instruments for
fighting cyber terrorism and other terrorist use of the Internet.
At present, serious threats to commit terrorist acts are not adequately covered
either by this Convention or by other Council of Europe conventions, and this deficit is
not fully compensated for by the instruments of other international organizations.
Considering the effects of threats to commit terrorist acts, we believe that there is a
need for action in this area – possibly in the form of a protocol to the Convention on
the Prevention of Terrorism.
Regarding the possible updating of ETS No. 185, this Convention should be
evaluated with regard to its ability to cover technological advances, particularly in the
area of forensic investigative techniques (such as online searches or the use of key
logger software). In the fast-paced technological environment of cyber crime, such
evaluations, which frequently lead to revisions and updates, are an absolutely normal
process, especially when dealing with high risks such as those posed by terrorism.
Should a decision to amend the Convention be taken, the possibility of excluding the
political exception clause for some of the Convention’s offences might also be
considered, especially in serious cases of data and system interference.
It is necessary for countries to make sure that their domestic statutes on data and
system interference provide sanctions appropriate for cases involving terrorist attacks
against computer systems. Indeed, “effective, proportionate and dissuasive sanctions”
are already required by the Cyber Crime Convention, and it can be left to national
legislatures to achieve this result by means of sentencing rules, aggravated offences on
data interference, or infrastructure offences.
Professor Sieber has proposed that international efforts should focus on developing
repressive and preventive measures that target the dissemination of illegal content on
Sieber in CODEXTER 11th report, clause 88.
92 E. Tikk and R. Oorn / Legal and Policy Evaluation
the Internet and that are both effective and respectful of civil liberties. This could be
done either with a special focus on illegal terrorist content or in a more general way
that would encompass other types of illegal content as well. As far as substantive law is
concerned, this would also require harmonized rules regarding the responsibility of
Internet service providers.
The necessary developments in the areas of criminal procedure and international
co-operation would require specific regulations based on technical control mechanisms
on the Internet that do not unduly inhibit the free exchange of information. In his
opinion, the Council of Europe, with its long tradition of balancing security interests in
criminal matters with the protection of human rights, would be the ideal institution to
tackle the difficult problems posed by the development of such international standards
and procedures for regulating illegal content on computer networks.
OSCE activities on cyber terrorism include the Joint OSCE-CoE Expert Workshop and
Ministerial Council Decision no. 3/04 “Combating the Use of the Internet for Terrorist
Purposes”. The OSCE supports the view that existing legal instruments could provide a
basis on which to fight terrorist-related use of Internet, but this legal basis was not used
sufficiently. Thus, adherence to international instruments, in particular to the
Convention on Cyber Crime and the CoE Convention on the Prevention of Terrorism,
must be promoted. There is significant difference in national approaches – in some
countries “content” offences are considered terrorist offences; in others they imply
interference with the right to the freedom of expression, which is of the utmost
importance. There are other possible actions for the monitoring of sites of a terrorist
content: the setting-up of hotlines, similar to those set up for child pornography
websites, interstate exchanges of information and the restricted use of filtering, e.g. by
educational institutions. As for requests from other states for co-operation, there should
be two options for dealing with requests – if a country cannot close a website on the
grounds of national legislation, it should at least collect information. 4
The European Union
The role of the EU in addressing cyber terrorism issues is significant in that the EU law
has internet as an object of regulation: the issues of ISP liability, fighting against spam,
personal data protection, etc., have been regulated in many EU countries directly
because of the influence of the relevant directives.
Recently, there have been attempts to also regulate on cyber crime and cyber
terrorism issues: The communication on cyber crime sets out the future approach of the
EU-wide combat against cyber crime. The policy aims to include improved operational
law enforcement cooperation; better political cooperation and coordination between
Member States; political and legal cooperation with third countries; awareness raising;
training; research; a reinforced dialogue with industry and possible legislative action. 5
11th report, 100.
A good overview of recent EU activities can be found at
E. Tikk and R. Oorn / Legal and Policy Evaluation 93
As regards different countries, the US has developed substantial means for prevention
and prosecution of cyber terrorist acts. However, the actions of the US, as of several
other nations (France, UK, Austria, Pakistan, India), which have invested in developing
a sound framework against cyber terrorism, are directed mostly to internal cooperation
and a national legal framework. Some useful ideas may also be derived for
The U.S. has stressed that the key threat to cyber security originates in the
relentless criminal attacks by organized criminals, individual hackers and non-state
actors, including terrorists. From this perspective, the benefits of cyberspace can best
be protected by focusing both on the effective criminalization by States of the misuse
of information technology and on the systematic national implementation of measures
designed to prevent damage to critical information infrastructures no matter the source
of the threat; what the U.S. calls the creation of a global culture of cyber security. In
this view, all parties (government, business, civil society) are aware of their
responsibilities and act appropriate to their roles to ensure cyber security.
An attempt to impose borders in cyberspace as a direct challenge to democratic
principles that could easily be used by governments to justify restrictions on the free
flow of information and the peaceful use of information technology.
3. The Attacks on Estonia: A Case Study
Estonia leads in the role of an e-state, not only because it has developed some new and
attractive e-services, but also because Estonians have accepted the Internet as a “human
right” and common living standard for all.
The first steps towards the e-state were initiated by the Estonian private sector after
gaining the independence in 1991. The banks were the first entities to introduce and
promote Internet-based solutions, as it was crucial for them to gain the market and
reach also the distinct rural areas. Together with the introduction of electronic Internet-
based banking solutions, the access to the Internet was made easy by the government
initiative called the “Tiger Leap”, whose aim was to provide free Internet stations at
schools and public libraries. This solved also the banks’ dilemma whether they should
introduce check books or electronic banking cards with coherent code cards for Internet
banking, working a way ahead towards all new Internet-based e-solutions.
The second important step was the creation and development of the national
population registry, which was started by the change of currency from Russian roubles
to Estonian croons on 1992. The population registry marked the beginning of the era of
digital databases and information systems which has by now developed into a
nationwide state information system with its functional infrastructure – data exchange
layer, distributed information systems functionality, and different hardware and
software components like portals, elements of public key infrastructure (PKI),
governmental databases and information systems.
In Estonia, the state information system is regarded as a service-centred
organization, meaning that all operations performed by civil servants, entrepreneurs,
citizens as well as software are considered services. Thus, the state information system
94 E. Tikk and R. Oorn / Legal and Policy Evaluation
is a common service space, which relies on the support systems for the maintenance of
databases and is administered with the assistance of the administration system for the
state information system. Information systems of different organizations communicate
with each other through services, and offer services to citizens and enterprises via the
State Portal “eesti.ee” (though, for the time being, a considerable number of services to
the end-user are provided directly via the organizations’ own portals).
Since users of the state information system may not be very interested in the
structure of the state, but rather in their legitimate right to use services, state authorities
have been obliged to co-operate and ensure the functioning of the state information
system as an integral whole, whereby common single point entries operate in
collaboration with state information systems. Uniform authentication of users is
ensured by the Estonian public key infrastructure (PKI), where the ID-cards are used as
strong authentication measures.
Public services in Estonia are considered to be services provided by a service
provider (for instance an organization) to the end-user, who could be either a citizen or
an organization (including public bodies, enterprises). In addition to public services,
the service space contains nested services that do not necessarily have an independent
meaning for the end user but are used as a part of a public service operation process for
the provision of some other services. In the common service space, services are
provided by central and local government agencies as well as private companies and
third sector organizations. All of them, as well as individuals, are also users of services.
When using public services, the common service space allows individuals to represent,
within the limits of their authority, both themselves and the companies they work for.
For instance, the social security services (altogether 11) are all made on-line.
Important is that these services are fully digitalized – services are used 100% online –
which means that the applications on paper are not possible. In case a person lacks the
knowledge or does not possess a computer, it is possible for him/her to turn to the
public official who will carry out the administrative process on-line on the basis of
his/her ID number. One very good example is the parental benefit on-line: before the
year 2005 there were seven different documents involved in the process of providing
parental benefits. Seven different inquiries in different ministries and agencies were
supposed to be made (the Tax and Customs Office, the Register of Social Insurance
Board (several times in different stages of the application), his/her employer, the
population register and the vital statistics office). Inquiries had to be made personally,
according to opening hours, and taking into account the (sometimes) long queues. The
process normally took two months.
Now it is all done on-line. Five different information systems process the data,
inquiring into it itself, and visualizing the service in the state’s portal “eesti.ee”. The
whole process takes approximately five minutes.
In the use of data services, the application of the data exchange layer (X-Road)
allows transition from an architecture that is based on bilateral agreements to that based
on multilateral ones. Such an approach reduces the number of connections between
information systems and facilitates the management of communication between them.
Organizations providing and using services over the data exchange layer can be
authenticated in a standardized manner and the data exchange between them is secure.
Service providers are obliged to ensure the quality of their service, i.e. systematically to
perform operations necessary for guaranteeing that the service complies with the
requirements established for it. All services provided by the state information system
E. Tikk and R. Oorn / Legal and Policy Evaluation 95
are described by service providers in the state information systems’ administration
system, where they are available for all interested parties.
A part of the description can be published in the public web. Strict rules have been
established for a service description published in the state information systems’
administration system. It should contain at least the syntax and protocol of the service,
the service provision policy (based on which principles, to whom, and for which
purposes the service is provided), and the quality indicators of the service – its
functionality, reliability and efficiency – these are necessary for evaluating and
ensuring the quality of the service.
Therefore the state information system, taken together with its integrated databases
and information systems, could play a crucial role in the context of an information war
and cyber terrorism. It is not possible to point out some information systems that are
more vulnerable to attack than the others, because it forms an integral whole together
with the private sector information systems (mostly the banks, insurance companies,
and stock exchange).
The loss of this freedom of information could affect many if the appropriate
countermeasures are not taken on time. These countermeasures can be technological,
geographical or even educational; their aim is to secure and protect the social order of
the state. In a context where some integrated electronic services are provided only on-
line, without any piece of paper involved, it is important to have the possibility of using
alternative means of communication, which in some cases can only mean turning back
to the paper-based administration. But then again, in ten or more years it could be
rather difficult to turn back to those long and rigid administrative processes.
The fact Estonia is considered to be dependent on the Internet and electronic
services means that it also forms a perfect test base for cyber attacks and information
warfare, as is the best shown in numbers. The concrete numbers say that 98% of
Estonia is covered with Internet penetration: fixed line, broad band, WiFi and KÕU,
which stands for the MNT-based mobile wireless Internet. Basically, the Internet has
been brought into everywhere where people live and travel, leaving some small areas
out because of the hills and forests. Mobile phone penetration is approx. 98%. It is also
true that more than 2/3 of the population in Estonia uses the Internet on a daily basis,
and 95% of the banking operations are carried out electronically. In the year 2007 (tax
year 2006), 80% of natural persons’ income declarations were declared electronically –
this year it is expected to reach 90%. The usage of m-parking (mobile parking)
constitutes approx. 50% of the total income gathered from parking fees, and about 90%
of the performers of state examinations received their results via SMS.
The data exchange layer X-road provides data services for over 70 states’
information systems, which altogether are providing more than 1,000 different
combined electronic services. More than 450 public sector organizations and 30,000
entrepreneurs use X-road every day via the states’ portal (eesti.ee) and over 500,000
citizens have used public sector services via X-road. The traffic on X-road has grown
by 10 times every year.
ID cards have been issued to 83% of the population and they are going to replace
all other authentication measures by July 2008 for security reasons (this requirement
involves also the private sector, i.e. banks). Mobile-ID was introduced this spring and
is already used by thousands of citizens. Mobile ID is similar to the ID card, providing
mobile access, identification and authorization, and it was developed to be an
alternative measure to overcome the loss or possible denial of service by ID card.
96 E. Tikk and R. Oorn / Legal and Policy Evaluation
3.1. Overview of the Cyber Attacks against Estonia
From 27 April to 18 May 2007, Estonia fell under a cyber attack the like of which had
not been seen anywhere in the world before. The cyber attacks that were launched this
spring targeted both key governmental and private web sites, meanwhile selecting
some critical information infrastructure targets while using a wide array of offensive
techniques. At the highest moments, the amount of cyber traffic from outside Estonia
targeting governmental institutions was almost 400 times higher from its normal rate.
The cyber attacks’ implementation had two distinctly different phases. The first
phase took place from 27–29 of April 2007 and was considered rather emotional as the
attacks were relatively simple Denial of Service (DoS) attacks against government web
servers and Estonian news portals. Many Estonian news portals went off-line for a
period of time during the beginning of the conflict. There were also a few cases of
targeted web defacement attacks where the information on web sites was changed and
Figure 1. The attacks as monitored by CERT Estonia, April 27-28
The campaign which launched the attacks included the following information:
“9th of May a massive attack is planned against Estonian web sites. Action needs the support of the
people. The reasons you all know. If possible, don’t remain in stand by! Our ambitious plan is to overload
and lose Estonnet.”
E. Tikk and R. Oorn / Legal and Policy Evaluation 97
The propaganda was easily found from Google and read as follows: “
! chtoby internet u nih zavis!”
“ “site:.ee ”(
( !!!), ( -> -> cmd)
“ping -n 5000 -l 10000 _ -t”. . !!!
: “ping -n 5000 -l 1000 www.riik.ee –t”, and “just run this script.”
“ ( ?),
DNS SMTP .
DOS- . , ,
100 . ,
These instructions followed:
echo Pinguem estonskie servera, chtoby internet u nih zavis!
ping -w %PING_TIMEOUT% -l 1000 -n %PING_COUNT% sunic.sunet.se
snip out long list of targets
ping -w %PING_TIMEOUT% -l 1000 -n %PING_COUNT% ns.gov.ee
ping -w %PING_TIMEOUT% -l 1000 -n %PING_COUNT% mail.gov.ee
The first phase was followed by the main attack, from 30th of April until 18th of
May. It can be said that the second phase was much more sophisticated because of the
use of larger botnets and the professional coordination of all of the attacks that
appeared. Most dangerous were Distributed Denial of Service (DDoS) attacks against
critical national information infrastructure, which were sometimes temporarily
successful. For example, the two biggest banks in Estonia came under heavy DDoS
attacks, of which one lasted for almost two days and on-line services were unavailable
for several hours.
Several attacks were also performed against critical routers at the Internet Service
Providers level, which did manage to disrupt the government’s Internet based
communication for a short period of time. Large scale DDoS attacks were also
organized against government web sites. Some of the sites experienced difficulties and
temporary loss of service.
Fortunately none of the attacks were targeted against the state’s information
system or its most important central components, and those which were affected were
working again after some hours.
98 E. Tikk and R. Oorn / Legal and Policy Evaluation
Figure 2. The first week-end
3.2. General Assessment of the Attacks
In all, there were two separate phases that were tied together by the same political event.
The attacks came in waves, with strongest ones coordinated for politically significant
dates. For example, the most massive attack wave on the 9th of May coincides with the
day of the victory in WW II is celebrated in Russia. Based on available information, the
work of vital databases, systems or registers of public and private sector was not
disturbed. The main objective of the politically motivated attacks was to bring down
the Internet system by overloading it.
It is not clear which persons, groups or organizations were behind the attacks. The
anonymity of the Internet makes it difficult to identify a specific attacker. The only
known self-proclaimed attacker so far is a commissar in the pro-Kremlin Russian youth
group Nashi. However, it’s possible to affirm that while the first phase was mainly an
emotional and spontaneous response of simple hackers to the political events, highly
skilled cyber attack specialists were involved in the second phase. Many attacks in the
campaign were well coordinated, which usually requires significant resources. 7
3.3. Estonian Legal Responses to the Cyber Attacks
On the basis of the recent attacks against Estonian computer systems and the
Communication of the European Commission from May 2007, regulating the general
Evaluation of the situation by the Ministry of Foreing Affairs of Estonia.
E. Tikk and R. Oorn / Legal and Policy Evaluation 99
Figure 3. Measuring the amount and capacity of the attacks
Figure 4. Paid botnets time ended shortly after midnight
policy of fight against cyber crimes in the EU, the Estonian Government has begun to
analyze regulations on cyber crime and related legal fields in national as well as
international law. Estonians hold the opinion that additional protection measures should
be taken with respect to certain critical infrastructure and computer systems which are
used to provide public services.
It is difficult to tell the Estonian case study in legal terms – as there are no suitable
terms available. Instead, we will next present the legal framework of what happened,
together with solid facts.
100 E. Tikk and R. Oorn / Legal and Policy Evaluation
In terms of the existing cyber crime framework, Estonia suffered denial-of-service
attacks against governmental, and to some extent also private, networks. Also, few
defacements of websites took place. Loading extra traffic to websites is nothing new or
extraordinary in itself.
It is the context of the April events that needs to be clarified in order to justify the
terms like “cyber war” and “cyber terrorism”, often used by the Estonian and also
foreign media and politicians. The term “fear” obviously has many characteristics in
common for every nation in the world, but at the same time depends on the political,
historical and other factors individual for a specific country.
The cyber attacks were investigated based on national criminal law. As there is
currently no specific provision in the Estonian Penal Code about computer crimes as
terrorist crimes, the investigation followed the rules of criminal proceedings. Estonia
obtained the cooperation of several countries during the investigation. Charges were
pressed against one person residing in Estonia and requests for legal cooperation were
submitted to Russian Federation.
At this point the criminal proceedings faced the first significant drawback: As
Russia has not criminalized computer crimes, the requests for cooperation remained
unanswered. This means practically that the Estonian authorities have no legal or other
means to continue the investigation.
Without an investigation there is in practical terms no prosecution. When it comes
to prosecution, the maximum penalties imposed for computer crimes are up to one year
imprisonment. Again, the drafters of the Penal Code as well as the Cyber Crime
Convention never viewed these acts as (publicly) organized and activity targeted on
interests other than financial.
Even if cross border criminal proceedings are possible, it would be difficult to get
to prosecution as there is no general agreement on what data the communication
service providers need to gather or submit to the authorities. To convict a person, the
evidence has to indicate that person’s direct involvement in the committing of the
crime. Normally, preparing a compute crime, providing assets or resources, or training
for it are not sanctionable actions.
The case would be different when reviewing the same action as a terrorist act. In
cases where a terrorist purpose for the actions can be determined, the means of
investigation and prosecution improve.
The Estonian national law has been reviewed on a much broader plane. We have
introduced computer-related crimes as possibly terrorist acts and thereby provided for a
more efficient set of investigation and prosecution tools.
In the EU legal framework strict rules apply for personal data processing. The
provisions on processing personal data require a sound legal basis for each action
performed by public authorities. Therefore, the legal capacity and tasks of different
authorities have been reviewed to create a transparent chain of reaction, and also to
provide more legal certainty in terms of information privacy.
As a country with high IT-ego, Estonia has comprehensive provisions on the
publication of public sector information. Every governmental authority is obliged to
maintain a website and post more than 30 categories of information on it. The potential
threat of loss of information or unwanted publication has determined the need to review
the IT legal policy and legal regulation of information systems.
Another area of legal attention is the rights and obligations of internet and other
communication service providers – as long as no understanding exists of what units of
data need to be logged and saved, there is no certainty that this information will be
E. Tikk and R. Oorn / Legal and Policy Evaluation 101
readily available for investigation. Therefore the legal framework of rights and duties
of ISPs has been thoroughly revised.
Other less comprehensive amendments concern law on electronic communications
in general, state secrets regulations, additions to IT legal policy and an additional
systematic approach to cyber defence issues in state defence law. As a consequence of
the April events, Estonia has revised the whole legal framework with a view to
potential attacks and their impact on society.
One must keep in mind that regulating an area so new and developing is dangerous.
Laws must be viewed as stabilizing and balancing factors in the community and
therefore over-regulation or legislation of poor quality may lead to even more loss of
control than any cyber attacks. Therefore the cyber security legal expert group has
introduced several instruments of draft law and self-regulation (information system
security auditing, consulting processes, contractual cooperation between public and
private sector, etc.).
As the work of the legal expert group is still ongoing, we will introduce one of the
interim results, namely the Estonian initiative at the EU.
3.4. The Estonian Initiative in the EU
We are currently preparing a draft in order to amend the Estonian Penal Code, but we
also consider bringing up that issue and initiating possible legal changes on the
European Union level. The act concerned would be the Framework Decision from the
24th of February 2005 on attacks against information systems 2005/222/JHA.
Although in many EU member states attacks against computer systems may in
certain cases be treated as terrorism, we find that at present it would be necessary to
amend the Framework Decision on attacks against information systems. Currently the
framework decision covers all attacks, whatever their range and aim. The Framework
Decision includes only minimum standards and member states can lay down additional
regulations in their national law.
The concept of “cases which are not minor” is used in Article 3 (Illegal Access to
Information Systems), or Article 4 (Illegal Interference with Information Systems) of
the Framework Decision. In point 13 of the preamble of the Framework Decision it is
noted that the aim is to avoid over-criminalization, particularly of minor cases. Point 15
provides that it is appropriate to provide for more severe penalties where such an attack
has caused serious damages or has affected essential interests. Thus member states
have some flexibility in deciding which cases are important and which not. Therefore,
in order to harmonize the law and practice of member states on the EU level, the
framework decision should be amended in such a way that attacks which are directed
against the critical infrastructure and attacks which threaten public services would be
treated as involving aggravating circumstances.
Currently the Framework Decision does not differentiate between the various
kinds of attacks against information systems – it is of no importance whether these are
directed against public or private information systems. But the impact of disrupting and
hindering these systems differs greatly when state and public interests are concerned.
The framework decision should be amended in such a way that attacks against vital
spheres (critical infrastructure) would always be punished as a crime, and a more
severe penalty than usual would be imposed in these cases.
102 E. Tikk and R. Oorn / Legal and Policy Evaluation
Based on the above, Estonia has proposed to make the following addition into the
Framework Decision on attacks against information systems (2005/222/JHA), Article 7
(Engraving circumstances), p.3:
“3. All member states take appropriate measures to ensure that offences listed in
articles 2–4, which are directed against critical infrastructures or disturb the providing
of public services, are punishable with criminal penalties of a maximum of at least
between two and five years imprisonment.”
Such a proposal is not entirely new. When the Commission presented the
Framework Decision COM(2002) 173 final form on 19.04.2002, its Article 7
(aggravating circumstances) included a regulation according to which one of the
aggravating circumstances was the causing of substantial damage to critical
infrastructure of a member state.
As there are currently discussions going on in regard to Commission proposal
COM 2006 (787): “Proposal for a directive of the Council on the identification and
designation of European Critical Infrastructure and the assessment of the need to
improve their protection,” we are on the opinion that, after it is adopted and an
agreement has been reached on the definition of the critical infrastructure, it would be
appropriate to make the amendments to the Council Framework Decision
2005/222/JHA as well.
Estonia sees the need for the fight against cyber crimes in the EU in much broader
terms than that. We believe that the impact of cyber crimes on the competitiveness of
the EU would need a more through analysis and that it should be discussed in the
framework of the Lisbon Process. The adequacy of the EU legal basis in regard to new
dangers should be studied in that context.
The Internet will be a perfect battlefield of the 21st century as countries develop more
dependence on the networks, and new generations feel more and more comfortable and
skilled in using all the features of ICT. Countering cyber threats requires a significant
increase of assets in terms of improving awareness, training, investments in technology,
as well as advancing conceptual and doctrinal approaches. Increased dependence on the
Internet, on-line services, and on critical information infrastructure in general, makes
modern societies increasingly vulnerable. Politically motivated cyber attacks pose a
challenge to governments, as cyber attackers are attempting do destabilize the society.
As Estonia was the first EU member state to suffer massive and coordinated cyber
attacks, in May this year, Estonia has a special interest in the subject, and we would
like to take an active part on the international level in developing a policy against cyber
crimes. Cyber crime and cyber terrorism is not a problem specific to Estonia, but a new
danger, to which any developed country in the world using actively IT systems could
become a victim. This danger should not be underestimated. The first priority for
achieving cyber security should be the further development of international as well as
national legal systems.
As a result of effective political propaganda, a significant number of people could
be motivated to launch a massive cyber attack almost instantly. Hence it is possible to
inflict serious damage to critical information infrastructure even in case of ad hoc and
amateur level attacks. For example, blocking all cyber traffic coming from outside a
state is one of the countermeasures against cyber attacks. This might cause an
E. Tikk and R. Oorn / Legal and Policy Evaluation 103
information blockade for the attacked one. However, an information blockade might be
the main goal for the attacker. In such a case a defensive action becomes a tool in
achieving the objective for the attacker.
Therefore, fighting cyber terrorism is not only about ad hoc reactions or even
concerted reactions. There is often no time to react when under attack. Therefore,
proactive measures will be increasingly important in combating cyber terrorism.
Cyber attacks could have military consequences if a considerable amount of
military technological systems are dependent on civil telecommunication services. It is
possible that terrorist groups or rogue states will include cyber attacks in their arsenal.
The usability of the existing political, diplomatic and legal framework is limited as it is
difficult, if not impossible, to track down the origins of an attack. Dealing with the
cyber attacks is even more complicated as there is no common definition of the
The only effective way to fight cyber attacks is through strong co-operation within
the international community (similar to terrorism and drug trafficking). Efficient
response to cyber attacks requires a rapid reaction, pre-existing international
arrangements between states, and between a state and its private entities.
It is vital to create and understand the legal environment of cyber warfare/cyber
terrorism and other related items. Nations should exchange information and lessons
learned concerning the cyber attacks.
Y. Shahar / The Internet as a Tool for Intelligence and Counter-Terrorism 105
Moreover, without the internet, the radical groups making up the global jihad’s
cadre of militants would remain a widely dispersed and isolated group of cells that
happened to claim the same historical roots. It is the internet which has “globalized”
the jihad movement. The network of global jihad is a product of the communications
revolution. But of course, the same can be said of Microsoft. The internet has changed
the way large organizations operate, be they multinational corporations or political
movements. The internet is a facilitator of globalization and the global jihad is by
definition a global movement.
The internet supplies the jihad movement with more than its recruiting and
propaganda interface. It also provides the organization with the means for ideological
growth and the exchange of ideas. Without free and open communication, a movement
of this size breaks down. The jihadi online presence is literally the physical brain of the
global jihad movement.
The very openness and accessibility of this medium provides the intelligence
community with a wealth of material for foundation intelligence and analysis. This
resource has been neglected in recent years due to lack of qualified researchers and
linguists. The key to countering these problems may lie in harnessing the power of the
private and academic sectors as unofficial research arms of the counter-terrorism
1. The Internet as Training Camp: To Shut Down or to Tune In?
A common refrain over the past few years has been the constant complaint that the
terrorists are “winning the battle in cyberspace.” They’re technologically creative,
highly mobile, unfettered by either moral or bureaucratic constraints. They’ve got
websites out there to fight their battle for the hearts and minds of supporters and
potential supporters, to terrify their enemies, and in general “win friends and influence
people.” And of course, you can’t shut them down. If you close down a website,
assuming that you can persuade the service provider to do this, then you can be sure it
will just pop up again somewhere else.
It was some time before the analysts began suggesting that, instead of engaging in
the futile effort to close down websites, we should make full use of the potential to
learn about our enemy from what they say about themselves, and even more
importantly, among themselves. After all, a good intelligence agency should make a
point of reading everything that the enemy writes, squeezing every drop of information
on the opponent’s psychological state, tactical capabilities, and strategic planning. This
is what intelligence agencies do. Only it wasn’t being done—or wasn’t being done very
well—with regard to the vast publishing empire of the internet. And with good reason.
The sheer number of websites out there dealing with stuff that we should know about is
daunting. Its content is ever changing. And of course there are linguistic issues, as well
as cultural issues. To really make sense of it all would require the services of a
veritable army of qualified personnel, and would be far beyond the budgetary—not to
mention the bureaucratic—capabilities of most intelligence agencies.
But such an army of personnel does exist, even if it’s a modest and rather irregular
army. Independent research bodies and individuals have been monitoring terrorist
websites and listening in on jihadist forums for years. Some of these people are
contributors to the current volume—people like Gabi Weimann, who catalogued
106 Y. Shahar / The Internet as a Tool for Intelligence and Counter-Terrorism
terrorist websites long before it became fashionable to bemoan the terrorists’
subversion of the internet; or the folks at MEMRI, who’ve been translating relevant
documents for years. Aharon Weisburd has been sleuthing into the identities of the
jihadi webmasters and forum posters. The Arizona Artificial Intelligence Lab has
pioneered new tools for finding out who’s who on the “jihadnet,” and analyzing their
methods of persuasion.
Note that all of this has come from the private sector. Smart governments realize
the usefulness of these skills early on, and have taken some steps to make effective use
of them. Arizona’s AI Lab has been the beneficiary of more than $20M in research
funding from federal agencies.
And of course, government think tanks and institutes are also dealing with jihadi
materials more and more. Of particular note, the Combating Terrorism Center (CTC) at
West Point has done some outstanding analysis work in applying what is learned on the
web to concrete tactical operations. Some the examples cited here of intelligence
gathering from Islamist online materials come from Stealing al-Qaida’s Playbook, by
Jarret M. Brachman and William F. McCants  of the CTC. Just to give a taste of
what such analysts have come up with over the past two years, I would like to present
some examples of how open source datamining can clue us into how the “bad guys”
think, and what to do about it.
2. Intelligence from the Web
Before going further, I would like to review briefly what good intelligence is and is not.
Intelligence is not “news”. Governments often press intelligence agencies into
service as open source news monitoring agencies, insisting on getting up-to-date
reports on things that are covered by the mainstream wire services. This kind of
pressure is often detrimental to the agencies’ primary tasks, which is providing an
insight into fundamental processes. Yes, an intelligence agency should be up to date
with what’s going on in a particular sphere of interest. But intelligence gathering is not
meant to be news reportage.
At its best, intelligence leads to understanding. Properly understood,
intelligence-gathering should lead to a fundamental understanding of what is going on
in the sphere of interest, who the main players are, and who their friends and enemies
are. With regard to a specific opponent, this intelligence should include what the
opponent is doing and what the opponent is thinking. This is called “foundation
intelligence”, and without it, an intelligence agency is no more than an under-funded
and under-staffed news agency.
Understanding leads to predictions. Proper foundation intelligence can lead to a
better understanding not only of how things are likely to unfold in the sphere of interest,
but also what effect contingencies outside of that sphere may have on events.
Extrapolation from foundation intelligence is the work of professional analysts, who
provide the crucial link from foundation intelligence to tactical intelligence.
Essentially, good foundation intelligence helps to formulate answers to the
following questions regarding the opponent
What are they saying?
What can we learn from it?
Y. Shahar / The Internet as a Tool for Intelligence and Counter-Terrorism 107
What should we do about it?
While the Internet is unlikely to be a lucrative source of reliable tactical
intelligence, it is a goldmine for foundation intelligence. This kind of intelligence deals
with the following basic issues regarding the opponent:
Ideology. What are their core beliefs? What divisions are there in the
Strategy. What are their ultimate goals and overall game plan?
Tactics. By what methods do they propose to reach these goals?
Structure. How do they make decisions, and who makes them?
3. What We Learn from Jihadist Websites and Forums
The real heart of the global jihad is expressed online. This is the venue where ideas are
hashed out, dissent is either neutralized or accommodated, and strategies and tactics are
discussed. For the most part, we don’t expect to find online discussions of actual attack
planning. But we can learn how ideology and opinion are shaping in the larger Muslim
community who form the jihad’s target constituency and who supply the movement’s
pool of recruits.
In essence, Al-Qaida’s flight into cyberspace was necessitated by the destruction
of jihadi training camps following the September 11 attacks. The movement’s leaders
have had to turn to cyberspace as a way of maintaining contact with a geographically
dispersed constituency. However, the use of the web as a primary venue for discussion
was not only mandated by necessity, but was also a matter of choice. Since its
inception, the global jihad has relied very heavily on the internet and the nature of
online communities to further its aims.
3.1. Ideological Lessons
The jihad movement’s internet presence is most felt in ideological discussion. The web
is essential to the movement’s ideological development, as well as to the actual
dissemination of this ideology to potential recruits and supporters. Such freely
accessible discussions offer analysts a window into the jihad movement at both the
“grass roots” level and the level of its top-level leaders. Senior ideologues, as well as
mid-level operatives and up-and-coming scholars write on these sites. This is
intelligence straight “from the horse’s mouth.”
Downing and Meese of the CTC point out that a fair amount of the jihad’s key
doctrinal literature is available online, in addition to documents that have been captured
by the intelligence agencies of different countries.
One of the best ways to learn about al-Qa’ida is to read the papers, manuals, and
other documents which al-Qa’ida leaders have written to guide and discipline their own
enterprise. Many of these documents have been captured by military and law
enforcement forces and can provide insight into the way the organization works. Other
key references are readily available on the World Wide Web.
They emphasize that the more access is provided to these documents, the more
benefits will accrue to the counter-terrorism community as a result. As archives of
translated jihadi documents become more accessible to analysts, the understanding of
108 Y. Shahar / The Internet as a Tool for Intelligence and Counter-Terrorism
the movement’s key ideology, strategy, and motivation is growing. What is interesting
is that such analysis is increasingly coming from the private and academic sectors.
An example of how analysis is leading to a greater understanding of the jihad
movement’s vulnerabilities comes out of the Combating Terrorism Center (already
mentioned in full). In Stealing al-Qaida’s Playbook, Jarrett Brachman and William
McCants demonstrated how “jihadi strategic studies” can be used to identify and
exploit the weaknesses of the jihadi movement. The authors point out that the key to
defeating the global jihad from an ideological point of view is to understand its
ideology from the inside out: who the main ideologues are, and the significant issues
that unite and divide the movement. The authors note that jihadi leaders are remarkably
open and blunt when discussing who their biggest competition is and what their public
relations vulnerabilities are.
In a sense, members of the jihadi movement have put their team’s playbooks online.
By mining these texts for their tactical and strategic insights, the United States will be
able to craft effective tactics, techniques, and procedures to defeat followers of the
I’d like to give a few brief examples of the kind of intelligence that can be gleaned
from examining some of the strategic dialogue of the global jihad movement. The
following examples are from Stealing al-Qaida’s Playbook.
3.1.1. Example 1: Abu Bakr Naji, The Management of Barbarism, 2004
Abu Bakr Naji is one of the more prolific Al-Qaida ideologues of the new generation.
He is well-read and articulate, and his works are cited on numerous jihad websites, a
testament to the high regard in which he is held by the movement. In The Management
of Barbarism, Naji presents a thoroughgoing analysis of his own movement’s strengths
and weaknesses, as well as those of his opponents. Obviously, such an analysis is
useful for us in that it allows us to see how our enemies see themselves. But no less
important is the information they give us as to how they see us. This point is well
illustrated by the examination of Naji’s writings.
Brachman and McCants studied The Management of Barbarism; below are some
key points from Naji’s work, as cited by Brachman and McCants.
Naji urges fellow jihadis to study Western works on management, military
principles, political theory, and sociology, in order to borrow strategies that
have worked for Western governments and to discern their weaknesses.
The jihadis cannot defeat the United States in a direct military confrontation.
Rather, the clash with the United States is more important for propaganda
victories in the short term, and the political defeat of the US is viewed as a
long-term goal, as American society fractures and its economy is further
Naji also discloses weaknesses in the jihadi movement and the problems that
predictably confront such an entity, such as difficulties in resolving chains of
command, ferreting out spies within the organization, and reining in
There is concern that the momentum of the movement may be slowed by
clerics who challenge its legitimacy and siphon off its recruits among the
Y. Shahar / The Internet as a Tool for Intelligence and Counter-Terrorism 109
Naji observes that the jihadi movement has often split over theological
3.1.2. Example 2: Abu Qatada, Between Two Methods, 1994
Another example of the vulnerability of the jihad movement given by Brachman and
McCants comes from Abu Qatada’s work, Between Two Methods. Abu Qatada is
scathing in his criticism of a popular Saudi cleric, Rabi`al Madkhali, a serious rival of
the salafi movement: “This man is content to claim that he is a Salafi so that he can be
an imam for some inexperienced boys whom he feeds slogans and shimmering
phrases.” Jihadi ideologues are very open about which Muslim religious leaders they
Brachman and McCants point out that although a specific enemy may no longer be
a threat, by understanding why he was a threat in the past, we can look for—and
perhaps exploit—similarly threatening enemies in the present.
Why was Madkahli a threat? To begin with, he was a quietest, and was supported
by the Saudi government. More importantly, his popularity and outreach were such that
he was able to draw off young recruits from the more radical movements.
3.1.3. Lessons Learned
What do we take away from these examples? Perhaps the most salient piece of
information we gain is “what worries them.” Naji openly discusses some of the
vulnerabilities of the jihadi movement from an ideological perspective. From his
discussion, we see that the movement is vulnerable to ideological splits and
knowledgeable clerics who “call them” on their interpretation. What does Naji say
should be done about it? His suggestion is to co-opt religious clerics to back the
jihadi’s interpretations. Where this is not possible, he suggests that rival clerics either
be intimidated into silence or killed.
For his part, Abu Qatada provides us with some keys as to what sort of rival cleric
is the greatest threat to the movement. The answer seems to be one who manages to
appeal effectively to the same target audience, the youth, and yet who espouses a
program directly at odds with that of the jihad movement.
3.2. Strategic Lessons
The term “jihadi strategic studies” was coined by Thomas Hegghammer and Brynjar
Lia, of the Norwegian Defense Research Establishment in Oslo, to refer to books and
articles on the strengths and weakness of the jihadi movement and those of its enemies.
 Hegghammer noted that the Internet has become a vital venue for terrorist cells to
organize and “brainstorm” about tactics in a decentralized way. This allows sleeper
cells to operate virtually autonomously, deriving their inspiration and operational
direction from texts published online by individuals on other continents.
Hegghammer argues that it is online that “…you really get the early signs of the
ideological developments, which are later going to affect us, or might affect us,
At the same time, the increasing use of the internet as the central brain of the
movement has also made the movement more transparent to onlookers.
Terrorist/Jihadi thinking is public and susceptible to infiltration. Hegghammer
110 Y. Shahar / The Internet as a Tool for Intelligence and Counter-Terrorism
encouraged counter-terrorist agencies to create an “atmosphere of paranoia” on these
websites, by posting fraudulent texts and subverting the readers’ trust in the literature.
3.2.1. Example: “Jihadi Iraq, Hopes and Dangers”
Hegghammer and Lia analyzed a document on the Internet, “Jihadi Iraq, Hopes and
Dangers”, which detailed how terror attacks ahead of Spain’s general election could
drive Madrid to pull its troops out of Iraq and thus harm the US-led coalition. Brynjar
Lia came across the document in December 2003 on a website called “Global Islamic
Media.” According to Hegghammer and Lia, “The main thesis proposed in the
document is that America cannot be coerced to leave Iraq by military-political means
alone, but the Islamist resistance can succeed if it makes the occupation of Iraq as
costly as possible—in economic terms—for the United States.”
Their analysis led them to see in the document a blueprint for driving a wedge
between coalition members.
The document therefore offers a number of specific “policy recommendations” in
order to increase the economic impact of the insurgency and the jihadi campaign in Iraq.
The most important of these recommendations consists of trying to limit the number of
American allies present in Iraq, because America must not be allowed to share the cost of
occupation with a wide coalition of countries. If the mujahidin can force US allies to
withdraw from Iraq, then America will be left to cover the expenses on her own, which
she cannot sustain for very long. The intermediary strategic goal is therefore to make one
or two of the US allies leave the coalition, because this will cause others to follow suit,
and the dominos will start falling .
The document’s anonymous author emphasized that:
...It is necessary to make utmost use of the upcoming general election in Spain in
March next year. We think that the Spanish government could not tolerate more than
two, maximum three blows, after which it will have to withdraw as a result of popular
pressure. If its troops still remain in Iraq after these blows, then the victory of the
Socialist Party is almost secured, and the withdrawal of the Spanish forces will be on its
electoral programme. 
A few months later, on 11 March—just prior to the elections—Madrid was rocked
by a series of train bombings that killed 190 people. Partly as a result, Spain’s
conservative government, which supported the Iraq war, lost the vote to the opposition
Socialists, who later pulled Spanish troops out of Iraq.
It would be hard to believe that the bombers were unaware of the “Hopes and
Dangers” document, given its depth of detail and its widespread distribution. In fact, as
pointed out by Lia and Hegghammer, the “nom de terror” chosen by an alleged Al-
Qaida video spokesman after the attack—Abu Dujana, a warrior and contemporary of
Mohammed—matches one mentioned in the “Hopes and Dangers” document.
Further evidence that the bombers had considered the political effect of their
actions was provided by the behavior of an alleged ringleader of the Madrid attacks. A
cell phone on an unexploded bomb led Spanish police to Jamal Zougam within a day of
the bombings. As the New York Times reported: “When Mr. Zougam arrived in court
after five days incommunicado, he reportedly asked the clerks, ‘Who won the
Y. Shahar / The Internet as a Tool for Intelligence and Counter-Terrorism 111
3.2.2. Lessons Learned
The “Hopes and Dangers” document is one example of the kind of basic intelligence
that is freely available on the Internet. What can be learned from this example of jihadi
strategic studies and the way it was put to practical use?
One of the most obvious messages is that the new generation of jihadi strategists
place a greater emphasis on pragmatism, and less on ideology. The “Hopes and
Dangers” document provides a cool analysis of political realities, with fewer references
to historical battles and quotes from the Quran. Eschewing flowery rhetoric and
exaggeration, it goes to the heart of current events and possible consequences. Clearly,
Al-Qaida’s future ideological leadership is evolving in the direction of greater
3.3. Tactical Lessons
Just as the jihad uses the web for ideological discussion and dissemination of ideas,
tactical discussions and training materials are also freely available online. Among the
intelligence that can be gleaned from these documents is information on the tactics they
see as effective, the weapons they favor and why, and perhaps even more importantly,
their assumptions regarding the effectiveness of these weapons.
The following two examples are from Brachman and McCants’s Stealing al-
3.3.1. Example 1: Abu Mus’ab al-Suri.
Abu Mus’ab al-Suri (aka Mustafa Setmarian Nasar) has made a study of failed jihads in
the contemporary world. He identifies various reasons for such failures, including:
The co-operation of local governments in countering jihads, and the failure of
the jihadists to organize simultaneous attacks in neighboring countries. Suri
cites as an example the co-operation of Syria with Jordan, Iraq and other
neighbors during the 1960s to 1980s. He suggests that if the neighboring
states had been struggling against their own jihads, they would not have been
so quick to assist Syria.
The failure to consider the influence of ethnic minorities and tribes, or the
possibility that these populations may be co-opted by the state.
The failure to provide jihadi fighters with a sense of personal connection to
their leaders, or with the vision that they too may become leaders.
The failure to gain popular support from the Muslim majority; Suri identifies
the role of propaganda as being crucial in this regard.
The insufficient involvement of Muslim clerics. Suri argues that clerics’
involvement is essential for developing new local jihad groups.
3.3.2. Example 2: Abu Bakr Naji
Abu Bakr Naji suggests various ways in which the jihad movement could be
strengthened. He outlines three stages for establishing the Khaliphate, beginning with
the bombing of crucial targets in order to draw the local security forces in around these
centers. The ensuing chaos would allow jihad leaders to assume control of the more
112 Y. Shahar / The Internet as a Tool for Intelligence and Counter-Terrorism
remote regions, and from there the jihad administrators could network towards
establishing a Khaliphate in that country.
Naji also suggests that low-ranking jihadists should not be allowed to launch their
own attacks, other than small to medium ones. He argues that major attacks such as
9/11 must be organized only by the High Command, since the wrong attack at the
wrong time would undermine the movement.
Naji notes that mass-scale Muslim support is of prime importance, and that already
the Muslim public is wary of the jihadists’ use of violence, and may view the jihadists
as trouble-makers. Without Muslim support, Naji cautions, new recruits cannot be
Finally, Naji argues that the education of young people is only complete when they
participate in jihad. He views the education provided by Muslim religious leaders as
being of lesser importance, while jihad involvement is seen as providing essential
training. The involvement of youth in jihad is viewed as a further step towards
establishing the “global Islamic resistance” and, ultimately, the global Khaliphate.
3.3.3. Lessons Learned
One way to counter the jihadis’ tactic would be by helping local surrogates establish
their own enclaves in those regions left unprotected by security forces. Local ethnic
groups can play a role in preventing security vacuums from forming.
The jihadis and the counter-terrorism community are competing for the same
audience; however, public opinion is more important to the “irregular” side in a low
intensity conflict. For this reason, a greater emphasis must be placed on psychological
and information operations in the sphere of influence, in order to undermine the
popular support on which the jihad movement is dependent.
4.1. Terrorism Websites as a Key to Efficacy
As mentioned, the jihad relies heavily on the web for the dissemination of information
from the upper echelons, as well as for discussion at all levels. Statements by the
leaders of the movement should be considered a useful input for intelligence analysis.
Content analysis of such statements may give some hint of intentions, although there is
a significant amount of bluster, hype, and misdirection present in much of these
statements. Context analysis may therefore be of greater utility. This kind of analysis
can determine what the person making the statement thinks that his followers want to
hear. Thus, context analysis can provide some measure of the “temperature” of the
“street.” This is a useful input to foundation intelligence, as well as an aid to
determining the focus of tactical intelligence gathering.
Special attention should be given to the language, focus, and design of jihadi
websites. The languages used can tell us who the jihadis see as their primary audience
for recruits. In some cases, this points to perceived vulnerabilities among the targeted
group. But it can also tell us who the jihadis would like to have as recruits—who can be
of most use to them. For example, European Muslim converts are increasingly the
focus of “narrow casting” on jihadi websites.
Y. Shahar / The Internet as a Tool for Intelligence and Counter-Terrorism 113
Another point of consideration is the imagery and design of the sites. These sites
are frequently the work of some of the best and brightest of the new generation jihadi
recruits. They know their audience, and they know what techniques are likely to be
effective. With this in mind, we can say that imitation is the sincerest form of counter-
But it isn’t only the style of outreach that can be copied. Here too, a bottom-up
approach can yield benefits that would be unthinkable for top-down institutionalized
responses. Web designers from the jihadis’ own target audience can be recruited by the
counter-terrorism community to build a counter-offensive. The success of this kind of
campaign depends on working at the “grass roots” community level. The main allies of
the counter-terrorism community will be those singled out for recruitment by the
jihadis themselves. Terrorists and counter-terrorists are competing for the same
audience. The techniques used successfully by both sides will reflect this.
4.2. Psychological Operations
Analyst Stephen Ulph of the Jamestown Foundation has been monitoring jihadi forums,
with a special emphasis on those dealing with the situation in Iraq, the new training
ground for the jihadi movement. In July 2005, Ulph noted how news of ongoing
discussions between the US military and the Iraqi insurgents was affecting traffic and
commentary on jihadi forums :
The news evoked considerable notes of distress on the jihadi forums. On the al-
Qal’a forum one signing himself al-Sharif al-Idrisi, noted, on June 28, the similarity of
this potential development with the situation in Afghanistan, “when those fleeing the
Tora Bora caves were met by the Pakistanis not intent on helping them but in selling
them to the Americans. We pray God that this doesn’t happen to our brothers in Iraq”
This kind of commentary highlights a key weakness as perceived by the jihadi
militants themselves—their vulnerability to betrayal by the wider society in which they
operate. Such fears are, of course, easily played on. One obvious stratagem for
exploiting this sense of paranoia would be to “feed” news of betrayals to local news
media, then cast blame in the relevant forums upon elements within the organization, or
in rival organizations.
Ulph also noted that the news of meetings between coalition leaders and insurgents
was met with denial by many:
At the same time strenuous denials were being posted on the internet forums that
any such meeting took place, including from groups said to have participated in the talks.
One posting on June 30 appeared on the al-Qal’a forum signed by The Islamic Army in
Iraq, the Army of the Mujahideen and the Army of Ansar al-Sunna. It expressed
exasperation at Ayham al-Samarrai’s “lies and America’s games” and swiftly pointed to
the impending peril for the Islamist mujahideen in Iraq: “its intentions are to split the
ranks of the mujahideen … to divide the Iraqis from non-Iraqis ... to pull the rug from
under the mujahideen … How can a heroic mujahid Muslim brother in any country be a
What is significant here is the perceived motive of these “American games,”
namely, “to split the ranks of the mujahideen … to divide the Iraqis from non-Iraqis ...
to pull the rug from under the mujahideen.” One can gain a good deal of insight into
the state of insecurity of the opponent from this sort of posting. Obviously, one forum
posting or internet statement does not give an indication of the psychology of a whole
114 Y. Shahar / The Internet as a Tool for Intelligence and Counter-Terrorism
organization. However, if monitored on an ongoing basis, the total compendium of
such statements can provide a real “feel” for the psychological state of the opponent.
And if “being sold out” is what they fear, then by all means, one should play up
any and every possible case of such a sell-out, and milk it for all it’s worth.
The potential of such suspicions to turn the opponents’ forces against his own is
indicated by the continuation of the same statement quoted by Ulph above:
With America’s designs being “to return the Baathists to power, in the name of the
resistance” the statement accused Iyad Allawi of “giving orders to the Baathist Ayham
al-Samarrai to intrigue against the mujahideen and the resistance … So we proscribe the
life of Ayham al-Samarrai, and declare him to be a target of the mujahideen in general
and in particular of all members of the three groups (The Islamic Army in Iraq, the Army
of the Mujahideen and the Army of Ansar al-Sunna). … Anyone who allows himself to
be seduced into doing what the fantasist Ayham is doing will share the same fate”
In other words, whether correct or not, the suspicions served to drive a wedge
between the organization and its perceived enemies. Ulph points out that if the same
suspicion can be cast upon elements within the organization, instances of “red on red”
firing between opponent groups will be seen to increase.
4.3. Countering Recruitment and Propaganda
The global jihad movement, like any other major social movement, depends on a broad
base of support. Positive public opinion from within its constituencies is a must, not
only for bringing new recruits into its cadres, but also for garnering support for its less
obviously goal-driven activities.
As has been pointed out by Yoav Mimran, one of the key values of Muslim
societies is social unity and harmony. Anyone seen as sowing discord or endangering
public order is likely to be seen as an enemy of the public good, no matter how
otherwise worthy are his goals. Brachman and McCants have noted that the movement
“declines in popularity when it is perceived to be attacking fellow Muslims, causing
public disorder, damaging critical national industries, or engaging in sectarianism.” .
They point out that one effective point of counter-attack would be to “harness the
power of the ‘Shayma Effect’ [referring to an incident where an Egyptian schoolgirl
was killed in a jihadi attack], broadcasting images of jihadi attacks that have killed
Muslim children. 
The authors point out, however, that any such campaign must be managed very
much “from the rear” and by proxy. To this we may add that an institutionalized
campaign can never have the same power or reach as a genuine “grass roots” campaign
among the potential constituency of the opponent. Only when we are able to inspire
local actors to join the fray will such a media counter-offensive really be effective. A
government-sponsored campaign, no matter how skillfully managed, is no substitute
for the participation of local bloggers, media people, and commentators.
4.4. Undermining Trust
From articles which are available online regarding the training of activists, we can learn
of areas that the jihad movement itself sees as weaknesses, the better to exploit them.
Y. Shahar / The Internet as a Tool for Intelligence and Counter-Terrorism 115
For example, a number of articles have been posted warning forum posters of possible
digital interception, and suggesting ways of getting around the problem.
In other instances, internal debate can point to potential splits within the movement,
or to a lack—or perceived lack—of leadership. In addition, these kinds of debate can
show what issues are of greatest concern to the jihadis themselves.
4.4.1. Example 1: Divide and Conquer
In fact, the penetration of Islamist forums by counter-intelligence agencies has resulted
in the arrests of several key figures. These may include the arrests of forty mujahideen
in Saudi Arabia, and the arrests of the attackers of the Abqaiq (Buqayq) oil facility.
Most certainly, the arrest of the infamous “internet jihad” Irhabi007 was due to a fairly
common lack of attention to basic security procedures online.
A significant spin-off of such events is the mistrust and confusion which abounds
on jihadist forums in their wake. During the first half of 2005, Stephen Ulph and other
researchers at the Jamestown Institute noted a spate of warnings and debates which
appeared on jihadist forums. The warnings were to the effect that forum participants
should not enter certain websites—not even as a visitor—for fear of being identified by
the “dogs in intelligence” (cited by Ulph, as posted on the Syrian site “Minbar Suriya
al-Islami”). The debates concerned the authenticity of certain jihadist forums, or of site
administrators or participants who were suspected of being counter-intelligence spies
The end result is that jihadists’ confidence in their ability to dodge state control via
the use of Internet forums has dropped significantly in the past couple of
years. Despite the jihadist forum administrators’ best efforts to use proxies and to
conceal participants’ identities, this kind of confidence may not be all that easily
4.4.2. Example 2: Encourage Sectarianism
According to Ulph, “the pool of experienced, credible ideologues may be draining”
amongst jihadist supporters. Ulph has noted that in the wake of the kidnapping and
assassination of the Egyptian ambassador to Baghdad, al-Zarqawi’s Al-Qaida group
was criticized by the two main Egyptian militant Islamist organizations.  These
detractors argued that Al-Qaida in Iraq was more focused on destroying the Shi’a and
Kurd populations than it was on fighting the enemy occupier.
They also suggested that the organization was unable to learn from its past
mistakes, and that it was causing “the average Muslim” to feel alienated from Islamist
groups in general. The latter criticism was echoed by Abu Muhammad al-Maqdisi
of the al-Tawhid wal-jihad movement, who argued that the true nature of jihad was
being distorted by al-Zarqawi and other mujahideen in Iraq. In addition, criticisms
regarding the London bombings were posted on jihadi forums by Abu Baseer al-Tartusi
[www.abubaseer.bizland.com]. These kinds of criticisms are particularly important
since they have been publicly aired by members of the Muslim community.
In both instances cited above, internal debate and dissent can work to undermine
the confidence of the jihadis in their own organizations. This drop in confidence can
affect the organizations’ infrastructure, as in the case of the perceived use of Internet
forums by counter-terrorism operatives; alternatively, confidence in the leaders
themselves may be affected, as in the case of the criticism of Zarqawi.
116 Y. Shahar / The Internet as a Tool for Intelligence and Counter-Terrorism
5. Conclusions and Recommendations
Terrorists’ use of the Internet for command and control, propaganda, and intelligence
gathering has been bemoaned for years by law enforcement officials and intelligence
agencies. Too often, the field has been ceded to the terrorists, with the counter-
terrorism community struggling to catch up—amid allegations of inefficiency,
misplaced funding, and organizational ineptitude.
The examples presented above show the kind of conclusions that can be drawn
from jihadi texts and inter-organizational dialogue, as well as examples of practical
lessons learned. The fact that almost all of the raw material for this analysis is
available online should not detract from its importance in the eyes of intelligence
agencies. There is a tendency for intelligence agencies to get caught up in the “top
secret implies top value” mentality, leading them to overlook some of the most crucial
inputs to intelligence that are freely available to all takers.
5.1. Horizontal Dataflow versus Vertical Dataflow
In order to fight the type of terrorist entity that has evolved out of the communications
revolution, intelligence agencies will need to learn the lessons taught them by the
terrorists themselves. This means the establishment of a “ground-up” grassroots
approach to counter-terrorism—a horizontally-structured counter-terrorism apparatus to
replace, or at least complement, the older top-down hierarchical model. What is
needed is not only a technological shift (which is now underway), but an organizational
shift. In practical terms, this means that information flow, too, will need to be less
vertical (from the top down) and more horizontal.
At the same time, the organizational structure of the counter-terrorist community
as a whole will need to be reworked to take full advantage of the Internet, both as a tool
for intelligence gathering and as a means for command and control.
It’s a tall order. But the reality on the ground increasingly calls for it. What’s more,
the means now exist for doing it. If they can do it, why can’t we? And in fact, it’s
already happening. Increasingly, we’re seeing the initiative for intelligence gathering
and analysis shifting from the hands of government agencies into private hands. This is
as it should be. Terrorism endangers us all—citizens as well as military and law
enforcement personnel. In fact, due to the nature of terrorism as psychological warfare,
it is the private sector that is most at risk; and this is also the designated target. It is
important that the “professional” intelligence community understand this shift from
governmental to private inititiative, and in fact embrace it. They need to learn to make
proper use of the ground-up efforts of academics, internet sleuths, and independent
Brachman and McCants note that at present few agencies have access to the kind
of experts who have a deep enough background in the culture and language of the
opponent to provide the kind of analysis essential for good foundation intelligence.
Even when they do, such analysis tends to remain within the “orbit of the agency where
it originated.” They suggest that the United States government “might consider
establishing a think tank staffed with highly trained experts on the Middle East and
counterinsurgency whose sole purpose would be to identify the major jihadi thinkers
and analyze their works.” 
Y. Shahar / The Internet as a Tool for Intelligence and Counter-Terrorism 117
While such a think tank is a worthy goal, these problems will not be overcome by
the establishment of yet another government-sponsored entity, no matter how well-
funded or well-staffed. It is the nature of bureaucracies to become monolithic, self-
perpetuating, and inward-looking. A better solution is for governments to establish
links of mutual support with the grassroots organizations already doing these analyses.
This means that government agencies need to know who these entities are, what they
produce, and what they need in order to keep working—usually money. What is needed
is a working relationship, though it isn’t clear whether this should be based on a
“consumer/supplier” relationship, or on cooperation.
In addition to fundamental intelligence gathering and analysis, information
operations too are shifting from the government to the private sector. This is a positive
step, regardless of the potential for “vigilantism”. Governments will need to recognize
the potential of the private sector, particularly in the sphere of interest, to manage their
own information and media operations.
To be effective in low-intensity conflict, our definitions of tactical counter-terrorist
operations will need to be expanded to include web-based operations. In particular,
web-based PsyOps and counter-propaganda should be seen as key elements in the
counter-terrorist arsenal. It is crucial that any information campaign make use of the
same tactics and the same venue as those used by the jihad movement itself.
It is also crucial that the counter-terrorism community understand the implications
of the change brought about by the communications revolution. Today’s battles are
being fought more and more in the sphere of public opinion rather than on the
battlefield. The counter-terrorism community is competing for the same audience as the
jihadis themselves. In this type of warfare, the Internet is both battlefield and weapon.
For the jihadis, this is a two-edged sword; the greater their dependence on the Internet,
the greater their reach and efficiency, but also the greater their vulnerability.
 Jarret M. Brachman, William F. Mccants. “Stealing al-Qa’ida’s Playbook.” CTC Report. February 2006.
 Wayne A. Downing and Michael J. Meese, “Harmony and Disharmony Exploiting al-Qa’ida’s
Organizational Vulnerabilities.” Combating Terrorism Center Department of Social Sciences United
States Military Academy 14 February 2006.
 Jihadi Strategic Studies: The Alleged Al Qaida Policy Study Preceding the Madrid Bombings Studies in
Conflict and Terrorism. Routledge, part of the Taylor & Francis Group, Conflict, Security and Strategic
Studies, Volume 27, Number 5/September-October 2004. p. 355-375. August 19, 2004.
 Australian Broadcasting Corporation. TV Program Transcript: Al Qaeda weaves web of terror. Broadcast:
 Brynjar Lia and Thomas Hegghammer. “FFI explains al-Qaida document.” Forsvarets forskningsinstitutt.
19 March 2004.
 New York Times. “As Europe Hunts for Terrorists, The Hunted Press Advantages.” March 22, 2004,
Section A, Page 1, Column 1.
 Stephen Ulph. “Islamist insurgents seek to contain PR disaster: notes of defeatism.” Terrorism Focus.
Volume 2, Issue 13 (July 13, 2005)
 Stephen Ulph. “Zarqawi’s declining ideological support among Islamists”. Terrorism Focus. Volume 2,
Issue 14 (July 22, 2005)
 www.alsakifa.net, July 14, 2005; cited in Ulph .
P. Everard / NATO and Cyber Terrorism 119
which at present allow terrorists to conduct their operations with little or no risk to
The current NATO Definition of cyber terrorism is: “A cyberattack using or exploiting
computer or communication networks to cause sufficient destruction or disruption to
generate fear or to intimidate a society into an ideological goal.” This originates in a
NATO document, but the report goes on to concede that due to its non-physical nature,
accurate definitions of cyber terrorism are not easy to produce. The NATO Office of
Security does recognize that it is becoming increasingly feasible to exploit the many
vulnerabilities of cyber space, especially with regard to those services that rely on
computer and communication networks.
The National Infrastructure Protection Center, now part of the US Department of
Homeland Security, states as their understanding of cyber terrorism: “A criminal act
perpetrated by the use of computers and telecommunications capabilities resulting in
violence, destruction and/or disruption of services to create fear by causing confusion
and uncertainty within a given population, with the goal of influencing a government or
population to conform to a political, social or ideological agenda.”
The Federal Bureau of Investigations has the following definition of cyber terrorism:
Any “premeditated, politically motivated attack against information, computer systems,
computer programs, and data which results in violence against non-combatant targets
by sub-national groups or clandestine agents.”
In his 2002 report “Assessing the risk of cyber terrorism, cyber war and other cyber
threats”, James A. Lewis of the Center for Strategic and International Studies (CSIS)
gives another widely-quoted definition: “The use of computer network tools to shut
down critical national infrastructures (such as energy, transportation, government
operations) or to coerce or intimidate a government or civilian population.”
These definitions have much in common, although the emphases differ. The results
of cyber terrorism may be measured by the terrorist having the ability ‘to affect
physically’ something which is of importance to the victims. However, even if attacks
are not ultimately successful, the attacker may manage to spread the fear of attack
among many, with often painful economic results for businesses.
Although perhaps the most likely use of the internet for what would
unquestionably be an act of terrorism would be in the form of a ‘hybrid attack’, with a
Denial of Service attack combined with a conventional attack, what I think of as true
cyber terrorism is the sole use of a network for an attack, that is, the network’s use as
the method of delivery for the attack.
120 P. Everard / NATO and Cyber Terrorism
It is certainly possible to think of ways in which the networks could be abused in
ways that result in mass casualties. Considering the Internet or networks, the attacker
will want to disrupt or destroy traffic passing through, install malicious software
(‘malware’) onto systems, initiate fraudulent transactions with a desire to erode
confidence in world marketplaces, or access sensitive information and to exploit it for
further attacks that may not be network based. Attacks through the networks could be
on air traffic control systems, or on the operation of train signals, particularly those
located at busy intersections. A successful attack against air traffic control facilities, for
example at London’s busy Heathrow Airport, could result in a triumph for the attacker
able to carry it out.
Profile of the Cyber Terrorist
Another approach to looking at the issue of cyber terrorism is to ask: who are the cyber
terrorists? For the most fatal forms of attack they would have to be hackers, i.e.
advanced computer users who dedicate their time to finding vulnerabilities in IT
systems. Our typical impression of hackers is of people generally lacking the
motivation to cause severe economic or social harm. Hackers in the news include, for
example, the two teenagers who in 1998 were found to be accessing US airforce IT
systems, amongst other things, and who were eventually brought to justice. However,
interest in using hacking for terrorism has certainly featured in al-Qaeda
It is frequent that terrorist activities overlap with more widespread kinds of
criminality. There are already innumerable computer criminals, determined to commit
any form of fraudulent activity generally for financial gain. We could find terrorists
making use of such methods as phishing, extortion using e-mails, and the insertion of
viruses, especially Trojans.
Anyone with an average ability to use the Internet, and enough money and
motivation, could mount a Denial of Service attack. The use of bot-nets is available for
a price on the Internet.
Aspects of Cyber Terrorism
Cyber terrorism involves offensive information technology, whether it operates alone
or in combination with another form of attack. Cyber attacks are usually limited to non-
physical effects like the destruction of data. However, we should bear in mind that
although protection against attacks with physical effects is paramount, the wiping out
of files and data on systems could be disastrous to an organization, while the
destruction of health records could endanger lives.
There is the possibility that hostile actions would threaten to bring down the
Internet itself. However, the terrorist requires the network to be in place, which poses
the question how far does he go in his effort to destroy/disrupt? One distinctive factor
of this kind of terrorism is that the attacker requires the network to be kept in place in
order to carry out the attack, or to retrieve more information from it. Specific areas of
the network are undoubtedly targeted and services denied, but the attacker uses the
network. Only if it was essential would the terrorist want to cause wholesale the closure
P. Everard / NATO and Cyber Terrorism 121
For one thing, terrorist communications are to a large extent over the Internet.
Terrorist propaganda also has the ability to substitute their ethics for our own, i.e.
broadcasting by states or established companies is replaced by their own. They use the
freedom of the Internet to bypass normal moral restraint in favour of using shocking
media. We have seen the broadcasting of horrific scenes, particularly of the treatment
What Are the Objectives of Attack?
What might be the objectives of an attack over the networks? When we list the aims of
terrorism in general, in each case we find that these aims can be met by attacks through
the networks. Terrorists want to cause:
Loss of integrity Contaminated systems could lead to fraud, incorrect
decisions being made, or may be the precursor to loss of availability and
confidentiality. Information must be protected from unauthorized changes.
Loss of confidentiality Disclosure of data could lead to loss of public
confidence, especially during times of crisis.
Loss of availability of services This could prevent governments or other
organizations fulfilling their mission, whatever or wherever it may be. Support
services could be hampered or prevented in their efforts to provide a service to
Physical destruction The is the possibility of creating physical harm through
the use of IT. We should be aware of the danger of hacking attacks on the
SCADA (Supervisory Control and Data Acquisition) systems that manage our
modern world, our power, water treatment and distribution, and other aspects
of our critical infrastructure. We will look at this in more detail later.
It is a good point to consider that the high demand for, and dependence on,
resources globally greatly enhances the impact of this potential threat.
Examples in the News of Attacks over the Networks
Attacks on Organizations
The following are examples of the Internet-connected attempts to disrupt services
which later appeared in public news reports. We begin by noting the cyber attacks in
response to NATO’s operational activities. To quote from CNN (31 March 1999):
“Access to NATO website disrupted. The NATO website has been under a
deliberate bombardment from Yugoslavia that has made e-mail service and access to
the site ‘erratic’, NATO spokesman Jamie Shea said Wednesday …”
The following is taken from Reuters (2 Sept 1999):
“Chinese hackers mounted a cyber blitz against US and NATO. Hackers with
Chinese Internet addresses mounted a cyber blitz against US and allied forces, after
NATO bombed the Chinese embassy in Belgrade, a top US Air Force officer said on
Wednesday. Lt.-Gen. William Donahue, Commander of the Air Force Communications
and Information Center at the Pentagon, said hackers ‘came at us daily, hell-bent on
taking down NATO networks’.”
122 P. Everard / NATO and Cyber Terrorism
It is the increasing frequency of events such as these that put the issue of cyber
defence firmly on the agenda during the 2002 NATO Prague Summit.
There are also examples of attacks on other organizations. Very recently, in the
past months, the United Nations (UN) has been hit by a string of hacking attacks aimed,
among other things, as building ‘botnet’ hordes. 1 These financially-motivated
incursions, launched from the same remote location, infected a server common to three
websites and downloaded a Keylogger and a Trojan to ‘visitor computers’ via ‘drive-by
attacks’. The quote is from Darren Pauli of Computerworld Australia:
“Keylogger and Trojan target United Nations. UN serves dangerous malware after
online attack: The United Nations (UN) has been hit by a string of hacking attacks
aimed at identity and credit card theft, and building botnet hordes. The attack on the
UN Asia Pacific website is believed to originate from the same group responsible for
attacks on the US-based Biotechnology Information Organization and the prominent
Indian Syndicate Bank. It is unknown if the group is responsible for more attacks.”
Targeted Trojan e-mail attacks have become a more pervasive threat over recent years.
The attack will initially depend on the unsuspecting user casually clicking on an
attachment in an e-mail to release the malware onto the host. The processes used are
sophisticated, and the e-mails are made to seem credible. Once activated, Trojans can:
Upload documents/data to a remote computer.
Collect usernames and passwords for user accounts.
Collect critical system information and scan network drives.
Use infected machines to compromise other computers and networks.
Download further programmes (e.g. worms, or more advanced Trojans).
Although one variety of these Trojans appears to do nothing more than to harvest
e-mail addresses for use in spam emailing, there are a growing number of reports of
much more severe consequences such as:
Erasing or overwriting of data.
Creating a back door programme to allow the exfiltration of documents.
Installing keyloggers used in the theft of user accounts credentials.
There are also many other facets of such attacks. Some compromises of sensitive
data have already been attributed to this method of attack. The perpetrators are very
rarely tracked down due to the liberal, uncontrolled nature of the internet.
One of the most common types of Trojan aims at building botnet hordes. Here the
malware maintains a ‘backdoor’, allowing attackers to monitor and hijack user
machines. A ‘Websense Australia and New Zealand’ network official has recently
commented that such attacks “exploit remote servers with weak security and typically
target common brand names to maximise exposure.” In other words, cyber groups will
target ISPs which do not have sufficient security, employ common brands of servers,
and place those servers in locations without tight controls or law enforcement.
‘Botnets’ are a collection of compromised systems that are tasked by the attacker via the use of
malicious software which runs processes on a system that its user is generally unaware of.
P. Everard / NATO and Cyber Terrorism 123
Cyber Attacks for Sale
To illustrate how easily Denial of Service (DoS) attacks can be bought on the Internet,
here is an excerpt taken from an article from the PandaLabs blog website:
“DDoS 1 hour US $10-20 (depends on the seller), 2 hours US $20-40, 1 day US
$100, more than 1 day from US $200 (depends on the complexity of the job).”
The price usually depends on the attack time. Later we will look at the Estonian
incident, where attackers purchased such packets of DoS attacks for use against
government computers and others.
The following advertisement aimed at financial fraudsters is also quoted. It was
posted by pmontoya on 23 April 2007:
“Accounts, FTP accounts: US $1 per account. 50MB of limbo Trojan logs US $30
(contains e-mail accounts, bank account numbers, credit card numbers, etc.. A
percentage is guaranteed…).”
The writer of the article went on to ask the questions: “How do hackers make
money out of programming malware? Where do they sell their creations? For how
much?” And, interestingly: “Who buys the malware and what for?”
Digital espionage is a tool that is available to the cyber terrorist for his intelligence
purposes for future attack.
Attacks on SCADA Systems
To illustrate the danger of attacks on SCADA systems we can look at a US Department
of Homeland Security-commissioned experiment to exploit a vulnerability in such a
system. The exercise was intended to demonstrate how a remote digital attack by
hackers could cause real world damage. Following the experiment, in which part of a
power grid caught fire, the press report read: “Simulated cyber-attack shows hackers
blasting away at the power grid …”
Such attacks are not science fiction. US government officials in 2002 claimed that
they had evidence, retrieved in the form of training manuals from al-Qaeda training
camps, that terrorists had explored such vulnerabilities in SCADA systems with the
intention of conducting attacks.
The Australian authorities are also taking the potential threat to critical systems
very seriously, having experienced the results of an attack of this nature. Symantec’s
security reports also highlighted the Australian case, in which a disgruntled ex-
employee, Vitek Boden, hacked into a computerized waste management system in
Maroochy Shire, Queensland, and caused millions of liters of raw sewage to spill out
into local parks, rivers and even into the grounds of a Hyatt Regency hotel in March
2000. The incident was reported in this way:
“SCADA Systems a Real Cyber Security Threat, Brisbane, March 02, 2005. ‘Most
Australian SCADA-dependent utilities are currently ill prepared for a cyber security
breach meaning that some of our most critical infrastructure services, such as electricity
and water are in danger of becoming seriously compromised … The ongoing
integration of SCADA systems with technologies such as the Internet and wireless, and
the integration with other business systems, means that these systems are now more
accessible and vulnerable to electronic attacks,’ said Kim Duffy, managing director of
Internet Security Systems Australasia (ISS) (Nasdaq: ISSX).” 2
124 P. Everard / NATO and Cyber Terrorism
The famous ‘Slammer Worm’ of early 2003 was 400 times faster than the ‘Code Red
Worm’. It disrupted banking, airlines, infrastructure and emergency services, and the
disabled the safety monitoring system at a nuclear power plant for combined period of
11 hours. Although site staff stated that there had been no threat posed to safety, the
potential for failure had already been identified in a governmental report some 6 years
earlier. The 1997 report was compiled after a six-month investigation of power grid
cyber security, described a “national system controlled by byzantine networks riddled
with basic security holes.”
For a number of days during April–May 2007, Estonia experienced a mass cyber attack
by attackers which succeeded in mounting a large-scale Distributed Denial of Service
(DDoS), in which selected sites were bombarded with traffic in order to force them
Nearly all Estonian government ministry networks encountered difficulties
because of the quantity of directed traffic, and there was disruption to international
connections and general performance levels.
Also, the party website of Estonia’s Prime Minister Andrus Ansip featured a
counterfeit letter of apology for removing a Russian World War II memorial statue, an
event seen as linked to the motive behind the attack. Estonia is thought to be one of the
most ‘wired’ countries there is. Even so, the attack had a significant effect.
NATO’s Improving Cyber Security
The effects of NATO’s policies for protecting against cyber attacks are illustrated by
the fact that we were able to detect an attack that occurred some time ago on one of our
mail servers. A Denial of Service was detected by our network monitoring devices, and
our team was able to respond appropriately before much damage could be done.
During the period 9–10 August 2006 a NATO mail server came under a distributed
attack from a network of infected systems. We were able to reconstruct the attack with
a diagram in which each red node represented an individual attacking system, and blue
nodes were the type of attack carried out. Somewhere in the middle was a white square
indicating the attacked system. In total, over a 15 hour period, around 25,000 attempts
to relay traffic through the target were observed.
The target mail server in this case was incorrectly checking emails that were not
for its internal network, and appeared to offer the capability of relaying e-mail traffic.
At some time during the morning of 9 August, one ‘system’ connected to the server
and identified a way of spreading spam emails across the Internet. This system then
contacted all the other members of its network (the botnet), which then tried to attempt
to relay traffic through the server.
In the event, NATO was able to stop the attack by re-configuring the mail server to
respond correctly to the attempted e-mail relay traffic.
P. Everard / NATO and Cyber Terrorism 125
NATO and Vulnerabilities
NATO depends on the Internet for much of its business, either directly, for contacts
with governments or commercial organizations, or as a bearer, and during the Pakistan
relief operation not long ago the Internet was the primary means of co-ordination.
The following are threats that I believe we at NATO should prepare ourselves
The malware within: that which is already present behind our defences.
Targeted espionage: prolonged attempts to compromise our network which we
may not detect.
Classified information leaks: are our users practicing good security?
Vulnerabilities exposed by poor maintenance: are we responding quickly
enough once they are identified, and what is in place to prevent re-occurrence?
System privilege abuse: do we practice a good security policy based on the
need to know or the requirement to access certain areas of our network? Do
we know exactly who our system administrators are?
NATO’s dependence upon information technology in every area of its business,
brings with it an attendant level of risk in fact the same sort of risk as the rest of the
world’s major organizations face.
We have either direct or indirect connections to many global networks, and thus
face the same global threats. An incident or attack against one part of the Internet, for
example in South America, can directly affect our own infrastructure within minutes.
And let us not forget that, even though our internal networks are supposedly ‘closed’
and separated from the Internet, documents, messages and other data is being uploaded
onto the internal network from external networks at almost every minute of every day.
We can assume that cyber terrorism will utilize the processes of cyber attack that
we have seen, and probably there are others that we have yet to see. The defenders need
to be constantly alert, and ask themselves:
How do we know that what we daily observe is not cyber terrorism?
Do we ignore the threat of cyber terrorism and simply defend against attack?
If we are pro-active, how can we identify the target before the attacker?
The NATO Computer Incident Response Capability (NCIRC) is a new addition to
NATO’s InfoSec Services, arising from a security review following the events of 9/11.
The review identified risks to critical infrastructure in particular.
The 21 Nov 2002 Prague Summit, attended by the leaders of the NATO nations,
announced a Cyber Defence Initiative in the final communiqué “to strengthen our
capabilities to defend against cyber attacks”.
As a result, the NCIRC and NCIRC IDS (Intrusion Detection System) projects
were approved. It was decided that an initial operating capability would be established,
with a transfer to a full operational capability starting in 2009. It will provide a full
24/7 operation. The NAC has approved NATO’s Cyber Defence Programme. The
NCIRC, with the IDS and IOC projects, were seen to be an urgent requirement. The
NCIRC and IDS in particular provide a centralized incident detection and response
capability, and expertise in computer and network security.
126 P. Everard / NATO and Cyber Terrorism
In general, a requirement was identified for cyber attack ‘counter-measures’ based
on good technology. The NATO Office of Security identified the threats that exist
because of the access to the means of cyber attack that we know the terrorist has. It is
also aware that terrorists already utilize the Internet extensively, as a primary tool to
support their activities: Terrorists raise funds, spread propaganda and to communicate
amongst themselves. It has also long been accepted to be a primary intelligence tool.
There are three main areas where further action is recommended:
Legislation: Can the Internet be placed under a common legislation?
Co-operation: How can national cyber defense capabilities work better
Setting the Example: What is the role that NATO can play to help defend
against world-wide cyber terrorism threats?
Cycle of Security
The cycle of security that we strive for, based on NATO’s requirement, is as follows:
Protect: This involves system hardening measures, full coverage of anti-
malware support, and specialist advice to projects.
Prevent: Conducting vulnerability assessments, comprehensive vulnerability
notification, and training and awareness.
Detect: Utilizing IDS and mail content checking. This includes out of hours
monitoring of those IDS systems.
Respond: Providing a 24/7 incident response capability.
Recover: Maintaining a highly responsive on-line or on-site incident recovery
Conclusion: Recognize the Cyber Terrorists
The cyber terrorist needs the cyber attack to act, although it may not of itself amount to
cyber terrorism. Will we know which attackers are the terrorists? They use the methods
of cyber attack to achieve their aims. The motivation for the attack could be: blackmail,
destruction, exploitation, or revenge, and knowing the motivation is the key to
distinguishing which is a terror attack.
The Internet has become such powerful medium that the terrorist is bound to
utilize it. ‘Economy of effort’ is one of the principles of war, and the nature of attacks
through the Internet is such that the terrorist can continue to perpetrate crimes time and
time again, without the requirement for martyrdom or any risk to themselves. The
funds required for such activity are minimal.
Checks conducted by the NCIRC have confirmed that some cyber attacks are
being directed against NATO networks that are connected to the Internet. Although it
can be a slow process, with co-operation sometimes proving complicated, we are
working together with NATO members’ security teams to identify the extent of this
threat and to put in place measures to protect our networks.
128 E. Çelebi / Analysis of PKK/KONGRA-GEL Websites to Identify Points of Vulnerability
the link saw the responsibility communiqué and frog images in the place of IED system
photographs, which the PKK/KONGRA-GEL site alleged was taken from
turkintikantugayi.8m.com. The reason why frog pictures appeared in the site was that
the website did not have enough capacity to store the IED system pictures that were
published in the PKK/KONGRA-GEL’s news story. The PKK/KONGRA-GEL
terrorist network already had the pictures before the bombing. This was their very
deliberate psychological campaign to take the advantage of the incident. However it
was prepared very unskillfully. The bombers, story makers, website designers, and the
provocateurs all proved to be the same group, which was the PKK/KONGRA-GEL.
Investigations later showed that the bomb was a PKK/KONGRA-GEL device that
exploded prematurely before it could be planted next to a big police station very close
to the children’s park.1 The incident was an illustration of how a modern terrorist group
uses the internet. What was the group that killed seven children and attempted to
misinform the people using black propaganda to provoke ethnic hatred? What were
their aims? It is useful to describe the group in the context of Turkey’s terrorism
experiences in its 72 year history.
Turkey’s PKK/KONGRA-GEL Problem
On August 15, 1984, a small group of Kurdish separatists began to attack Turkish
military outposts in the Southeastern region of the country. The separatist terrorist
group, which called itself the Kurdish Workers Party, commonly known as
PKK/KONGRA-GEL, engaged in a massive terrorism campaign which has resulted in
more than 30,000 fatalities, mostly terrorists, civilian ethnically Kurdish citizens, civil
servants, security forces and anti-PKK/KONGRA-GEL village guards.2
Abdullah Ocalan, who was born in 1948, founded the terrorist organization
PKK/KONGRA-GEL. He studied political science in Ankara University where he
became a Maoist. By 1973 he had organized a Maoist group whose goal was socialist
revolution in Turkey. After years of indoctrination and recruiting, the PKK/KONGRA-
GEL terror network was formally established on 7 November 1978. Since then,
PKK/KONGRA-GEL has been using its terrorism campaign to support its political
goal of building a Maoist Kurdish state in areas of Turkey, Iran, Iraq and Syria. As a
result of the successful military operations against the PKK/KONGRA-GEL and
determined behavior of Turkish Government against the countries that supported the
organization, the Turkish Special Forces in Nairobi arrested Ocalan after reportedly
following a tip-off from American intelligence.3 Although the capture of Ocalan caused
the terrorist network to lose support for its armed campaign, the group reorganized
itself in the power vacuum areas of northern Iraq and began its intensive terrorist
campaign in August 2004.4
“PKK appears to be behind deadly blast, say police” Turkish Daily News September 16, 2006 available at
http://www.turkishdailynews.com.tr/article.php?enewsid=54200 accessed on 25 October 2006.
United States Department of State Office of the Coordinator for Counterterrorism, “Country Reports on
Terrorism 2005” April 2006, available at http://www.mipt.org/pdf/Country-Reports-Terrorism-2005.pdf
accessed 8 November 2006.
Bruce Hoffmann, “Is Europe Soft on Terrorism,” Foreign Policy, Summer 1999, p. 63.
Country Reports on Terrorism 2005, p. 224.
E. Çelebi / Analysis of PKK/KONGRA-GEL Websites to Identify Points of Vulnerability 129
As with other modern terrorist organizations, the resilience of PKK/KONGRA-
GEL comes from the adaptive strategies that the organization implemented through
almost thirty years. The first adaptive strategy of PKK/KONGRA-GEL was declaring
so-called “unilateral ceasefires” when the Turkish military operations intensified and
hurt the infrastructure of the terrorist network. The Turkish authorities for two main
reasons have never accepted these announcements. The first reason is that the terrorist
network is not a main actor in international arena and can not use terms like
“ceasefire,” that connotes some legal status. The second reason is to prevent them from
disguising their weakness from their support base in times of inaction, because terrorist
systems have to maintain a minimum level of violence in order not to be seen as weak
in the eyes of their support base.
The last so-called “ceasefire,” or time period between terrorist campaigns, ended in
2004, after it had been declared following the arrest of its ringleader in 1999. 5 At times
of inaction, the terrorist organization consolidated its power in the uncontrolled areas of
northern Iraq, and resumed its terrorist attacks.
The second adaptive strategy of the PKK/KONGRA-GEL terror network is
imitating other terrorist organization’s successful tactics. Suicide attacks, hunger strikes
in prisons and prison revolts were some the tactics that they adopted from the other
revolutionary terrorist organizations. Ocalan urged his terrorists to imitate Hamas in
1996 but the persuasion tactics of the bombers were a little bit different from that of
Hamas. Rosemarie Skaine explains PKK/KONGRA-GEL’s tactics: “On October 25,
1996 Turkan Adiyaman [a female terrorist of PKK/KONGRA-GEL], was shot by her
own group, [because] she had refused to volunteer for suicide bombing. She was shot
in front of Leila Kaplan [another female PKK/KONGRA-GEL terrorist] as an example
of the fate that befalls shirkers. Kaplan, who was 17 years old, then performed the
The third adaptive strategy of PKK/KONGRA-GEL terrorist network has been to
change its name periodically because different names enable them to escape from the
international pressure that puts the network on designated terrorist lists, and second,
deceive the international community about its violent side. It attempts to give the
impression that the main terrorist group PKK/KONGRA-GEL does not use violence.
Since its foundation, the organization has been operating with the names of
“PKK/KONGRA-GEL,” “Kongra/GEL,” “KADEK,” “HPG,” “TAK,” “KKK,” and
“PJAK (Iranian branch).”7 TAK (Teyrêbazên Azadiya Kurdistan, Kurdistan Freedom
Hawks in English), for example, engaged in a bombing campaign in the big cities like
Istanbul and recreation centers of coastal Turkey. 8 The first attack of TAK was on
August 2004 and this date coincides with the announcement that PKK/KONGRA-GEL
would begin its terrorism campaign again after five years of inaction, demonstrating
that TAK is a subordinate group of the PKK/KONGRA-GEL terror network directed
by the organization’s hierarchical leadership.
Lenore G. Martin, “Turkey's Iraq Problem,” Washington Post, September 16, 2006; p. A21.
Rosemarie Skaine, Female suicide Bombers, (North Caroline: McFarland Company Inc.), 2006 p. 84.
United States Department of State Office of the Coordinator for Counterterrorism, “Country Reports on
Terrorism 2005” p.224 April 2006, available at http://www.mipt.org/pdf/Country-Reports-Terrorism-
2005.pdf accessed 8 November 2006.
“Turkish resort blast kills five,” BBC news, 16 July 2006, available at
http://news.bbc.co.uk/2/hi/europe/4688575.stm accessed on 14 November 2006.
130 E. Çelebi / Analysis of PKK/KONGRA-GEL Websites to Identify Points of Vulnerability
The fourth strategy of the terrorist network is its technological adaptation.
PKK/KONGRA-GEL is, perhaps, the first terrorist network to have a private satellite
TV by which they can mobilize people with extensive propaganda on a 24/7 basis. The
Roj TV station, a television station of PKK/KONGRA-GEL, has been banned in the
UK and France, but it is still broadcasting from Denmark, despite the Turkish
Government’s efforts to stop it.9
2. Motivational Training Through the Net
The emphasis on the ideological training in the program demonstrates that their first
priority is creating robust, indoctrinated, ideologically devoted terrorists and then
giving them operational skills to kill.
According to Brandon, Internet connection is available from a few computers
through satellite uplinks in the camp.10 Satellite TV is not the only way they can make
their propaganda, transmit their messages, mobilize their people and motivationally
train and sustain the motivational commitment among members. The Internet is largely
used by the PKK/KONGRA-GEL terrorist network for these purposes. As observed by
a political science professor at Concordia University, “when Turkish forces arrested
Ocalan, Kurds around the world responded with demonstrations within a matter of
hours.” He attributed the swift action in part to the Internet and web. “They responded
more quickly than governments did to his arrest,”11 The systematic use of internet by
PKK/KONGRA-GEL for motivational training will be the main focus in rest of the
Below is a list of the most prominent websites of the terrorist organization
PKK/KONGRA-GEL-KONGRA-GEL. The explanation of the table is below the table.
The table is used as an input for further content and network analysis of the
Table 1. List of PKK/KONGRA-GEL websites
1 Web address Language Links Design
2 http://www.rojaciwan.com Kurdish Turkish 3,4,5,6,7,10,12,15,16,17,19 3
3 http://www.pkk.org Turkish Kurdish 4,5,6,7,11,24 3
Farsi English Arabic
4 http://www.hpg-online.com Kurdish Turkish 2,3,5,6,11,26 3
Sedat Laciner, “The West and Terrorism: PKK as A Privileged Terrorist Organization,” Turkish Weekly,
14 May 2006, available at http://www.turkishweekly.net/editorial.php?id=29
James Brandon, “Mount Qandil: A Safe Haven for Kurdish Militants—Part 1,” Terrorism Monitor, 4, 18
Michael Dartnell, quoted in Dorothy Denning, “Activism, Hacktivism and Cyber Terrorism: Internet as
a tool for influencing foreign policy,” 2004, p.256, RAND monograph report available at
http://www.rand.org/pubs/monograph_reports/MR1382/MR1382.ch8.pdf accessed on 10 November 2006.
132 E. Çelebi / Analysis of PKK/KONGRA-GEL Websites to Identify Points of Vulnerability
30 http://www.welatparez.com Turkish none 3
31 http://www.kurdlander.com/k Turkish Kurdish 2,8,11,14,1516,17,18,19,22 3
urd English Farsi Finnish 23,25,35
32 http://www.freedom-for- English Italian 7,15,34 2
33 http://www.flash-bulletin.de Turkish none 2
34 http://www.hernepes.com Kurdish 2,3,4,5,6,78,10,12,15,16,17 3
35 http://www.cmg-team.com Turkish Kurdish none 2
36 http://rastibini.blogspot.com English 3,4,6,7,19,27,33 3
37 http://www.nadir.org German none 1
38 http://www.ciwanenazad.roja Turkish Kurdish none 3
The first two columns are the URL of the websites with a number attached to it.
The third column is the languages in which the websites are published. The fourth
column shows the links from this particular row’s URL to the other sites. The fifth
column shows the design quality of the websites on a number scale of 1 to 3. For
example, the website http://www.gundemimiz.com in the 8th row is being published in
Turkish. It contains news sympathetic to the terrorist network and has a hyperlink to
http://www.cewlik.net in the 9th row. It is professionally designed, has multimedia
content and colorful view, thus it is graded 3 in terms of design quality.
2.2. Content Analysis of PKK/KONGRA-GEL Websites
The content of these 37 websites generally include: the history of the organization,
biographies of its influential people and its killed terrorists, information on the political
aims of the terrorist network, the maps of so-called free Kurdistan, an intensive
informative campaign about the Kurdish ethnicity, history, language, and culture. They
claim that Kurds are the oldest people of the region, beginning from the Sumerian era,
to create and enforce identity based on ethnicity.
PKK/KONGRA-GEL websites avoid mention of the organization’s violent record
and basically highlight positive issues like freedom of speech, democratization,
ecology, and its imprisoned ringleader. They aim at Western audiences who are
sensitive to these norms in order to provoke sympathy in democratic societies.
The websites exaggerate the casualties of the security forces and hide their losses
in order to encourage sympathizers, and make calls to the youngsters not to sign up for
the Turkish Armed Forces.
The main reason for publishing the sites in eight different languages, especially
European languages, is to reach the second or third generation of ethnically Kurdish
immigrants in these countries who can not speak either Kurdish or Turkish. Turkish is
so popular because it is a common language even for the Kurdish speaking people who
E. Çelebi / Analysis of PKK/KONGRA-GEL Websites to Identify Points of Vulnerability 133
do not understand each other due to their dialect differences. Arabic and Farsi are used
to reach the Kurdish population living in Syria and Iran.
The web site named “pajkonline.com” aims at the women who were mostly used
in suicide bombings in the past. Abdullah Ocalan urged his militants to imitate Hamas
militants by becoming human bombs in 1996. Female militants have carried out 70%
of all the suicide bombings of the organization.12 The tribal (ashiret in Turkish) nature
of the social structure in the region and its consequences (low education rates, early age
marriages, polygamy, and honor killings) make the young female population very
susceptible to ideological exploitation. The socialist ideology, which claims to
repudiate any dominant factor in the society including masculine dominancy, is used as
an ideological message to attract this vulnerable group of people of the region. Almost
every website in the dataset contains a part dedicated to women and the content of
these pages is very fanatically feminist to a degree that leads one to conclude from
these sites that PKK/KONGRA-GEL is a violent feminist organization. The Iranian
branch of the PKK/KONGRA-GEL or PJAK is published only in Farsi and has no out
links although it has three in links—one from the youth branch’s web site, one is from
PKK/KONGRA-GEL’s own web site, and one from the European branch’s website.
Almost every page alleges that the PKK/KONGRA-GEL terrorist network will not
accept any solution to the so-called Kurdish issue without their ringleader Abdullah
Ocalan. Letters written by the militant terrorists praise him to a degree that one gets the
impression that he is supernatural. His writings reinforce this supernaturalism too. He
defines his capture as crucifixion, and claims that the alternative ideology that he
brings—he names it Ecological Democratic Confederation—is superior to that of
Durkheim, Marx and Lenin. Moreover, he makes an analogy between his so-called
universal struggle and that of a god from Greek mythology—Prometheus, who took
fire from the hearth of the gods by stealth and brought it to men, thus allowing mankind
to keep warm. 13 This situation was observed by Clara Beyler who comments on
the female suicide bombings of PKK/KONGRA-GEL: “The incentive and justification
for suicide attacks were all based on Ocalan’s orders. The leader had such power and
influence on the group’s members, that they did not need the pretext of religion, for
Ocalan himself reached the status of God in the terrorist network. It was on this god-
like leader’s orders that suicide bombings started. It was also on his command that they
stopped.”14 The struggle of PKK/KONGRA-GEL seems to transform into a struggle
for saving Abdullah Ocalan’s skin rather than allegedly pursuing Kurdish rights.
A great majority of the web sites have multimedia content like videos, flash
animations, audio, and colorful views. Some sites gives links to popular new trends like
Kurdish protest rock music, Kurdish hip hop and interviews with popular bands and
singers to attract the youth.
One of the web sites of the network secured with the password “cmg-team.com” is
dedicated to cyber attacks and encourages the members to learn hacking techniques and
provides information about the vulnerabilities of computer operating systems, basic
Robert A. Pape, Dying to Win: The Strategic Logic of the Suicide Terrorism (New York: Random House,
2005), p. 208.
Abdullah Ocalan, “Defense of Free Mankind” vol. 1 translation from Turkish available at
www.abdullah-ocalan.com accessed on 12 July 2006.
Clara Beyler, “Messengers of Death: Female Suicide Bombers,” International Policy Institute for
Counter-Terrorism, February 12 2003, from http://www.ict.org.il/articles/articledet.cfm?articleid=470
134 E. Çelebi / Analysis of PKK/KONGRA-GEL Websites to Identify Points of Vulnerability
knowledge about hacking, computer security, and basic computer programming
The website “zaningeh.yxk-online.com” serves as an intellectual base from which
the organization issues its strategic assessments about the future of their cause. The
website contains assessments of terrorist organizations (especially ETA and IRA), and
derives lessons learned from struggle against their governments, which can be used
against the Turkish government as well.
Critical information, or what the site administrators think is critical information, is
not discussed nor allowed to appear in open channels. The message postings are not
done instantly. First, messages are evaluated by the site administrators, and then those
that are approved are posted on the site. When this author began his research and
monitoring of these sites, “sehid.com” in which the organization posts the killed
terrorist biographies (almost updated) did not exist. Some users were asking questions
about the situations of active members (generally if they are alive or not), especially
after clashes between security forces and PKK/KONGRA-GEL. This reveals that some
of these sites are administered from the main camps of PKK/KONGRA-GEL. In these
situations, site administrators warned the users that they must be aware that the Turkish
Intelligence monitors these sites, and the administrators directed their users to instant
messaging tools like msn messenger to communicate privately.
Some of the websites in the network have shut down by court warrants due to their
terrorist content or access to these sites is denied to the users in Turkey. In this situation,
the other websites that are still active give instructions about how to view these sites by
changing their proxy server and LAN settings or giving direct links to the mirror web
pages of banned sites.
Content analyses reveal that PKK/KONGRA-GEL terrorist network uses the
Internet for communicating with its target audience, be it government, its support base
or the international community. Although this author did not find any operational
training material in these sites, they carry out a massive motivational training through
3. Network Analysis of Pkk/Kongra-Gel Websites
3.1. Why Social Network Analysis?
The Internet has become the main training environment as a result of counter terrorism
efforts to destroy the land-based training camps. For further success, it is essential that
the web presence of the terrorist networks be eliminated. The elimination strategy must
be performed in a systematic way in order to prevent waste of time and workforce.
Social network analyses can be utilized to identify which websites are essential for
eliminating as a way to disrupt the whole network.
Network data are defined by actors and by relations (or "nodes" and "links").
Network analysis focuses on the relations between actors, and not individual actors and
their attributes. This means that the actors are usually not sampled independently, as in
many other kinds of studies (most typically, surveys). Often network data sets describe
the nodes and relations between nodes for a single bounded population.
PKK/KONGRA-GEL websites are the study’s bounded population. The websites are
E. Çelebi / Analysis of PKK/KONGRA-GEL Websites to Identify Points of Vulnerability 135
the nodes and the hyperlinks between the websites are the links in our study. Because
we analyzed the attributes of the nodes in content analyses, our focus in network
analyses will be the relations between these websites.
Social network analysts use two kinds of tools from mathematics to represent
information about patterns of ties among social actors: graphs and matrices. Network
analysis uses (primarily) one kind of graphic display that consists of points (or nodes)
to represent actors and lines (or links) to represent ties or relations. There are a number
of software tools that are available for drawing graphs, and each has certain strengths
and limitations. The author used UCINET and NetDraw version 4.14 to draw the map
of the PKK/KONGRA-GEL websites.
Graphs are very useful ways of presenting information about social networks.
However, when there are many actors and/or many kinds of relations, they can become
so visually complicated that it is very difficult to see patterns. It is also possible to
represent information about social networks in the form of matrices. Representing the
information in this way also allows the application of mathematical and computer tools
to summarize and find patterns. The UCINET provides these matrices and statistical
analyses tools. Statistical analyses are used with the graphs for a better understanding
of the PKK/KONGRA-GEL website network.
The first step of the study is constructing the dataset of the web sites. Beginning with
the organizations designated web site (pkk.org), the author traced the hyperlinks that
directed the users to other websites. The same procedure was followed for the each site.
Thirty-seven different websites were identified that have links to “pkk.org.” Some
impartial links like mainstream media organizations like CNN, AFP or REUTERS or
international organizations like Human Rights Watch or Amnesty International were
not included in the dataset.
The number of hits the web sites took on a daily basis are not included in the
analysis because generally sympathizers artificially increase hit numbers by browsing
the same sites multiple times. Although the official web page of Kongra-Gel—the same
organization but with different name—has a lot of links from the other sites, the link is
broken and the page is not currently being published. The same pages that
are published with different names are not included in the dataset. From a basic search
on a major search engine, one can find hundreds of personal web pages that are
sympathetic to PKK/KONGRA-GEL and its cause. These pages also are not included
in the dataset. Individual sympathizers also use common video sharing sites like
You Tube to post the propaganda videos. These sites have search option with key
words. The PKK/KONGRA-GEL propaganda videos usually contains key words like
‘gerilla’, ‘pkk’, ‘Ocalan’, and some popular Kurdish words to attract the sympathizers
and misinform the web surfers who have nothing to do with the terrorist network’s
The second step is the visual and statistical social network analyses of
PKK/KONGRA-GEL linked web pages using network analyses metrics. Instead of
analyzing the network according to all the metrics, centrality, density and connectivity
degrees are analyzed to identify influential websites and to overview the whole network.
The Ucinet® software and analyses tools are used to map the network.
136 E. Çelebi / Analysis of PKK/KONGRA-GEL Websites to Identify Points of Vulnerability
3.3. Centrality Analyses
Figure 1. Multi-dimensional scaling graph of the PKK/KONGRA-GEL website network
The first visual graph of the PKK/KONGRA-GEL website network is obtained
using MDS. MDS is a family of techniques used (in social network analysis) to assign
locations to nodes in multi-dimensional space (in the case of the drawing, a 2-
dimensional space) such that nodes that are "more similar" are closer together. 15 This
similarity is based on the number of ties or connections that the nodes have. The Web
Sites located in the center are also the influential sites in the network. If an actor
receives many ties, they are often said to be prominent, or to have high prestige. That is,
many other actors seek to direct ties to them, and this may indicate their importance.
Actors who have unusually high out-degree are actors who are able to exchange with
many others, or make many others aware of their views. Actors who display high out-
degree centrality are often said to be influential actors.
Robert A. Hanneman and Mark Riddle, “Introduction to Social Network Methods” (Riverside, CA:
University of California, 2005), available at http://faculty.ucr.edu/~hanneman/nettext/ accessed on 12
E. Çelebi / Analysis of PKK/KONGRA-GEL Websites to Identify Points of Vulnerability 137
Figure 2. Principal components graph of the PKK/KONGRA-GEL website network
In this graph the sites in the right hand side is more influential ones and can be said
to be the hierarchical structure of the PKK/KONGRA-GEL’s websites.
Centrality of the websites is important because it identifies the influential websites
in the network. In addition, identifying influential websites will give us data to predict
the future structure of the larger network. Even our small sample demonstrates the
principals of “scale free networks.” In “scale free networks”, although most actors have
only a few links to others, a handful of actors (hubs) have enormous amounts of
connections.16 The prospective new websites (nodes) are going to create a link to these
influential networks to increase their popularity and people will exercise and reinforce
bias toward the old influential nodes by observing the increasing incoming links to
Albert Laszlo Barabasi and Eric Bonabeau, “Scale Free Networks” Scientific American, May 2003, p. 64.
138 E. Çelebi / Analysis of PKK/KONGRA-GEL Websites to Identify Points of Vulnerability
these sites. Albert Laszlo Barabasi and Eric Bonabeau explain this tendency: “As new
nodes appear, they tend to connect to the more connected sites, and these popular
locations thus acquire more links over time than their less connected neighbors. This
“rich gets richer” process will generally favor the early nodes, which are more likely to
eventually become hubs.”17
Reliance on the certain hubs in the network seems to be an advantage for
PKK/KONGRA-GEL to disseminate its propaganda quickly by means of controlled
popular hubs, but also it is the terrorist network’s vulnerability. Taking out these hubs
will make rest of the network individual islands that have no connection to the others.
The question in terms of counter terrorism agencies is how many of these hubs have to
be taken down to crash the whole network. The recent research suggests that, generally
speaking, the simultaneous elimination of as few as 5 to 15 percent of all hubs can
crash the subsystem and eventually the whole terrorist system. 18
3.4. Density and Geodesic Distances Analyses
The density measures of the network are somewhat loose. The density ratios are as
• Density (matrix average) = 0.1366
• Standard deviation = 0.3435
These values mean that the network has only 13% of the all possible ties. This
stems from a deliberate strategy of PKK/KONGRA-GEL. Some web pages, especially
newspapers and the web page of the television channel and news agencies of the
terrorist organization, do not have any outer connections to the other main sites of the
organization. This situation creates an impression that newspapers and the news
agencies that disseminate news to the world are impartial, because, simply, they do not
have any links to PKK/KONGRA-GEL sites.
The geodesic metrics are useful for describing the minimum distance between
actors in the network. The web page network of PKK/KONGRA-GEL has a maximum
value of 4 in terms of geodesic distances; any content published in one of the sites can
be reached with a maximum of only four clicks on the hyperlinks. This suggests that
information may travel pretty quickly in this network.
3.5. Connectivity Analyses
Point Connectivity calculates the number of nodes that would have to be removed in
order for one actor no longer to be able to reach another. If there are many different
pathways that connect two actors, they have high "connectivity" in the sense that there
are multiple ways for a signal to reach from one to the other. The website network of
PKK/KONGRA-GEL is very robust in terms of point connectivity. The most
influential sites have higher point connectivity which makes it difficult to deny internet
users the ability to reach these influential sites. The sites that have the highest
connectivity are rojaciwan.com (10), rojame.com (10), dozame.org (10), gerilla-
online.net (10), hernepes.com (10), urmiye.org (10), and pajk.com (9) respectively.
Barabasi and Bonabeau, p. 65.
E. Çelebi / Analysis of PKK/KONGRA-GEL Websites to Identify Points of Vulnerability 139
Figure 3. Circular layout graph of the PKK/KONGRA-GEL website network
The circular layout graph is a good illustration of a network’s closed nature in
systems terms. This can be observed from the centrality degree values of the network.
The network has 18 zero out-degree values as opposed to only one zero in in-degree
values which is the indicator of the closed nature of the network to its environment.
Only one website, “flash-bulletin.de” has links to the outer world that has different
view other than that of the organization. This web site has links to the mainstream news
media like CNN and AFP. When you enter the network the links directs you to the
news that PKK/KONGRA-GEL wants you to read, the music that PKK/KONGRA-
GEL wants you to listen, the images that PKK/KONGRA-GEL wants you to view. The
only different point of view comes from welatparez.com which has the same cause, that
is, to build a free Kurdistan including Turkish territory publishing from Denmark, but
criticizes the internal affairs of the organization. The propaganda made in the network
of the websites of the PKK/KONGRA-GEL is enough to demonize Turkey and the
Turks and to create a sense of us versus them on an ethnic-nationalist basis.
The content and the network analyses of the PKK/KONGRA-GEL linked websites is a
good illustration of how modern terrorist systems use technology to their own benefit.
140 E. Çelebi / Analysis of PKK/KONGRA-GEL Websites to Identify Points of Vulnerability
According to Gabriel Weimann there were 4,300 terrorist websites on the Net in 2005
and probably more than that today.19 They use the Net basically as a communication
tool, among various other purposes. The Internet is not only a platform for the
likeminded terrorists to meet and communicate, but also a weapon to attack basic
information structures of their superior enemies on the Net.
The Website network of PKK/KONGRA-GEL is designed in such a way that
when a neutral internet surfer enters the network, he or she is indoctrinated according
to PKK/KONGRA-GEL’s ideology and looks at the world from the terrorists’
perspective. The network is robust in terms of inter-connectivity but vulnerable to
coordinated attacks as are all the “small world” networks. 20 In order to disrupt the
whole network of terrorist websites the most influential sites (hubs) that almost all the
information radiates from must be given priority. Eliminating these hubs will leave the
other nodes as individual islands which are not so influential.
The loosely controlled nature of Net provides new opportunities for terrorist
organizations. The differences between countries about defining terrorism make the
situation more complicated to act in concert against terrorism. Terrorist organizations,
no matter what their ideological bases, are exploiting this situation and using Net as
new safe haven for their various activities.
Aktan, Gunduz and Ali Koknar, in Combating Terrorism: Strategies of Ten Countries ed. Yonah Alexander
(New Delhi: Manas, 2005)
Barabasi Albert Laszlo and Eric Bonabeau, “Scale Free Networks” Scientific American, May 2003
Beyler, Clara “Messengers of Death: Female Suicide Bombers, International Policy Institute for Counter-
Terrorism, February 12 2003, from http://www.ict.org.il/articles/articledet.cfm?articleid=470
Brandon, James “Mount Qandil: A Safe Haven for Kurdish Militants – Part 1”, Terrorism Monitor, 4, 18
Denning, Dorothy “‘Activism, Hacktivism, and Cyberterrorism: The Internet as a Tool for Influencing
Foreign Policy available at http://www.rand.org/pubs/monograph_reports/MR1382/MR1382.ch8.pdf
reached 10 October 2006
Hanneman Robert A. and Mark Riddle, “Introduction to Social Network Methods” ( Riverside, CA:
University of California, 2005), available at http://faculty.ucr.edu/~hanneman/nettext/ accessed on 12
Hoffmann, Bruce “Is Europe Soft on Terrorism”, Foreign Policy, Summer 1999,
Laciner, Sedat “The West and Terrorism: PKK as A Privileged Terrorist Organization”, Turkish Weekly, 14
May 2006 available at http://www.turkishweekly.net/editorial.php?id=29
Martin, Lenore G. “Turkey's Iraq Problem”, Washington Post, September 16, 2006; p. A21
PKK appears to be behind deadly blast, say police, Turkish Daily News September 16, 2006 available at
http://www.turkishdailynews.com.tr/article.php?enewsid=54200 accessed on 25 October 2006
Pape, Robert A., Dying to Win: Thee Strategic Logic of Suicide Terrorism, (New York: Random House,
Skaine Rosemarie, Female suicide Bombers, (North Caroline: McFarland Company Inc.), 2006
Turkish resort blast kills five”, BBC news, 16 July 2006, available at
http://news.bbc.co.uk/2/hi/europe/4688575.stm accessed on 14 November 2006
United States Department of State Office of the Coordinator for Counterterrorism, “Country Reports on
Terrorism 2005” April 2006, available at http://www.mipt.org/pdf/Country-Reports-Terrorism-
2005.pdf accessed 8 November 2006
Gabriel Weimann, p. 5.
Barabasi and Bonabeau, p.65.
E. Çelebi / Analysis of PKK/KONGRA-GEL Websites to Identify Points of Vulnerability 141
Virginia Anderson and Lauren Johnson, Systems Thinking Basics, (Massachusetts: Pegasus Communications
Weimann, Gabriel, Terror on the Internet: The New Arena, the New Challenges (Washington, D.C.:
U.S.Institute of Peace, 2006)
O. Aytaç / Summary of the Working Group Discussions 143
1.2.4 Whole populations: Spam messages might carry the terrorists’ threats into people’s homes
1.2.5 Whole populations: Widely-used systems like traffic lights, rail signalling, etc.
1.2.6 Communication networks
1.2.7 Electricity and power supply
1.2.8 Chemical facilities
It was noted that at present terrorists appear have not mastered the technology
necessary for launching large scale cyber attacks. However, the services of some
‘techies’ are available for hire on the internet. Notably, bot-masters offer to hire out
their networks, which can be used for Distributed Denial of Service attacks.
Furthermore, it is probably only a matter of time before a new generation of terrorists
embraces cyber terrorism.
Question: What measures might disrupt terrorist use of the Internet?
2.1 ‘Noise’. Peaceful interference in a chat-room
2.2 ‘Hack back’ with:
Counter-propaganda, for example by placing links to websites offering
a different message
Changing formulas and recipes in training manuals
Sowing distrust with false messages
2.3 Exploit observed vulnerabilities experienced by the terrorist groups, for example
concerning challenges to authority
2.4 ‘Active defence’ (imposing a penalty on the attacker). Methods exist to put costs on the
perpetrator of an attack
2.5 Censorship. Efforts to censor the Internet are unlikely to succeed, however
2.6 Search engine ban. Cooperation with google, yahoo, etc.
Considerable doubts were expressed by participants concerning intervening in
these ways to disrupt terrorist use of the Internet. There are problems of legality, and it
would be difficult to create a system of warrants. The probability of making mistakes
would be high, and mistakes could easily have violent consequences. Problems might
be created at an international level. Some participants felt that, if such covert attacks
are to be launched, they should be made mainly be volunteers and the private sector,
and ‘governments would take a back seat’.
Question: What measures might be taken to deal with cyber attacks?
3.1 Within government departments and other organizations use different, not off-the-peg,
3.3 Emergency response systems in place, including international mechanisms
3.4 SCADA systems must be made more secure. Security “a factor to be considered over the
144 O. Aytaç / Summary of the Working Group Discussions
entire life cycle of any system that is part of the CII.”
3.5 Countries must build cadres of capable defenders, including national-level CSIRTs
(Computer Security Incident Response Teams).
3.6 The existing Cyber Crime Response Unit to be expanded
first among the G-8 countries
now approximately 35 countries, but more are needed
widen the scope (add cyber terrorism)
3.7 International body under UN auspices
Question: What security measures might protect against cyber terrorism?
4.1 Consequence Management Systems, involving:
4.1.1 Band width availability (coordinate approach with ISPs)
4.1.2 Off-site back-ups
4.1.3 Systems in place to ensure international cooperation
4.1.4 Rapid response to re-build connections
4.1.5 Intrusion detection systems
4.2 Increasing awareness and education (basic security measures like using passwords,
regularly changing them)
4.3 Encouragement of techno-diversity (everybody uses Microsoft)
4.4 Develop more usable security
4.5 Defeat anonymity with electronic signatures. This is technically possible, but there are
ways to avoid detection. It was generally agreed that anonymity is difficult to fight
4.6 ‘Neighbourhood Watch’ schemes to monitor terrorist websites
We were reminded that one hundred years ago there were no civil aviation
conventions, but new technology was followed by effective international legislation
and control. The same could be done to protect cyberspace.