• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
1586038362
 

1586038362

on

  • 17,156 views

 

Statistics

Views

Total Views
17,156
Views on SlideShare
17,156
Embed Views
0

Actions

Likes
0
Downloads
75
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    1586038362 1586038362 Document Transcript

    • RESPONSES TO CYBER TERRORISM
    • NATO Science for Peace and Security Series This Series presents the results of scientific meetings supported under the NATO Programme: Science for Peace and Security (SPS). The NATO SPS Programme supports meetings in the following Key Priority areas: (1) Defence Against Terrorism; (2) Countering other Threats to Security and (3) NATO, Partner and Mediterranean Dialogue Country Priorities. The types of meeting supported are generally “Advanced Study Institutes” and “Advanced Research Workshops”. The NATO SPS Series collects together the results of these meetings. The meetings are co-organized by scientists from NATO countries and scientists from NATO’s “Partner” or “Mediterranean Dialogue” countries. The observations and recommendations made at the meetings, as well as the contents of the volumes in the Series, reflect those of participants and contributors only; they should not necessarily be regarded as reflecting NATO views or policy. Advanced Study Institutes (ASI) are high-level tutorial courses to convey the latest developments in a subject to an advanced-level audience. Advanced Research Workshops (ARW) are expert meetings where an intense but informal exchange of views at the frontiers of a subject aims at identifying directions for future action. Following a transformation of the programme in 2006 the Series has been re-named and re- organised. Recent volumes on topics not related to security, which result from meetings supported under the programme earlier, may be found in the NATO Science Series. The Series is published by IOS Press, Amsterdam, and Springer Science and Business Media, Dordrecht, in conjunction with the NATO Public Diplomacy Division. Sub-Series A. Chemistry and Biology Springer Science and Business Media B. Physics and Biophysics Springer Science and Business Media C. Environmental Security Springer Science and Business Media D. Information and Communication Security IOS Press E. Human and Societal Dynamics IOS Press http://www.nato.int/science http://www.springer.com http://www.iospress.nl Sub-Series E: Human and Societal Dynamics – Vol. 34 ISSN 1874-6276
    • Responses to Cyber Terrorism Edited by Centre of Excellence Defence Against Terrorism, Ankara, Turkey Amsterdam • Berlin • Oxford • Tokyo • Washington, DC Published in cooperation with NATO Public Diplomacy Division
    • Proceedings of the NATO Advanced Research Workshop on Responses to Cyber Terrorism Ankara, Turkey 4–5 October 2007 © 2008 IOS Press. All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, without prior written permission from the publisher. ISBN 978-1-58603-836-6 Library of Congress Control Number: 2008920687 Publisher IOS Press Nieuwe Hemweg 6B 1013 BG Amsterdam Netherlands fax: +31 20 687 0019 e-mail: order@iospress.nl Distributor in the UK and Ireland Distributor in the USA and Canada Gazelle Books Services Ltd. IOS Press, Inc. White Cross Mills 4502 Rachael Manor Drive Hightown Fairfax, VA 22032 Lancaster LA1 4XS USA United Kingdom fax: +1 703 323 3668 fax: +44 1524 63232 e-mail: iosbooks@iospress.com e-mail: sales@gazellebooks.co.uk LEGAL NOTICE The publisher is not responsible for the use which might be made of the following information. PRINTED IN THE NETHERLANDS
    • This page intentionally left blank
    • Responses to Cyber Terrorism vii Centre of Excellence Defence Against Terrorism, Ankara, Turkey (Ed.) IOS Press, 2008 © 2008 IOS Press. All rights reserved. Preface On 4–5 October 2007 the Centre of Excellence – Defence Against Terrorism (COE– DAT) organized an Advanced Research Workshop (ARW) on the topic “Responses to Cyber Terrorism”. The venue was the Merkez Ordu Evi (Central Officers’ Club) in Ankara. This was one of numerous workshops that have been organized each year by COE–DAT, after the Centre was opened in Ankara in 2005. It is the only Centre of Excellence dedicated to supporting NATO on defence issues related to terrorism. Turkey is the framework nation, although at present six other nations also contribute with staff and funds. Through courses, workshops, and academic publications, the aim is to bring western academic rigour and Turkish experience and expertise in terrorism to NATO members, Partnership for Peace (PfP), Mediterranean Dialogue countries, Non-Triple Nations, and others. One issue touched on repeatedly by the participants at the “Responses to Cyber Terrorism” ARW was the difficulty of arriving at a definition of this kind of terrorism. A NATO Office of Security document cautiously defines it as “a cyber attack using or exploiting computer or communication networks to cause sufficient destruction or disruption to generate fear or to intimidate a society into an ideological goal.” 1 But the cyber world is surely remote from what we recognize as terrorism: the bloody attacks and ethnic conflicts, or, more precisely, the politically-motivated “intention to cause death or serious bodily harm to civilians or non-combatants with the purpose of intimidating a population or compelling a government …” (UN report, Freedom from Fear, 2005). It is hard to think of one instance when computer code has physically harmed anyone. Yet a number of our speakers, in particular Prof. Goodman and Lt. Paul Everard, showed that we should be preparing for just such events, potentially on a huge scale. Here we are talking about attacks on critical infrastructure, in particular on SCADA (Supervisory Control and Data Acquisition) systems which control physical processes in places like chemical factories, dams, and power stations. Focus on Solutions At the planning stage of the ARW it was agreed that the workshop would bring together people from a range of disciplines, from information technology researchers and lawyers, to terrorism and security experts. The title “Responses to Cyber Terrorism” was chosen in order to put the onus on the discussion of practical solutions, and in some respects the meetings of the Working Groups were as important for achieving the goals of the ARW as were the plenary sessions (see the last chapter on the “Account of the Working Group Discussions”). Accordingly, the speakers all gave time in their presentations to the issue of ‘responding’ to terrorism in cyberspace. 1 Cited from Lt. Paul Everard’s chapter on “NATO and Cyber Terrorism”.
    • viii Overview of the Workshop Papers In the introductory, first chapter of the ARW (see the chapter on “The History of the Internet”), Clare Cridland notes that the Internet was originally developed in the U.S. for military purposes. With ARPANET, the Defense Advanced Research Projects Agency (DARPA) created a network for sending packets of information with no central hub, so that communications could be more resilient during a devastating war. The idea of security was, therefore, part of the original idea of the internet. However, an entirely different ethos took over after the US Department of Defense relinquished the project to the burgeoning computer and software companies in the 1990s. The architects of the worldwide network saw it, and wrote of it, in terms of the centuries-old struggle for freedom of thought and expression. Clare Cridland’s description of the internet also evokes this theme: “New media in the early 21st century is a participatory, user-driven information environment, far from the linear platform of the mass media that delivered information through a ‘gatekeeper’ to a passive mass audience. These outlets … were capital intensive and … somewhat privileged. In contrast, new media, driven by technological change in telecommunications, has undermined this sphere of knowledge ownership … However, we’ve been here before. ‘Counter-culture’ always used ‘grassroots media’ (folk songs, posters, leaflets, public meetings) rather than the more traditional mass media of radio and television to message audiences.” Contrast this triumph of the common people, then, with the altogether more pessimistic comments on the freedoms the internet offers by Prof. Seymour Goodman in the third paper of the ARW (see his chapter “Critical Information Infrastructure Protection”). Prof. Goodman is the chairperson of the Committee on Improving Cyber Security Research at the National Research Council, advising the U.S. Congress. Much of what the professor had to say, and this was reflected also in the Working Groups of the ARW, had to do with the vulnerabilities in the globalized net to abuse by terrorists, and the need for CIIP (Critical Information Infrastructure Protection). It is clear that the “current technology asymmetrically favours the attacker, and provides them with great non-linear leverage. The attackers can put their innovations into practice more quickly and effectively than the defenders.” However, when much of the network is outsourced, or owned by companies in a variety of countries, defence is left to the end user. As Seymour Goodman writes, “most of the 200-plus connected countries have little or no national cyber security capabilities.” The users are often unaware of the seriousness of the risk. Frequently networks controlling important infrastructure are not ‘air-gapped’, or separated, carefully enough from the worldwide internet. If one employee’s computer is not air-gapped, perhaps due to negligence, this is enough to create the route for a determined and skilled attacker to gain entry to the whole system. Professor Goodman’s chapter in this book also contains a wide range of recommendations for national and international action. He begins with general measures, which would be equally relevant to protection against accidents, disasters, crime, or different forms of conflict than terrorism. Emergency response systems, including ones with an international dimension, must be in place; SCADA systems must be made more secure, with security as “a factor to be considered over the entire life cycle of any system that is part of the CII”; and countries “must build cadres of capable defenders” including national-level CSIRTs (Computer Security Incident Response Teams).
    • ix On the issue of legal measures against cyber terrorism, Seymour Goodman mentions the need for international conventions, as well as effective national laws. The conventions would relate to three areas: crime and punishment, infrastructure protection, and arms control. In each case he gives examples already in place which could guide developments in combating cyber terrorism. Among these, the agreements on civil aviation are the best model for developing a similar legal and institutional framework for CIIP. However, it will be difficult to gain acceptance for a CIIP convention, especially as every country would have to sign up, otherwise measures protecting the network could simply be by-passed. Such a convention could be under the umbrella of the UN, and it would involve the creation of an organization to build and certify national capabilities. Phillip Brunst’s paper (see the chapter “Use of the Internet by Terrorists”) is a highly analytical overview of the subject. This kind of paper is highly valuable for those considering an appropriate legislative approach to combating terrorists’ use of cyberspace. The overview covers both of the distinct aspects which emerged at the ARW: cyber terrorism proper, and the issue of terrorist use of the internet for communication, propaganda, researching targets, etc.. After discussing the advantages of cyber attacks for the terrorist (anonymity, low cost, etc.), types of cyber attack are analyzed. In general, attacks on IT systems may take the following three forms: (1) Hacking attacks on individual systems, (2) Denial of Service (DoS) attacks, usually by bombarding a computer with messages so that it cannot process anything else, and (3) ‘hybrid attacks’ which combine one or both of the above with a conventional terrorist attack like a bombing. (1) Hacking can be further analyzed into three types. The hacker can shut down a computer, although here the administrator can usually recognize the problem and restore the system rapidly. There are also so-called ‘defacements’, which alter the information on the victim computer. Typically these are easily recognized, especially if a hacker places a notice saying “you have been hacked by …”. Potentially more disruptive are defacements which subtly change figures or other information. Thirdly, there is the possibility of introducing ‘Trojan horse’ programmes. These are silent operations, and aim to pass undetected by virus scanners. They gather data from the target computer (typically bank details in cyber crime) and relay it to the hacker. (2) Distributed Denial of Service (DDoS) attacks are an effective way of putting computers out of action for a period of time. DoS attacks bombard a computer with vast numbers of messages, occupying all its processing capability. ‘Distributed’ attacks make use of worldwide networks of computers (so-called ‘bot-nets’, from their use of ‘robot’ software) infected with a virus which allows them to be ‘zombies’ controlled by a ‘bot-master’. These viruses have become very common. Terrorists would not have to control such systems. The services of a bot-net, typically used for mass mailings, can be hired for prices ranging between 150–400 US dollars per day. (3) Hybrid attacks combine one or both of the above with a conventional terrorist attack. For example, a terrorist group might combine a bombing with a DoS attack to hamper the work of the emergency services. Terrorists might also target the physical hardware of IT communications, like the ‘bundles’ of cables, or the so-called ‘peering points’. All the above types of attack would harm IT data and lead to economic losses. A more fatal kind of cyber attack is now discussed in security circles, namely attacks on
    • x the newly-developed SCADA systems, which usually run on well-known operating systems like Windows. Many companies now use SCADA systems to monitor and control production or supply processes. It is clear that, if such a system is hacked, there is a considerable danger of the kind of loss of life associated with ‘conventional’ forms of terrorism. Phillip Brunst recommends measures to encourage companies to invest more in security. Secondly, referring to Article 35 of the CoE Convention on Cyber Crime, he sees a need for the establishment of designated communication paths within countries and between countries to fight digital attacks. On the issue of the terrorist presence on the internet, he sees efforts to block terrorist communications as bound to fail. These communications should be monitored for intelligence (compare the chapters by Prof. Gabriel Weimann and Yael Shahar). Lt. Paul Everard attended the workshop to represent the NATO Computer Incident Response Capability at the alliance’s European Headquarters in Belgium. His presentation (see the chapter “NATO and Cyber Terrorism”) is an introduction to cyber terrorism and the defensive measures NATO is taking. Lt. Everard begins by giving numerous illustrations of cyber attacks to show what directions cyber terrorism might take. There was the dramatic hacking of a SCADA system controlling sewage in Queensland, Australia: “Symantec research highlighted an Australian case where a disgruntled ex-employee, Vitek Boden, hacked into a computerized waste management system in Maroochy Shire and caused millions of litres of raw sewage to spill into local parks, rivers, and even the grounds of a Hyatt Regency hotel in March 2000.” If terrorists could replicate the destructive effects of the ‘Slammer Worm’ of January 2003, they would score a great success in their terms. This computer worm spread across the world in a matter of minutes, and the resultant disruption of banking, airline, infrastructure and emergency services had a high economic cost. Lt. Everard notes that “the safety monitoring system at a nuclear power plant was disabled for a combined period of eleven hours.” Paul Everard then focuses on the attacks that have been directed at NATO, including attacks from Chinese hackers after NATO bombed the Chinese embassy in Belgrade (1999), and a distributed attack on the NATO mail server on 09–10 August 2006, when “the attack was stopped by re-configuring the mail server to respond correctly to the attempted e-mail relay traffic.” The organization has therefore long been aware of its vulnerability to cyber attacks. It generally uses ‘off the shelf’ software, the vulnerabilities of which are well known to potential hackers. Also, “although NATO’s internal networks are supposedly separated from the internet, documents, messages and other data are being uploaded onto the internal network constantly.” With the approval of the North Atlantic Council, the NATO Computer Incident Response Capability was added to InfoSec after 9/11. At present there is an Intrusion Detection Systems project which will be at full operating capacity in 2008. The Prague Summit of 21 November 2002 was attended by the leaders of NATO countries, who signed a commitment to “strengthen our capabilities to defend against cyber attacks”. The paper concludes that providing security can be seen in terms of the following cycle: (1) Protect: this involves ‘system hardening measures’, and anti-malware support for NATO projects. (2) Prevent: this means assessing and notifying vulnerabilities, as well as conducting training and awareness-raising. (3) Detect: using intrusion detection systems twenty-four hours a day, and checking incoming mail. (4) Respond: the teams
    • xi must be ready to respond to incidents at any time of the day or night. (5) Recover: a recovery support service must be present, or available on-line, to ensure minimal disruption. Both this NATO presentation, but particularly that of Ms Reet Oorn of the Estonian Informatics Centre, Tallinn, referred to the massive DDoS attacks on the Estonian government and institutions in April – May 2007. Ms Oorn gives a fascinating eye-witness account of how the Estonian government fought back against the attacks, when they were able to considerably increase their band width of their computers (see the chapter, jointly written by Ms Reet Oorn and Ms Eneken Tikk, on “Legal and Policy Evaluation: International Coordination of Prosecution and Prevention of Cyber Terrorism”). The Estonians showed a united front, as government equipment was supplemented by that of private sector companies. Ms Oorn illustrates with detailed graphs and discusses the results of the assessment conducted by her Informatics Centre. These showed that the attack was in two phases: an initial phase of attacks was on a small scale, and seemed to be designed to test the limits of the target computers. These attacks were associated with the 09 May WWII victory anniversary important to pro-Russian Estonians, who were already protesting violently about the prime minister’s decision to remove a statue commemorating Russians heroes. The second phase was much more professionally organized, and hours of bombardments by bot-nets had clearly been purchased. In terms of the success of the attacks, it is generally agreed that Estonia, which has some of the highest figures of internet use in the world, survived well. Two of the biggest banks in Estonia came under heavy DDoS attacks, and on-line services were unavailable for several hours. Attacks were also performed against critical routers at the Internet Service Providers level, and this disrupted the government’s internet-based communication for a short time. Some government websites experienced temporary loss of service. Two speakers at the ARW addressed the issue of whether legal controls can be imposed on the internet. However, Ms Eneken Tikk (Faculty of Law, Tartu University, Estonia), unlike Seymour Goodman, does not expect much of the UN: “One could argue that the method of developing legal instruments that the United Nations has used fails because it is too focused on building a consensus about … existing methods used by terrorists. It cannot lead the fight against new methods (such as cyber terror). Thus, we might consider using the United Nations experience as an argument to avoid an overly reactive (rather than proactive) approach …” (see the chapter, jointly written by Ms Reet Oorn and Ms Eneken Tikk on “Legal and Policy Evaluation: International Coordination of Prosecution and Prevention of Cyber Terrorism”). The Estonians’ paper contains incisive comments on the main legal instruments concerning cyber attacks, relating these especially to terrorism. These address the Cyber Crime Convention (ETS No. 185), which, with the Convention on the Prevention of Terrorism (CETS No. 196), is “the most important international instrument for fighting cyber terrorism and other terrorist use of the Internet.” However, not enough states are party to this agreement, weakening it considerably. Also, “serious threats to commit terrorist acts are not adequately covered either by this Convention … this Convention should be evaluated with regard to its ability to cover technological advances, particularly in the area of forensic investigative techniques (such as online searches or the use of key logger software). In the fast-paced technological environment of cyber crime, such evaluations, which frequently lead to revisions and
    • xii updates, are an absolutely normal process, especially when dealing with high risks such as those posed by terrorism.” In general, as with the other lawyers at the Workshop, Ms Tikk warned that attempts at legal control of the Internet might lead to infringements upon civil liberties. However, perhaps with the attacks on Estonia in mind, which led to almost no prosecutions, she adds: “Should a decision to amend the Convention be taken, the possibility of excluding the political exception clause for some of the Convention’s offences might also be considered, especially in serious cases of data and system interference.” The paper also gives details of amendments to the Estonian Penal Code, designed to strengthen the hand of prosecutors if similar attacks come. Estonian politicians have an initiative at the EU level to amend the Framework Decision on Attacks against Information Systems 2005/222/JHA. One other discussion of international law is offered by Police Superintendent Dr. Süleyman Özeren. His paper (see the chapter “Cyberterrorism and International Co- operation: General Overview of the Available Mechanisms to Facilitate an Overwhelming Task”) discusses definitions and typologies of cyber terrorism. There is a consideration of which of the available international organizations might most effectively achieve “consensus-based, concrete, result-oriented co-operation”. The papers mentioned so far examine cyber terrorism in the proper sense of the term, and how to respond in terms of technology, awareness, and legal/political measures. However, there is also the related question of responding to the terrorist presence on the internet (so-called ‘terrorist contents’). Here the internet is not a weapon, but an important tool for terrorists’ communications (co-ordination, training, recruiting), and information gathering on the targets of planned attacks. The COE– DAT Workshop included four fascinating papers on terrorist contents. An undoubted expert on terrorist websites is Prof. of Communication Gabriel Weimann, who from an early stage has been archiving literally thousands of terrorist websites, from al-Qaida to FARC, and Hizbullah to the PKK (see the chapter “WWW.AL-QAEDA: The Reliance of al-Qaeda on the Internet”). This project, based at Haifa University, brings many different analytical approaches to bear on this material, including link analysis, participant observation, language analysis, and case studies. Prof. Weimann’s paper reports on his project, with colourful illustrations from the world of terrorist websites. The professor shows how, since 9/11, al Qaeda operatives sharpened their internet skills and increased their web presence. When the Americans drove al-Qaida from its camps in Afghanistan, the organization was dispersed and forced to retreat into cyberspace. As Gabriel Weimann shows, they now make extensive use of the internet, to the extent that they even rely upon it. Also giving the ARW an account of a terrorist organization’s use of the internet, Capt. Erdo an Çelebi has built up a wealth of knowledge, and uses a high-tech approach, in his research on the terrorist Kurdistan Workers’ Party (PKK) (see the chapter “A Case Study: the PKK and Cyberspace”). This is an exemplary study, showing the amount of information that can be gathered from the Internet concerning a single organization. It shows that the PKK has created, or is closely linked to, thirty- eight websites. In addition to data and analysis, the paper gives some indication of the style of the websites, and the way the PKK seeks to present itself to its various audiences.
    • xiii Of particular interest is that fact that Erdo an Çelebi uses Ucinet software to conduct various kinds of link analysis of the PKK-related sites. This technology provides a method for demonstrating which sites were used by PKK leaders in the field, and which are the main sites which propagate their message. This may have practical applications: “Taking out these hubs will make the rest of the network individual islands that have no connection to the others. The question in terms of counter terrorism agencies is how many of these hubs have to be taken down to crash the whole network.” Other papers based on the phenomenon of ‘terrorist contents’ sought to give, in my view, very contrasting practical responses. Yael Shahar, of the Institute for Counter Terrorism in Herzliya, Israel, spoke on “The Internet as a Tool for Intelligence and Counter-Terrorism”. Yael Shahar notes that “The jihadi online presence is literally the physical brain of the global jihad movement. The very openness and accessibility of this medium provides the intelligence community with a wealth of material for foundation intelligence and analysis.” Arguing that we should ‘tune in’ to, not try to shut down, these communications, she pointed out that much can be learned from analysis of websites and chat-rooms about the enemy’s situation, plans, and also weaknesses. Shahar is also interested in exploiting these weaknesses for counter-terrorism purposes, using the legally-shady method of ‘hacking back’, exploiting the same anonymity and access from which the terrorists benefit. She reveals an armoury of sowing dissent, countering propaganda, and secretly altering instructions on websites. By contrast, Dr. Katharina von Knop proposes an open source response. Instead of concentrating on breaking down the structures created by the enemy, here is a proposal to build a new counter-structure. Her discussion paper (see the chapter on the “Institutionalization of a Web-focused, Multinational Counter-terrorism Campaign – Building a Collective Open Source Intelligent System”) focuses on the organizational and management issues surrounding such a system. As she writes: “There is an intense need to work on new solutions to develop effective and efficient counterterrorism measures that follow the democratic process, values and freedoms. Knowledge discovery, data mining techniques and data fusion play a central role in improving the counter-terrorism capabilities of intelligence, security and law enforcement agencies. … Having all the challenges in mind, this article will focus on the most important and highly sensitive one, international cooperation. This contribution … highlights the most important factors towards the development and institutionalization of an international interagency collective open source intelligent system regarding the threat of Islamist terrorism.” Dr. von Knop points out that, if such a co-operative campaign is to succeed, it will need to be arranged in an innovative and flexible way: instead of a hierarchical organization, there would be a network, and knowledge would be pooled. There would be committee management, and a credit point system. Governments would be allowed to use the resource only to the extent that they contribute good quality information and analysis. The Collective Open Source idea is a well thought-out response to the challenge of organizing international cooperation regarding terrorist contents on the Internet. It is a cause for optimism that the speakers, coming from a variety of backgrounds, presented so many practical ways in which to respond to the problem of cyber terrorism. A vital next step is for the experts, with the support of governments and international organizations, to agree on priorities and methods and to implement a common strategy.
    • xiv Participants at the conference gained, perhaps, an impression of the form the discussions between experts might take from the Working Groups that met at the end of each day’s presentations. The answers that emerged from the Groups are compiled in the last chapter of this book (see the “Summary of Working Group Discussions”). Osman Aytaç, Col. ARW Director
    • xv Contents Preface vii Osman Aytaç The History of the Internet: The Interwoven Domain of Enabling Technologies and Cultural Interaction 1 Clare Cridland Institutionalization of a Web-Focused, Multinational Counter-Terrorism Campaign – Building a Collective Open Source Intelligent System. A Discussion Paper 8 Katharina von Knop Critical Information Infrastructure Protection 24 Seymour E. Goodman Use of the Internet by Terrorists – A Threat Analysis – 34 Phillip W. Brunst WWW.AL-QAEDA: The Reliance of al-Qaeda on the Internet 61 Gabriel Weimann Cyberterrorism and International Cooperation: General Overview of the Available Mechanisms to Facilitate an Overwhelming Task 70 Süleyman Özeren Legal and Policy Evaluation: International Coordination of Prosecution and Prevention of Cyber Terrorism 89 Eneken Tikk and Reet Oorn The Internet as a Tool for Intelligence and Counter-Terrorism 104 Yael Shahar NATO and Cyber Terrorism 118 Paul Everard Analysis of PKK/KONGRA-GEL Websites to Identify Points of Vulnerability 127 Erdoğan Çelebi Summary of the Working Group Discussions 142 Osman Aytaç Author Index 145
    • This page intentionally left blank
    • Responses to Cyber Terrorism 1 Centre of Excellence Defence Against Terrorism, Ankara, Turkey (Ed.) IOS Press, 2008 © 2008 IOS Press. All rights reserved. The History of the Internet: The Interwoven Domain of Enabling Technologies and Cultural Interaction1 Clare CRIDLAND Ministry of Defence, Whitehall, UK Abstract. The development of the internet is much more than a story of technological achievement: it is about social change. It is not only a history of the accessibility of interconnected computers and user-friendly software, but also of a technological revolution. The internet has enabled the democratisation of information sources away from the elites of the mass media and institutionalised politics into the hands of active, assessing audiences. This paper will address both the technological and social change that the internet has brought about. It will describe a brief history of technological development of what is now readily known as the internet, including some of the more popular software applications associated with it. I will then briefly look at the main issues of social interaction on internet platforms and how information sources have changed. Finally, I shall make some observations on what the future of the internet may be. Keywords. Internet, culture, information society, democratisation of information, mass media, telecommunications Technological Development The history of the internet is actually a component of the history of mass telecommunications. This started in 1837 with Samuel Morse’s invention of a telegraph transmitter and receiver. After five attempts at a trans-Atlantic communications cable, 2 in 1866 the foundations were set in place for near-instant communication between nation states, which would essentially compress their geographical distances. For computer hardware, it was over a hundred years after Morse’s invention that the first semi-programmable computer, known as ‘Colossus’ (which was the size of a small office), was built for code-breaking activities in the UK at Bletchley Park during the Second World War. 1 Note: The basis for this paper is a speech given by the author to the Information Operations Europe conference in London, June 2007, entitled ‘New Media and Technology Analysis for IO: Moving with the Times’. 2 The first cable which gave tangible results was in 1858. It was destroyed by an attempt at sending a message more quickly than was the norm and the higher voltage burned out the wire.
    • 2 C. Cridland / The History of the Internet What brought the two technologies together was a project run by the US Department of Defense’s Advanced Research Projects Agency (DARPA), which focused research into computer connections and mass communications technologies. In 1968 DARPA called for tenders for a project called ARPANET, a system to connect computers and transfer data ‘packets’ between them. Before this time, connections concerned circuit switching as opposed to data transferral. The concept of interconnected computers and some of the technologies supporting a network had been devised a few years earlier. In 1964, the RAND Corporation looked into a communications network that could link cities, states and military establishments. The core issue was that the network had no central hub of authority and so could be more resilient during a third ‘total war’, a war which, in the 1960s, was expected to include the use of nuclear weapons. After ARPANET’s first public demonstration in 1972, the service grew over the following 18 years to connect new institutions, run email, newsgroups and limited international communication. However, ARPANET was still very much an institutionalised communication network. Running in parallel, similar academic networks elsewhere in the world generally remained independent, constrained by the inhibitive cost of international data connections. Meanwhile, in the public domain, computers were generally only employed on routine work within companies or as game players in homes. It wasn’t until the 1990s that the internet in its current form evolved. Organisation of such a vast amount of data was becoming a key issue. Technical solutions, such as the Domain Name System (DNS), transformed hard to remember internet protocol numbers into easy to remember names. The Defense Data Network – Network Information Center handled all registration services, including the top-level domain addresses such as .mil, .org and .gov. Only in 1992, as non-defence and public access grew, did the US Department of Defense stand back from the internet and passed registration over to civilian contractors. In the 1990s, the use of and applications available on the internet grew at an astonishing rate, assisted by improving telecommunications infrastructure. With it came the requirement to regulate protocols and domains to manage the enormous increase in information. Bulletin Board Systems (BBS) were popular: a system where users’ computers that were attached to modems left messages for reply on servers. Hypertext, a concept dating from 1945, had been used in various networks as a method of organising information. But the real starting point for what became know as the World Wide Web (WWW) was in 1993 through the development of graphical browsing – a web browser. Over subsequent years, numerous web browsers were in place, and the directory system of information sources was generally replaced by search engines that browsed for the most relevant sites. Essentially, the internet was evolving into a popularity contest between sites rather than a library or directory. Innovation and market-led economics that drove a consumer appetite for new technology played important roles in the development of the internet. Devices became smaller in size and even portable, but also became larger in data storage and processing capability. Prices of equipment and telecommunications costs steadily fell, making devices more accessible to the public. Applications were being developed in two ways, both top down by large software development companies, but also bottom up from intensive personal users. It was this participatory culture of technological development of the World Wide Web that brought about the largest changes in how the world received its information.
    • C. Cridland / The History of the Internet 3 Democratisation in the ‘Information Society’ The revolution will not be televised – Gill Scott Heron3 Pre-dating the internet, newsgroups and e-mail gave users the ability to exchange information and pass it around without the need for a filter or mediator. As the internet grew, so did the sources of information available to users. This ‘source bombardment’ has had a number of consequences for the traditional mass media of print and broadcasters, as well as the actors who use it (such as politicians and advertisers). The vast number of information sources available to an internet-enabled society has seen a dilution of a single mass audience into multi-source, self-assessing segments. New media in the early 21st century is a participatory, user-driven information environment, far from the linear platform of the mass media that delivered information through a ‘gatekeeper’ to a passive mass audience. These outlets – radio, television stations and newspapers – were capital intensive and subject to varying levels of government or government-inspired intervention or regulation. Information ownership in the mass media was, therefore, somewhat privileged. In contrast, new media, driven by technological change in telecommunications, has undermined this sphere of knowledge ownership and the singular authority of mass media companies. As a result, content ownership is becoming more complex. Bloggers and websites present information in new forms from traditional, mass media sources that they can link back to other websites. Widely available (and easy to use) editing software means images and sounds can be edited into something completely different and re-published in their new form. Downloading music and movies from site to site is an ongoing challenge to copyright holders, just as copying (or ‘pirating’) music to audio cassette once was, but the scale of the global proliferation of copying is unprecedented. However, we’ve been here before. ‘Counter-culture’ always used ‘grassroots media’ (folk songs, posters, leaflets, public meetings) rather than the more traditional 4 mass media of radio and television to message audiences. The alternative sources now residing on the internet are merely offering new platforms to the old grassroots, and potentially giving them a global audience. Arguably, the growth in the popularity of alternative sources is also driven in part by the demise of the large audience once afforded to the mass media. In the UK, circulation figures for the national newspapers have been in a general decline since the 1950s, and television audiences are regularly no higher than eight million for the most popular programmes, a fall of nearly ten million in the past twenty years. Academics cite a number of reasons for this demise, from the availability of multi-platform satellite and digital television stations that fracture the audience into smaller viewing groups, to a perception that the content of the mass media is serving the interests of advertisers and financial backers as opposed to audiences. 3 Heron’s song lyric became the title of the memoirs of Joe Trippi, the campaign manager of 2004 US Presidential candidate Howard Dean. Trippi used a number of new media and grassroots platforms to promote and raise money for Dean’s campaign. 4 From Jenkins, 2006.
    • 4 C. Cridland / The History of the Internet On-line Strategic Communications – A Bowl of Noodle Soup The internet has enabled self-publishing, which means governments, companies, special interest groups and individual members of the public have – in theory at least – an equal voice. It is a place where narratives and counter-narratives compete for attention, and a place where conspiracies unwind without media filtration. Equally, the power of message interpretation is no longer with the mass media ‘gatekeepers’, but with personal members of an audience. Both have significant consequences for anyone engaged with public messaging. Messages are now available multi-platform, being sent as digital audio, text or instant messaging, to a number of static and portable devices. These can be sent simultaneously from a single source to different receivers, or as unconnected multiple sources. One no longer has physically to visit websites to gain information. Really Simple Syndication (RSS) feeds can lead users, once they have subscribed to the feed, not needing to visit a website at all. Memes (a term originally coined by a biologist and evolutionary theorist to describe how cultural information propagates between minds), are items that spread quickly across the internet via virtual word of mouth and self- publishing. Meme tracker sites, such as ‘techmeme’ and ‘tailrank’, track the most popular items on the internet. The information age is like a bowl of noodle soup – a mass of communication strands from sender to user floating in a soup of information. A user takes one strand at a time, maybe several, depending upon how big the user’s fork is. The vast array of sources means the audience, unable to digest them all at once, is now self-selecting within their own agendas. Separating and recognising fact from an author’s opinion is just one of the issues facing information consumers. Audiences are constructing individual hierarchies of sources. Some place their trust in the information received from mass media outlets over a blog or chatroom; for others, the hierarchy is different, putting information gained from virtual contact above that of the mass media. This is an evolving area of understanding, but it stems from what sources are perceived to be important on which subjects to which members of the audience. Local events in my street are important, but I wouldn’t find them reported on a national radio bulletin (unless the event was particularly serious). Similarly, timely news about my extended family elsewhere in the world would be achieved through telecommunications – hearing and seeing them via the internet, perhaps – not through the channels of the mass media. Arguably communications has always been thus, but the connected environment has changed perceptions of what events are now important to us. Time Space Compression The speed of information is wondrous to behold. It is also true that speed can multiply the distribution of what we know to be untrue. – Edward R. Murrow Advances in telecommunications means that multiple channels and democratic information is travelling faster across greater distances: geographical place is no longer relevant. As audience members pick and choose their credible sources, nation- statehood may not enter the equation as credible boundaries to information or
    • C. Cridland / The History of the Internet 5 communication control. The popularly of social networking is that friends in a physical space (such as a school or workplace) can keep in touch virtually when they are geographically separated. The mass media news agenda, too, ‘chases the sun’ across the globe, with global outlets setting the day’s agenda in Australasia and chasing the rising sun across the continents into the Americas. Indeed, searching the front page of Google News at 0900GMT is more likely to consist of stories from Asia than if one visited the site at 1800GMT when North American stories dominate. As Will King of CNN once said, ‘it’s always prime time somewhere’.5 This is compounded by devices that converge new media platforms, such as a mobile telephone with an embedded camera and an e-mail capability. Information can be supplied instantly in a number of formats (or ‘cross-platform’). For the mass media and those engaged in message campaigns, dominant narratives on traditional platforms are challenged by alternatives at the same speed – in many cases, faster. Uploading a message into the public sphere of the internet is now instant and it will be only a matter of time before the quality of pictures improves to mass-media broadcast standard.6 The opposite of speed is also true. Information now has greater longevity in the new media sphere through archiving and smart searching (the so-called ‘long tail’). In the media and public sphere, after an initial burst of activity a piece of information is replaced by new pieces of information and generally forgotten as the day progresses; accessing certain platforms on the internet means that the first piece of information can live on, and even re-emerge into the public sphere. Terrorist Use of the Internet What of terrorists, extremists and criminals and their use of the internet? I argue they use the technologies available to them in the same way as any other group on-line. Recruitment, fundraising, the promulgation of ideologies and ideas, through to planning, co-ordination and publications are equally valid for a charity organisation or a workplace as for a group engaged in criminal activities. Fear of what opportunities the internet could provide a criminal is a similar fear which was afforded to telephones, radio or television in their early inceptions (Furedi, 2006). For instance, the development of television during the late 1930s in the UK was put on hold until the end of the Second World War. What the internet and mass communications have changed is the ease of accessibility to broadcast messages to disparate audiences. The Future of the Internet Globalisation, as defined by rich people like us, is a very nice thing… you are talking about the internet, you are talking about cell phones, you are talking about computers. This doesn’t affect two-thirds of the people of the world. - Jimmy Carter 5 Cited in Campbell, 2004. 6 Arguably, some mass media outlets are willing to take a loss of picture quality over the immediacy or alternative narrative of a story. This is illustrated by the UK broadcast media’s almost regular use of mobile telephone pictures from witnesses and CCTV pictures.
    • 6 C. Cridland / The History of the Internet There are a number of scenarios that could affect the internet in the years to come, ranging from flourishing success to collapse. Technological change will continue to drive development, but so will government legislation and economics. There are parts of the world where the national infrastructure is undergoing change and development, from the availability of the one hundred-dollar laptop to digitisation and broadband. The world use of the internet is still in the minority, at only 17.8% in June 2007 (around 1.1 billion people), but that is an increase of some 225% since 2000.7 Regulation and censorship of the internet will shape its future architecture. The trans-national nature of global communications has proven difficult for nation states to govern, and even the supranational European Union’s collective legislation of television in the new multi-platform environment has been problematic. National constraints in one country do not necessarily hold true in another, which may lead to not one internet, but several running in parallel and operating with varying degrees of filtering and censorship. Economics is also a key influence. Disposable incomes in developed countries have generally driven the internet’s guises, and should financial buoyancy begin to slow or reverse, then the buying power of consumers may also slow down and the take- up of converged devices or higher speed telecommunications may reduce. The physical infrastructure of the internet could also be at risk. As users become ever more reliant on networked computers in everyday life, telecommunications, power supplies and hardware resilience become prime targets for hacking. An earthquake knocked out an underwater telecommunications cable – and, therefore, the internet – to parts of Japan for nearly a week earlier in 2007. Unreliable infrastructure has stifled the development of the internet in many parts of the world, particularly in rural regions, and such problems could be its undoing. Catastrophic failure of the internet could also come from within as a malicious code or virus may be so virulent as to close down servers or cause large scale communications damage. Conclusion After its beginnings as a tool to support the war fighter and assist civilian resilience, the commercial incarnation of the internet and its supporting technologies has been a significant driver of enormous technological change across the world. Many academics judge these changes to be the most extensive since the invention of the telegraph. There is now a generation of people who have not known a time without the internet as part of their information space. We live in a congested, self-selecting media environment. The public sphere has grown beyond recognition, giving individuals and groups greater opportunities to communicate directly to a target audience. But there is still a legitimate role for the multinational conglomerate mass media. Surveys in 2006 have shown ‘traditional’ media sources are considered to be more credible than new media sources, although some argue that this position is continually eroding. Additionally, such organisations are one step removed from the content that appears on-line, instead the businesses own the platform, the host site and the telecommunications providers. Traditional mass media is not in a twilight age, but we 7 Internet World Stats from June 2007, accessed from http://www.internetworldstats.com. The highest penetration of the internet into a population is in North America, Australasia and Europe. The largest number of users is in Asia, Europe and North America.
    • C. Cridland / The History of the Internet 7 live in a noisy message environment, and the internet is forcing all of us engaged in delivering and consuming messages to be somewhat more selective about the ones we wish to influence us. References Campbell, V (2004), Information Age Journalism, London, Arnold Freedman, D (2006), ‘Internet Transformations: ‘old’ media resilience in the ‘new media’ revolution’ in Curran, J. and Morley, D (eds), Media and Cultural Theory, London, Routledge, pp 275-290. Furedi, F (2006), Culture of Fear Revisited, London, Continuum Kember, S (2006), ‘Doing Technoscience as (‘new’) media’ in Curran, J. and Morley, D (eds), Media and Cultural Theory, London, Routledge, pp 235-249 Jenkins, H (2006), Convergence Culture, New York, New Yorkshire University Press Nacos, B (2007), Mass Mediated Terrorism: The Central Role of the Media in Terrorism and Counterterrorism, 2nd edition, Lanham, Rowman & Littlefield Ryan, J (2007), Countering Militant Islamist Radicalisation on the Internet: A User Driven Strategy to Recover the Web, Dublin, Institute of European Affairs Quotes from http://www.brainyquotes.com
    • 8 Responses to Cyber Terrorism Centre of Excellence Defence Against Terrorism, Ankara, Turkey (Ed.) IOS Press, 2008 © 2008 IOS Press. All rights reserved. Institutionalization of a Web-focused, Multinational Counter-terrorism Campaign – Building a Collective Open Source Intelligent System A Discussion Paper Dr. Katharina von Knop George Marshall Center, Germany Abstract. When we turn our attention to the fast-growing Internet activities of various radial and terrorist entities, there is an intense need to work on new solutions to develop effective and efficient counterterrorism measures that follow the democratic process, values and freedoms. Knowledge discovery, data mining techniques and data fusion play a central role in improving the counterterrorism capabilities of intelligence, security and law enforcement agencies. The broad diversity of potential sources of web-based and web-focused attacks, our reliance on information systems that are inherently insecure, and the international dimension of both cyber attacks and governmental responses raise a host of complicated policy questions and cultural challenges for governmental security institutions. These include how best to improve the state of cyber security: what can be done to improve international interagency cooperation on stemming cyber crime and preventing and responding to cyber terrorism; and cyber warfare. Having all the challenges in mind, this article will focus on the most important and highly sensitive one, international cooperation. This contribution, written in the style of a discussion paper, highlights the most important factors towards the development and institutionalization of an international interagency collective open source intelligent system regarding the threat of Islamist terrorism. Keywords. Counter-terrorism, cyber terrorism, cyber security, international co- operation 1. Introduction Continental Western Countries are very concerned about the threat of terrorism, not least since several attacks have occurred on our continent since 11 Sept 2001, and many more have been prevented. But we are also very aware that one aim of terrorists is to undermine our democracy, the rule of law and our human rights. Many continental western countries have only recently acquired the democratic system and as such the democratic values and freedoms which have been achieved are highly vulnerable. On the other hand, the continental countries and their security institutions notice a growing
    • K. von Knop / Institutionalization of a Web-Focused, Multinational Counter-Terrorism Campaign 9 Islamist radicalization in recent years.1 Intense investments have been made to prevent classical terrorist violence but the western countries remain highly vulnerable to cyber attacks against the computer networks that are critical to national and economic security. The growing complexity and interconnectedness of these infrastructure systems, and their reliance on computers, not only makes them more vulnerable to attack but also increases the potential scope of an attack’s effects. The fear which has prompted the governments to pump significant resources into protecting the critical national infrastructures (CNI) is that al-Qaeda is determined to use cyber terror to cause damage which leads to loss of life and economic catastrophe. One type of online operational activity is the use of hacking techniques to sabotage Internet sites – what the Islamists term “electronic jihad”. As part of this activity, Islamist hackers attack websites of those whom they consider their enemies with the aim of damaging morale, and they attempt to hack into strategic economic and military networks with the aim of inflicting substantial damage on infrastructures in the West. Many Islamist websites and forums have special sections devoted to the topic of electronic jihad, such as the electronic jihad section in the Abu Al-Buhari forum.2 These developments require effective and efficient counter- and antiterrorism measures. The dry textbook definition of cyber terrorism is terror which is directed at automated systems directly or that uses automated systems to disrupt other critical infrastructure systems that they support or control. Cyber attacks generally consist of directed intrusions into computer networks to steal or alter information or damage the system; malicious code, known as viruses or worms, that propagates from computer to computer and disrupts their functionality; or denial of service attacks that bombard networks with bogus communications so that they cannot function properly. It has to be noted that the motivations for an attack can vary widely: attackers range from hackers bent on proving their skills to others in the hacking community, to criminals stealing credit card numbers, to extortion rings, to foreign intelligence services stealing military or economic secrets, to terrorists or foreign armies wanting to cause widespread damage to the western countries.3 The arsenal of modern weapons that terrorists and other unfriendly entities might someday use to disrupt power grids, gas lines and other parts of the nation’s critical infrastructure includes conventional weapons as well as bits and bytes – in other words cyberterror attacks. The global nature of the Internet and telecommunications networks means that cyber attacks can be launched from anywhere in the world, at low cost, and with incredible speed. With current technology, it is nearly impossible to predict in advance when an attack may begin. There is no longer the luxury of the 20-minute window from launch to landing of a nuclear-tipped intercontinental ballistic missile as there was in the Cold War. Cyber attacks therefore require swift responses and effective cooperation with international counterparts to detect and respond to an attack once it is underway. 1 Ministerie van Binnenlandse Zaken en Koninkrijksrelaties, National Coordinator for Counterterrorism (NCTb), Jihadis and The Internet, 2006. 2 Memri, The Enemy Within: Where Are the Islamist/Jihadist Websites Hosted, and What Can Be Done about It? The Middle East Media Research Institute, Inquiry and Analysis Series, No. 374, July 19, 2007, p. 2. 3 Several nations like the US, Russia and China have already developed cyber warfare or “information warfare” doctrine, programs, and capabilities. Other often cited examples are France, Israel, India and Pakistan. The Defense Department’s Foreign Technology Assessment (FTA) for 2000 suggested that around 25 countries may now have the ability to carry out significant cyber attacks.
    • 10 K. von Knop / Institutionalization of a Web-Focused, Multinational Counter-Terrorism Campaign Potential adversaries like terrorist and organized crime organizations as well as state actors like China4 are looking for the weaknesses in the governmental information infrastructure of the continental countries and mapping out where and how they would mount a cyber attack or how they could “just” use the Internet for their businesses like propaganda, recruiting, data mining, funding etc. In 2002 US officials discovered an al- Qaeda safe house in Pakistan devoted solely to training people for computer hacking and cyber warfare. “Calling it a “cyber academy”, intelligence officials said al-Qaeda operatives gathered information and expertise on the automated systems that control U.S. infrastructure, such as dams and power grids.”5 In June 2006 a hacker penetrated an unclassified Pentagon email system, prompting authorities to take as many as 1,500 accounts offline, US defence officials said.6 “Confidential documents about supervisory control and data acquisition (SCADA) systems, for instance, have been found in al-Qaeda hiding places in Afghanistan, while the Irish Republican Army has said it plans cyber attacks on crucial supply systems.” 7 Scotland Yard has uncovered evidence that al-Qaeda has been plotting to bring down the Internet in Britain. In a series of raids, detectives recovered computer files revealing that terrorist suspects had targeted a high-security Internet “hub”, the headquarters of Telehouse Europe in London.8 For almost two years, intelligence services around the world tried to uncover the identity of an Internet hacker who had become a key conduit for al-Qaeda. The Internet and computer savvy individual, presumably a young webmaster, taunted his pursuers, calling himself Irhabi – Terrorist – 007. He hacked into American university computers, propagandized for the Iraqi insurgents led by Abu Musab al-Zarqawi and taught other online jihadists how to wield their computers for the cause. Suddenly in Fall 2005, Irhabi 007 disappeared from the message boards. The postings ended after Scotland Yard arrested a 22-year-old West Londoner, Younis Tsouli, suspected of participating in an alleged bomb plot. The terrorists who congregate in these cyber communities are rapidly becoming skilled in hacking, programming, executing online attacks and mastering digital and media design – and Irhabi was a master of all those arts. Even if terrorists have not yet demonstrated the capacity to carry out a large scale web-based terrorist attack, that does not mean they have not achieved the necessary level of expertise to do it. This situation is alarming when one considers that we have many thousands of airports, chemical plants, federal reservoirs and of course power plants, most of whose integral systems are operated and controlled by sophisticated computer systems or other automated controllers. The broad diversity of potential sources of attack, our reliance on information systems that are inherently insecure, and the international dimension of both cyber attacks and governmental responses raise a host of complicated policy questions and cultural challenges for governmental security institutions. These include how best to improve the state of cyber security: what can be done to improve international interagency cooperation on stemming cyber crime and preventing and responding to 4 Chinesische Trojaner auf PCs im Kanzerlamt, in: Spiegel Online, http://spiegel.de/netzwelt/tech/0,1518,501954,00.html, 25.08.2007. 5 Rick White and Stratton Sclavos, Targeting our Computers, in: Washington Post 15.08.2003, pg A. 27. 6 Correspondents in Washington, Pentagon Email hacked, in: Australian IT, 22.06.2007, http://www.australianit.news.com.au/story/0,24897,21948818-15306,00.html 7 Blau John, The Battle against Cyberterror, in: Network World, Vol. 21, Issue 48; pg. 49. 8 David Leppard, Al Qaeda plot to bring down UK Internet, The Sunday Times, 11.03.2007.
    • K. von Knop / Institutionalization of a Web-Focused, Multinational Counter-Terrorism Campaign 11 cyber terrorism; and cyber warfare. Having all the challenges in mind this article will focus on the most important and highly sensitive one, international cooperation. 2. The M.U.D. Approach The different types of terrorist activities and different levels of web-based radicalization on the Internet require appropriately differentiated responses. One such response is based on what Prof. Gabriel Weimann termed, at the NATO ARW “Hypermedia Seduction for Terrorist Recruiting”, held in September 2006 in Eilat Israel, the “M.U.D.” approach (Monitoring, Using and Disrupting). First, terrorist websites need to be monitored to learn about their mindsets, motives, persuasive “buzzwords”, audiences, operational plans and potential targets for attack. This form of knowledge discovery refers to non-trival extraction of implicit, previously unknown and potentially useful knowledge from data. Monitoring forums, blogs and other frequently updated sites are increasingly a focus of attention. New methods to monitor the so called “hidden web” have to be improved. The hidden web is that part of the Internet which search engines cannot access. Some estimate that the hidden web is actually 95% of all Internet content. Second, counterterrorism organizations need to “use” the terrorist websites to identify and locate their propagandists, chat room discussion moderators, Internet service provider (ISP) hosts, operatives and participating members. The retrieved data needs to be archived to enhance the learning process and to identify social networks. A social network consists of a web of connections between people, between people and events, and between people and organizations. There are mathematical techniques which among other things can: identify clusters of people within a network, display a network in the best and clearest way, identify key persons within a network, and measure the robustness of a network. Integrated Early Warning Systems are an additional requirement. Third, terrorist websites need to be “disrupted” through negative and positive means. In a negative “influence” campaign, sites can be infected with viruses and worms to destroy them, or kept “alive” while flooding them with false technical information about weapons systems, circulating rumours to create doubt about the reputation and credibility of terrorist leaders, or inserting conflicting messages into discussion forums to confuse operatives and their supporters. In a more positive approach, alternative narratives can be inserted into these websites to demonstrate the negative results of terrorism or, aiming at potential suicide bombers, to suggest the benefits of the “value of life” versus the self-destructiveness of the “culture of death and martyrdom”. It has to be noted that “disruption” of relevant websites conflicts with “monitoring” and “using”. For instance Country X would like to monitor a specific chat room and country Y would prefer to disrupt this website by negative means. That could cause disagreements, and to avoid such conflicts, to save resources, and to carry out an effective and efficient web-focused counterterrorism campaign, an international interagency decision-making and harmonizing committee should lead that approach. However, an effective “M.U.D.” approach depends on several conditions. It must be interdisciplinary, involving experts in communications and rhetoric, psychologists
    • 12 K. von Knop / Institutionalization of a Web-Focused, Multinational Counter-Terrorism Campaign who understand the impact of influence campaigns on their targeted audiences’ cognitive and behavioral responses, graphic designers and Islam experts who understand the type of graphic interface and layout that would appeal to such potential audiences, and civil liberty attorneys to ensure that such influence campaigns do not infringe constitutional rights of free speech and expression. This is a dynamic arena of continuous feedback loops in which our actions must ceaselessly anticipate and respond to the reactions of the targeted terrorist websites. For instance, when a website is brought down, it usually re-emerges with a different configuration elsewhere. Moreover, we need to prioritize the audiences to be targeted by such influence campaigns. For example, devoted activists may be considered a lost cause, while potential recruits who have not yet been activated into terrorism represent new opportunities for influence operations. Such influence campaigns must be led by moderate political and religious leaders from Islamic communities who formulate alternative messages and narratives to the radical Islamist ideologies. Here, further differentiation is required because, for example, mainstream Islam in the Middle East will be different to its counterparts in Southeast Asia or Europe. Above all, such a response requires new counterterrorism “armies” possessing new strategies, capabilities, tactics and cyber weapons to counteract the Jihadi websites. Intense intergovernmental, interagency and international communication and harmonizing processes embedded in an institutional framework and clear defined rules of the game are required to make such a campaign effective and efficient.
    • K. von Knop / Institutionalization of a Web-Focused, Multinational Counter-Terrorism Campaign 13 3. Responses of the European Union The EU has implemented the first steps towards institutionalizing such an approach. It has recognized the threat of how terrorists are using the Internet for their purposes. In its strategy and action plan for combating radicalization and recruitment to terrorism (doc 14781/1/05 and doc. 14782/ 05) the EU calls for measures to combat terrorist use of the Internet: “We need to spot such behaviour by, for example, community policing, and effective monitoring of the Internet and travel to conflict zones. (…) And we will examine ways to impede terrorist recruitment using the Internet.”9 The EU also emphasizes that the activities of the member states have to be accompanied by action at the EU level. In its conclusions of 15/16 June 2006 (doc. 10633/06 CONCL 2), the European Council expressly asks the Council and the Commission to develop measures to prevent the misuse of the Internet for terrorist purposes while at the same time observing fundamental rights and principles: “The European Council calls for the implementation of the action plans agreed under the EU Counter Terrorism Strategy, including the strategy against radicalization and recruitment, to be accelerated. Work must also be sped up on the protection of critical infrastructure. The European Council awaits the Commission’s first programme in this connection as well as concrete proposals on detection technologies. The Council and the Commission are also invited to develop measures to combat the misuse of the Internet for terrorist purposes while respecting fundamental rights and principles.” 10 The EU member states and Europol are already actively monitoring and evaluating terrorist websites. The Council supports the initiative “Check the Web”, which aims at strengthening cooperation and sharing the task of monitoring and evaluating open Internet sources on a voluntary basis “(…) there is also scope to strengthen cooperation on an EU basis, specifically with regards to monitoring and evaluating Islamist terrorist websites. Many Internet pages in various languages have to be monitored and evaluated, which requires enormous technical and human resources. Due to the huge quantity of Internet pages in use, problems arise on a national and international level concerning the quantity and quality of resources, especially with a view to the language skills needed. It is hardly possible for one individual member state to cover all suspicious terrorism related activities on the Internet. Monitoring and evaluating the Internet should therefore be intensified by sharing this task on a voluntary basis among the member states, taking advantage of the special language and professional competence of the relevant authorities of the individual member states. In addition to sharing information via Europol, member states may also choose to divide labour amongst themselves on a voluntary basis to achieve the most efficient use of resources. However, irrespective of potential distribution of priorities the responsibility of deciding whether to monitor, interrupt or shut down specific websites remains with the member states. In all of this work the activities of the various actors (member states, the Commission, Europol, SitCen, et al.) have to be coordinated in a targeted way.” 11 To reach this goal Europol is building the information portal as a technical platform for information exchange among member states. “It will contain the following 9 Council of the European Union doc. 14781/1/05, subject: The European Union Strategy for Combating Radicalisation and Recruitment to Terrorism, 24. 11. 2005, p. 3. 10 Council of the European Union, subject: Presidency Conclusions, doc. 10633/06, P.5. 11 Council of the European Union, subject: Council Conclusions on cooperation to combat terrorist use of the Internet 8457/2/07, p. 3.
    • 14 K. von Knop / Institutionalization of a Web-Focused, Multinational Counter-Terrorism Campaign modules, for which the member states provide their data and to which all member states have access: • Contact persons for strengthening the expert network; • Lists of links to monitored websites for mutual information; • Additional information (special language competence in the individual member states, technical expertise, possibilities of legal action against terrorist websites) that enables the sharing of resources; • List of announcements by terrorist organizations, to aid in combining resources; • Evaluation results to avoid duplication of work.”12 Europol will expeditiously extend the information portal on contact persons, link lists and lists of statements by terrorist organizations. The establishment of this information portal should facilitate a significantly increased quality of cooperation between the member states in monitoring and evaluating Islamist terrorist websites. It is planned to provide a platform where member states can make their information accessible to each other, thus compiling the knowledge available within the EU. Member states will have direct and fast access to information on the work performed by other member states and their results. In urgent cases direct contact can be established and cooperation can be coordinated through the list of national contact persons. In addition, initial steps were taken to strengthen cooperation, on a voluntary basis, under the principle of the division of labour amongst interested member states. The success of this information platform depends on the willingness of the EU member states to provide useful data and it might be a disadvantage that so far just EU countries participate at this project. 4. Towards a Collaborative Terrorism Data Fusion Centre The general wisdom and truth is that the terrorism threat forces governments to expand its legal and law enforcement powers and many of them are just implemented on a ad hoc basis and/or without conducting effectivity analysis. The terrorist organization and the individual are in a power position because they force the governments to act. But new laws are useless when they are being institutionalized without an expansion of good educated human capabilities. New powers in terms of intelligence, surveillance, data collection, etc., only make sense when at the same time data interpretation and analysis capabilities are to be expanded as well. The most valuable resource in addition to HUMINT is the good educated analyst. A good analyst has not only excellent knowledge of the topic and the target communities, he or she has high language abilities, knows how to think like the enemy to evaluate the data, has a tremendous knowledge of quantitative and qualitative analysis techniques and methods, and additionally the analyst knows how and in which context the data has been collected. Technical solutions have their value but also their abilities are limited. Having in mind that Islamist terrorism is a common threat for many countries, it would make sense, on the basis of a rational cost-benefit analysis, to cumulate/pool resources. It will be assumed that, for instance, the same radical Islamic website, forum or chat room will be observed by several intelligence agencies at the same time. That means a waste of 12 Ibid., p. 4-5.
    • K. von Knop / Institutionalization of a Web-Focused, Multinational Counter-Terrorism Campaign 15 the high value human analysis resources. To make such a system work specific factors have to be taken into consideration. I assume that no international security threat has facilitated governmental cooperation on the levels of politics, intelligence and law enforcement to the extent terrorism has. I propose the notion of “synergy”, and that 2+2=5, implying that governmental institutions could attain a competitive advantage by joining forces. Bi- and multilateral agreements and strategic alliances were the first wave of networking in the name of internationalization and expansion of effective and efficient counterterrorism. The United Nations, the European Union and the OECD have proven to be successful platforms for harmonizing counterterrorism policies. Interpol, Europol, and shadowy organizations like the Club of Berne or the Security Alliance in Paris are examples which show that, in the face of the threat of terrorism, the institutionalization of functional cooperation and information-sharing on the level of law enforcement and intelligence is possible. This section discusses how such a virtual and physical network(ed) organization can be theoretically organized, and how geographically dispersed knowledge analysts can collaborate virtually for a project in the absence of classic central planning. Even if for many people these thoughts seem to have much in common with dreams, sooner or later governmental institutions cannot avoid the implementation of such a system if they are to have a serious chance of combating terrorism in the long term. Co- ordination, management and the role of knowledge arise as the central areas of focus. The planned study proceeds to the formulation of a framework that can be applied to a web-based counterterrorism method in the sense of virtual decentralized work and concludes that value creation is maximized when there is intense interaction and uninhibited sharing of information between the organizations and the surrounding community. Therefore, the potential success or failure of this organizational paradigm depends on the degree of dedication and involvement by the surrounding community. Recent technological achievements have enabled governmental organizations to become more centralized, or decentralized, according to their strategic and cultural orientation, and they have further enhanced the efficiency of managing organizational goals. However, centralization is still the prevailing mode of management. To date, the existing organizational and management theory that examines the “virtual network(ed) organization” is not clear. It does not provide more than a basic explanation of how one could boost technological capacity so that emerging governmental opportunities are seized by flexible organizations which together face a global threat, namely terrorism. Similarly, no in-depth analysis has been carried out regarding the management of such a governmental “virtual organization” and the key factors that play a decisive role in the viability and potential success or failure of this fluid organizational structure. One of the reasons behind the lack of extensive research and literature on “virtual organizations” is merely that this presents an emerging phenomenon or organizational structure. 5. Framework/System Analyses Before our M.U.D. approach can be embedded in an international institution a framework/system analysis should be conducted which will take all relevant paradigms
    • 16 K. von Knop / Institutionalization of a Web-Focused, Multinational Counter-Terrorism Campaign and factors into consideration. The framework analysis draws upon key features of major organizational paradigms (participation, levels of participations, continuous improvement, organizational learning, rules of the game, technological equipment, etc.) and how these are managed. The key factor may be the creation of an access for consuming and providing open source material and analyses that enables a common computing and communications infrastructure. The heart of this system might be a technological platform with analytical tools and databases of open source data. The challenging factors are trust and symmetry. Potential parties to a shared infrastructure can rationally trust it more if they can see how it works all the way down, and will prefer an infrastructure in which all parties have symmetrical rights to one in which a single party is in a privileged position to extract fees or exert control. For this reason the institution should be virtually and physically led by a committee consisting of representatives of the participating institutions. To avoid a situation where a participating country just consumes the data provided by other participants, a sort of credit point system should be established. This system should guarantee that the parties are allowed to consume as much data as they have provided. 6. From Hierarchies to Joint Governmental Networks There is an old saying in military planning: “Get the command and control relationships right, and everything else will take care of itself.” It is a common sense acknowledgement that people provide solutions only if they are well led in a functional organization. The concept of the hierarchy of governmental security institutions is built on three assumptions: the environment is stable, the processes are bureaucratic and the output is definable and more or less predictable. Obviously, these assumptions no longer apply to cyber terrorism. Governmental organizations are controlled by hierarchies, and the counterterrorism departments should be linked according to a paradigm that relies on open and adaptive systems that promote learning, co-operation and flexibility, and that takes the form of networks of governmental analysts, artificial intelligence labs and research institutions instead of individuals. The system should be based on open source analyses, should focus on tactical and strategic issues using participation and empowerment, team accountability, matrix arrangements (flexible positions and responsibilities based on the abilities of the participating institutions), information networking, and initiatives for improvements should emanate from all directions on a regular basis. While military and governmental institutions do not like committees, a committee structure might be most effective for command in a web-based counter-terrorism campaign. There should be an executive committee for every major technical subdivision. Each committee must include all key personnel involved in the counterterrorism: police, intelligence officers, economic developers (to include NGOs), public services ministers, and the military. The committees must be in charge and have full authority. Committee members must not be controlled or evaluated by their parent agencies at the next level up; otherwise, the committee will fail to achieve unity of effort.
    • K. von Knop / Institutionalization of a Web-Focused, Multinational Counter-Terrorism Campaign 17 Table 1. Hierarchies and joint governmental networks. Hierarchy Networked organization Structure Hierarchal Networking and pooling Scope Internal, closed External, open Resource focus Classified Open source State Stable Dynamic Direction Commands, bureaucracy Committee-management Basis of action Control Empowerment to collect and to provide Basis of compensation Credit-point system: based on the amount and quality of the provided data, the governmental institutions are allowed to use the material provided by the others. 7. System Theory The underlying assumption that such a virtual and physical networked organization might work has its roots in the System Theory. System Theory is the trans-disciplinary study of the abstract organization of phenomena, independent of their substance, type, or spatial or temporal scale of existence. It investigates both the principles common to all complex entities, and the (usually mathematical) models which can be used to describe them. A system can be said to consist of four things. The first is objects – the parts, elements, or variables within the system. These may be physical or abstract, or both, depending on the nature of the system. Second, a system consists of attributes – the qualities or properties of the system and its objects. Third, a system had internal relationships between its objects. Fourth, systems exist in an environment. A system, then, is a set of things that affect one another within an environment and form a larger pattern that is different from any of the parts. The fundamental systems-interactive paradigm of organizational analysis features the continual stages of input, throughput (processing), and output, which manifest the concepts of openness/closedness. A closed system does not interact with its environment. It does not take in information and therefore is likely to atrophy, that is, to vanish. An open system receives the information which it uses to interact dynamically with its participating elements. Openness increases its likelihood of survival and prosperity. Several system characteristics are: wholeness13 and interdependence, correlations, perceiving of causes, chain of influence, self-regulation and control, goal-orientation, interchange with the environment, inputs/outputs, the need for balance/homeostasis, change and adaptability (morphogenesis) and equifinality (there are various ways to achieve goals). Communication from this perspective can be seen as an integrated process. 13 The whole is more than the sum of the parts.
    • 18 K. von Knop / Institutionalization of a Web-Focused, Multinational Counter-Terrorism Campaign 8. Creating an Intelligent System Such open systems are called openflows. An openflow is a cluster of initiatives, people and computers who create platforms, projects and concepts for the development of Open Source Intelligence (OSINT). The technologies of the Internet allow us to develop new ways of collaboration, ways that are more open, more collaborative, less hierarchical and, also, more efficient. The Open Source Software movement has shown this. However, real change does not come easily, and in each context it raises different challenges. The openflow aims to help address these challenges, both in terms of its technological aspects and in terms of its organizational and conceptual dimensions. In addition to particular features, these communities display overall organization patterns similar to those seen in other organization types, including both natural and artificial systems. Self-organizing processes are processes known in different kinds of communities’ software developers, as well colonies and open-source communities. The most well-known open-source community might be Wikipedia. The strength of Wikipedia is not the technology, but the massively collaborative effort of thousands of decentralized brains that the technology enables. Take, for example, the Wikipedia entry for Moqtada al-Sadr. Mr. Sadr’s entry in this free encyclopaedia that anyone can edit has been modified approximately 500 times by about 50 people in the past three years. These motivated authors have expanded the entry and corrected hundreds of one another’s errors or omissions. Readers can “vote” the most accurate and relevant information to the top, giving them enough credibility to be taken seriously. These communities practice an ongoing collective learning process and collective intelligence. Based on the assumption that 80% of radical Islamist terrorism information is open source and available, a huge amount of this data could be collected in the Internet (websites, open communication platforms), and relevant analysis can be generated just using this data. Collaborative analysis in a networked multinational interagency system would save resources and would increase the output.14 The new tools of US Intelligence include a federated search engine called Oogle15 and Intellipedia, a controversial intelligence data-sharing tool based on Wiki social software technology. Intellipedia runs on JWICS, SIPRNet, and Intelink-U and the server can not be reached over the Internet. Intellipedia uses MediaWiki, the same software used by the Wikipedia free-content encyclopaedia project.16 It might be worth thinking and discussing how a similar and improved system could be developed on an international level. 9. Qualitative Research of Open Sources I estimate that 80% of the information regarding radical Islamist terrorism is provided via open sources and a large amount of this data is being communicated in the world- wide web. Open source research covers a much wider field than just news monitoring. 14 Dizard, Wilson P. Spy agencies adapt social software, federated search tools, in: GCN http://www.gcn.com/print/25_29/42090-1.html 15 Google also provided its hardware and software system, which includes proprietary algorithms that intelligence IT managers praise highly, to the Army, the Energy Department and other agencies in the intelligence world. 16 Wikipedia for Intel Officers Proves Useful, National Defense Magazine http://www.nationaldefensemagazine.org/issues/2006/November/SecurityBeat.htm#Wik
    • K. von Knop / Institutionalization of a Web-Focused, Multinational Counter-Terrorism Campaign 19 Investigations often need to locate and retrieve thousands of potential documents, pictures, videos, etc., from the Internet. The relevant data of radical Islamists are not inherently quantitative, and can be bits and pieces of almost anything. They do not necessarily have to be expressed in numbers. Frequency distributions and probability tables can be useful but a lot of data can come in the form of words, images, impressions, gestures, or tones which represent real events or reality as it is seen symbolically or sociologically. To develop such a collaborative integrated system the first step would be to identify a joint definition of open sources and OSINT. OSINT is collected from information that is openly available to the public. An open source can be any person, group, or system that provides information without the expectation that the information, relationship, or both, are protected against public disclosure. Publicly available information includes data, facts, instructions, or other material published or broadcast for general public consumption available on request to a member of the general public; lawfully seen or heard by any casual observer; or made available at a meeting open to the general public.17 What is being understood under “openly available” might vary between governmental institutions in different countries. In general “OSINT operations support other intelligence, surveillance, and reconnaissance (ISR) efforts by providing information that enhances collection and production. As part of a multidiscipline intelligence effort, the use and integration of OSINT ensures decision-makers have the benefit of all available information.”18 Data collected from these different sources are often in diverse formats, ranging from structured database records to unstructured test, image, audio, and video files. As open source data volumes continue to grow, extracting valuable, credible intelligence and knowledge becomes increasingly problematic. Social science and other academic disciplines provide a tremendous amount of useful analytical methods. The first question which arises is how to define qualitative research. The simplest definition is to say it involves methods of data collection and analysis that are non-quantitative.19 Historical-comparative researchers would say it always involves the historical context, and sometimes a critique of the “front” being put on to get at the “deep structure” of social relations. Qualitative research most often is developed bottom up – not top down. Qualitative research uses unreconstructed logic to get at what is really real – the quality, meaning, context, or images of reality in what people actually do, not what they say they do. The challenge at this point is that institutions in charge of the analysis of open source materials use very different analysis methods. 17 Taylor, Michael C. Doctrine Corner: Open Source Intelligence Doctrine Military Intelligence Professional Bulletin. Ft. Huachuca: Oct-Dec 2005. Vol. 31, Iss. 4; p. 3. 18 Internet sites enable users to participate in a publicly accessible communications network that connects computers, computer networks, and organizational computer facilities around the world. The Internet is more than just a research tool. It is a reconnaissance and surveillance tool that enables intelligence personnel to locate and observe open sources of information. Through the Internet, trained collectors can detect and monitor Internet sites that may provide I&W of enemy intentions, capabilities, and activities. Collectors can monitor newspaper, radio, and television websites that support assessments of information operations. Collectors can conduct periodic searches of web pages and databases for content on military order of battle, personalities, and equipment. Collecting web page content and links can provide useful information about relationships between individuals and organizations. Properly focused, collecting and processing publicly available information from Internet sites can help analysts and decision makers understand the operational environment. Taylor, Michael C. Doctrine Corner: Open Source Intelligence Doctrine Military Intelligence Professional Bulletin. Ft. Huachuca: Oct-Dec 2005. Vol. 31, Iss. 4; p. 3. 19 Lofland, John und Lyn H. Lofland. 1984. Analyzing Social Settings: A Guide to Qualitative Observation and Analysis. Belmont, CA.
    • 20 K. von Knop / Institutionalization of a Web-Focused, Multinational Counter-Terrorism Campaign Qualitative research methods are for example: ethnography, ethno-methodology, imagery analysis, participant observation, dramaturgical interviewing, cognitive interviewing, narrative interviewing, text mining, spatial and temporal mining and visualization, hot spot analysis, sociometry, natural experiment, theoretical experiment like game theories,20 case studies, rational-choice, social network analysis, network learning, network topological analysis (e.g. random network, small world network, and scale-free network), language analysis, unobtrusive measures, content analysis, historiography, secondary analysis of data, etc. At this point it has to be noted that each qualitative research method has its advantages and disadvantages and often a combination of two, three or more qualitative research methods in addition to a quantitative research method will lead the research to evidence. For instance what are the advantages and disadvantages of a case study approach? Advantages of the method: Case studies allow in-depth understanding of the group or groups under study, and they yield descriptions of group events – processes often unsurpassed by any other research procedure. Also, and at a more pragmatic level, case studies can be relatively easy to carry out and they make for fascinating reading. But the real forte of the case study approach is its power to provide grist for the theoretician’s mill, enabling the investigator to formulate hypotheses that set the stage for other research methods.21 The most important disadvantage of a case study approach is that it is liable to be seduced into generalizations. Case studies, however, yield only limited information about groups in general. Researchers who use this method must constantly remind themselves that the group/cell studied may be unique and therefore non-representative of other groups. Also, because researchers cannot always use objective measures of group/cell processes when conducting case studies, their interpretations can be influenced by their own assumptions and biases. In all, case studies limit the researcher’s ability to draw conclusions, to quantify results, and to make objective interpretations. However, some topics such as groupthink, group decision-making and group work are almost impossible to study by any other method.22 To explain how important it is for a collaborative database not just to provide open source analysis for the participating governmental institutions, but also information about the method and when the data was collected, and how it was analyzed, we cite the following example of qualitative research. The qualitative research method of participant observation is a very critical one because the way it is conducted could have an impact on the research outcome. Participant observation is the process of immersing the researcher in the study of people the researcher is not too different from. It is almost always done covertly, with the researcher never revealing his or her true purpose or identity. If it is a group the researcher already knows a lot about, the researcher needs to step back and take the perspective of a “martian”, as if the researcher were from a different planet, and seeing things in a fresh light. If it is a group the researcher knows nothing about, the researcher needs to become a “convert” and really get committed and involved. The more secretive and amorphous the group, the more the researcher 20 Game theories are an appropriated tool for understanding the strategic interactions associated with terrorist and those shared with counterterrorism. Sandler and Arce (2007 provide an up-to-date survey of game theoretical papers on terrorism. There is currently a lot of interest in applying game theory to the study of terrorism with recent contributions by Arce and Sandler 2007, Bueno des Mesquity (2005), Heal and Kunreuther (2005), and Siqueira (2005) 21 Forsyth, D.R. (1990), Group Dynamics, Pacific Grove, CA: Brooks/Cole. 22 Libraries are full with books on qualitative research. In terms of collective efficacy; group processes; group decision making; vigilant problem solving; groupthink; group performance, Norman Schoefield´s Collective Decision-making might be a good book to start with.
    • K. von Knop / Institutionalization of a Web-Focused, Multinational Counter-Terrorism Campaign 21 needs participation. The more localized and turf-conscious the group, the more the researcher need observation.23 The known open source literature describes four roles: • “Complete participation – the researcher participates in deviant or illegal activities and goes on to actively influence the direction of the group • Participant as observer – the researcher participates in deviant or illegal activities but does not try to influence the direction of the group • Observer as participant – the researcher participates in a one-time deviant or illegal activity but then takes a back seat to any further activities • Complete observation – the researcher is a member of the group but does not participate in any deviant or illegal activities” 24 The key point behind all of them is that the researcher must operate on two levels: becoming an insider while remaining an outsider. To reach this goal the researcher has to create an excellent virtual identity that fits in with the research goals, which is easy to handle and which provides a high level of credibility for the target audience. He or she must avoid becoming over socialized, or “going native”, as well as being personally revolted or repulsed by the group conduct. Going native is sometimes described as giving up research and joining the group for life, but in most criminological circles, it means losing your objectivity and glorifying criminals. Generally, it takes time to carry out participant observation, from several weeks or months to years.25 The key point is that the method used could have an impact on the outcome. For the participating governmental institution of our collaborative database and system it is essential for the evaluation process of the analyses provided to give all relevant methodological data regarding what has been used. To identify or develop “best practices”, new instruments, or improve automated collection and sorting systems for specific research goals, the exchange of analytical methods regarding open sources would be an additional asset. 10. The Technology Law enforcement agencies and counter-terrorism analysts need tools which enable them to mine the Internet and process thousands of documents to identify patterns and produce evidence. These tools: 1.) retrieve documents from the Internet according to user-specified criteria, and 2.) extract information and “facts” from resultant reserves of unstructured text. Information science and technology has drastically expanded the mechanisms by which data can be collected, and knowledge extracted and disseminated through automated means. Recent technological achievements provide knowledge discovery techniques and they promise an easy, convenient, and practical way of exploring very large collections of data for organizations and users. They can: identify terrorist groups and individuals; identify an initial set of websites created by these groups; make link analysis and collect content and context of the identified terrorist websites, forums and chat rooms. An automatic web crawler is applied to collect the contents of these sites. All types of contents from terrorist websites, including textual files (e.g. HTML files, plain 23 Qualitative Social Science Research Methodology, http://faculty.ncwc.edu/toconnor/308/308lect09.htm 24 Ibid. 25 Ibid.
    • 22 K. von Knop / Institutionalization of a Web-Focused, Multinational Counter-Terrorism Campaign text files), multimedia files (e.g. images, audio/video files), and archive files (e.g. ZIP files, RAR files) should be collected.26 There are two general approaches to collecting domain-specific web documents: • manual selection, and • automatic web crawling. The manual approach is often used when the relevance and quality of information from websites is of the utmost importance. However, this approach is labour intensive and time consuming, and often leads to inconclusive results. The automatic web crawling technique is an efficient way to collect large amounts of web pages. This can be done using retrieval systems such as Convera RetrievalWare. A new, publicly available online tool now allows for a better assessment of where the members of this virtual jihadi community are physically located. This tool – the traffic-tracking website www.alexa.com – extrapolates from a smaller sample a general approximation of the distribution of the visitors to a given website. Running this tool against the URLs of the primary websites of the Electronic Jihad provides a basic breakdown of their traffic. 27 Given the sheer volume of data, technological tools are essential for an effective and efficient intelligence agency. Intelligence agencies need to use analysis and decision-making support tools, foreign language tools, sample-analyses instruments and predictive modelling tools. Data collection needs to be done automatically, and whichever system is utilized, it should be able to analyze and sort the data, and raise the alarm if necessary. One major concern in using web crawlers is that off-topic documents are often introduced into the collection, due to the limitations of web crawling technologies. The web information we are interested in is often not in English. Cross-lingual information retrieval (CLIR) can help break language barriers by allowing users to retrieve documents in foreign languages, via queries in their native languages. Most reported CLIR approaches translate queries into the document languages and then perform monolingual retrievals.28 This method helps experts to explore global Dark Web information without first having to learn foreign languages, and reduces the need for human translators working in the domain of terrorism research. Technology is able to improve the speed, and in counterterrorism speed is important, but the focus must be more on accuracy. To date, network-centric concepts have focused on shortening the sensor-to-shooter step. Facing the threat of terrorism we must focus on improving the quality of the observe-orient segment. 11. Conclusion To cut it down to one sentence: One analyst is intelligent, a group of analysts produce collective intelligence, and machines are tools. Collective intelligence needs tools to become more efficient and effective, and tools require intelligence to be useful. 26 See: Yilu Zhou, Jialun Qin, Quanpi Lai Reid, Hsinchun Chen: Building Knowledge System for Researching Terrorist Groups on the Web, Proceedings of the 11. Americas Conference on Information Systems, Omaha, NE, USA, August 2005, p.4. 27 Rebecca Givner-Forbes and Clay Shwery , Mapping the Electronic Jihad, in: ISN Security Watch, http://www.isn.ethz.ch/news/sw/details.cfm?ID=17535, 25.04.2007. 28 L. Ballesteros and B. Croft: Dictionary Methods for Cross-Lingual Information Retrieval, in Proceedings of the 7. DEXA Conference on Database and Expert System Application, Zürich, Switzerland, 1996, pp. 791- 801.
    • K. von Knop / Institutionalization of a Web-Focused, Multinational Counter-Terrorism Campaign 23 In Collective Intelligence proper investigative and legal procedures need to be strictly followed. The key factor may be the creation of an access for consuming and providing open source material and analyses that enables a common computing and communications infrastructure. The heart of this system might be a technological platform with analytical tools and databases of open source data. The value creation is maximized when there is intense interaction and uninhibited sharing of information between the organizations and the surrounding community. Therefore, the potential success or failure of such a physical and virtual network organizational paradigm depends on the degree of dedication and involvement by the surrounding community. References Arce, Daniel G., and Todd Sandler. (2005) Counterterrorism: a Game-Theoretical Analysis. Journal of Conflict Resolution 49: 183-200 Bertalanffy, von, L. (1968). General systems theory. New York: Braziller. Bueno de Mesquita, Ethan. (2005) Conciliantion, Commitment and Counterterrorim: A Formal Model. International Organization 59: 145-176 Heal, Goeffrey and Howard Kunreuther. (2005) IDS Model of Airline Security. Journal of Conflict Security 49: 201-217. Infante, D.A., Rancer, A.S. & Womack, D.F. (1997). Building communication theory. Prospect Heights, Illinois: Waveland Press. Laarmans, R. (1999). Communicatie zonder Mensen. Amsterdam: Uitgeverij Boom. Littlejohn, S.W. (2001). Theories of Human Communication. Belmont, CA: Wadsworth/ Thomson Learning. Lofland, John und Lyn H. Lofland. 1984. Analyzing Social Settings: A Guide to Qualitative Observation and Analysis. Belmont, CA. Luhmann, N. (1984). Soziale Systeme. Grund einer allgemeinen Theorie. Frankfurt am Main: Suhrkamp. Midgley, G. (Ed.) (2003). Systems thinking. London: Sage. Sandler, Todd, and Daniel G. Arce (2007) Terrorism: A Game Theoretical Approach. In Handbook of Defense Economics Vol. 2, edited by T. Sandler and K. Hartley. Amsterdam. Siqueira, Kevin (2005) Political and Militant Wings within Dissident Movements and Organizations. Journal of Conflict Resolution 49: 218-236. Taylor, Michael C. Doctrine Corner: Open Source Intelligence Doctrine Military Intelligence Professional Bulletin. Ft. Huachuca: Oct-Dec 2005. Vol. 31, Iss. 4; pg. 12, 3 pgs
    • 24 Responses to Cyber Terrorism Centre of Excellence Defence Against Terrorism, Ankara, Turkey (Ed.) IOS Press, 2008 © 2008 IOS Press. All rights reserved. Critical Information Infrastructure Protection1 Prof. Seymour E. Goodman International Affairs and Computing, Georgia Institute of Technology, Atlanta, USA Abstract. The benefits of the cyberspace are accompanied by the danger of cyber attacks. These vary in sophistication, and range in scale from attacks against individuals to attacks against countries, for example those on Estonia in April– May 2007. This paper will focus on the threat to what may be called primary Critical Information Infrastructure of Concern, and how to protect it. This topic will be set in the contexts of how cyberspace has spread globally, and Internet security. Secondly, we will consider the various threats to which cyberspace is exposed. It is the vehicle of, and the potential victim of, globalization. We will summarize the uses which terrorists have made of cyberspace. A range of measures are seen as essential for protecting critical infrastructure. Effective communication of R&D agendas will allow preventative steps to be taken, or attacks to be repelled as quickly as possible. Governments and the private sector should work to build cyber security capabilities, for example by forming CSIRTs. A legal framework for this new technology must be developed in terms of national legislation and, in view of the worldwide character of the networks, international conventions Keywords. Cyberspace, Internet, cyber security, Critical Information Infrastructure Protection 1. Introduction “Cyberspace” can be defined as “the union of all extensive information and communication technology networks”. In other words, it is the set of all computer- communications networks, of which the Internet is the largest and most relevant piece. There are some networks outside what is discussed here, and these too have security issues that have been addressed elsewhere.2 Cyberspace is a major technology-enabled medium providing the means of passage and the locus of objects of value. Many “critical information infrastructures” (CIIs) in the United States, Europe, and increasingly elsewhere in the world, depend on 1 The present paper derives from a transcription of the presentation Professor Goodman gave in Ankara. This was prepared for publication at COE–DAT. With the professor’s permission, the editors added some sentences, based on his previous articles, for the purpose of clarification. 2 For the PSN (Packet Switched Network) and NGN (Next Generation Network) see the work of the NSTAC (National Security and Telecommunications Advisory Committee).
    • S.E. Goodman / Critical Information Infrastructure Protection 25 computer-communications systems for direct control and other functions. You could say that “cyberspace” includes a significant amount of “control space”. The infrastructures in question include major forms of transportation, banking and finance, energy distribution, emergency preparedness and response, and public health. In this paper I will outline aspects of Critical Information Infrastructure Protection (CIIP), first setting it in the context of how cyberspace has spread globally, and of Internet security. Secondly, we will consider the various threats to which cyberspace is exposed. It is the vehicle of, and the potential victim of, globalization. We will summarize the uses which terrorists have made of cyberspace. A range of measures are seen as essential for protecting critical infrastructure. Effective communication of R&D agendas will allow preventative steps to be taken, or attacks to be repelled as quickly as possible. Governments and the private sector should work to build cyber security capabilities, especially by forming CSIRTs (Cyber Security Incident Response Teams). A legal framework for this new technology must be developed in terms of national legislation and, in view of the worldwide character of the networks, international conventions. 2. Cyberspace at a Glance For the most part, the Internet is built upon national and international telecommunications infrastructures, including the landlines of most public phone systems and wireless, and satellite communications. Beyond the Internet, these telecommunications infrastructures tend to be highly dependent on computing technology. Thus, by our definition, they are part of cyberspace. There are currently about 1.3 billion Internet users worldwide. The Internet now comes to ground in over 200 “countries” (Top-Level Domains, i.e. the letters which follow the dot after the domain name). This enormous growth has been achieved since the early 90s. The only thing growing faster than the Internet is cellular telephony, with about three billion phones in use, to which 1.6 million users are added every day. The fact that soon cellular telephones will be a platform for the Internet means that at least a billion new users will have access to this resource, and this expansion will mostly be in developing countries. 3. (In)Security (Internet Security) at a Glance The architecture, design, and practice of the Internet emphasize access (ease of use, low cost, universality). It has almost never considered security as a primary or important factor. It is an unfortunate result of the history of the way the Internet was developed that the protocols used by the Internet today are derived from those that were established in the early days of the ARPANet, where there were only a few well- respected researchers using the infrastructure, and they were trusted to do no harm. Consequently, security considerations were not built in to the Internet. All cybersecurity measures taken today to protect the Internet are add-on measures that do not remedy the underlying security deficiencies. The situation we have as a result is that current technology asymmetrically favors the attackers; it provides them great “nonlinear leverage”, and attackers get their innovations into practice more quickly and effectively than defenders. If we make a
    • 26 S.E. Goodman / Critical Information Infrastructure Protection comparison between cyber attacks and modern warfare, we would say that it is an asymmetrical conflict. While the state, because of its capacity, has a huge technological advantage over terrorists, the problem is that the kinds of nonlinearities associated with what terrorists do in cyberspace give leverage to those with relatively little technical capability. What has always been thought of as one of the great advantages of the networks can also threaten them: They give a small number of relatively weak people extensive access to a lot of information, each other, potential recruits and sympathizers, and prospective targets. There is also a negative aspect of tightening access against terrorists or other malicious users more generally because it would compromise access and privacy for many, many more “good” users. The functionality of the Internet ranges greatly. Of particular concern for those aware of the threat of terrorism is the fact that SCADA (Supervisory Control and Data Acquisition) systems now more commonly use the Internet to transmit data and control instructions, rather than the dedicated networks that had been used before. Additionally, very few of the “cyber” parts of the critical infrastructures were designed or implemented with security as much of a consideration, if it was considered at all. Most are riddled with vulnerabilities, which are defined as weaknesses that can be exploited through either hostile attacks or accidents. It would be almost impossible to create “patches” to protect programs from malicious people who seek to find and exploit these vulnerabilities. Another problem to recognize is that Internet defense pushes the burden outward to the end user organizations; most of these find it difficult, and often increasingly difficult, to defend themselves. In particular, most of the over two hundred connected countries have little or no national cybersecurity capabilities. 4. International Threats Arising from Globalization One area of concern that extends broadly across all of the stages of defense is that globalization creates new populations of “insiders”—people who have authorized access with the potential for abuse that can cause great harm. Insiders still probably account for a majority of successful penetrations for criminal purposes. The problem is complicated by changes in organizational relations and technical architectures that make “inside” and “outside” more difficult even to define. The possibility that a terrorist or a terrorist sympathizer might gain employment that would enable him or her to conduct a devastating attack or to provide critical information or access to others cannot be discounted or ignored. The two most general ways of dealing with infiltration are through deep pre- employment investigations, something that most non-government entities are neither capable of doing nor permitted to do in many countries, and through stronger forms of containment and compartmentalization of access within an organization. Globalization has meant that the Internet is now less secure, with vulnerabilities resulting from new systems “intimacies”. Transfer of information now takes place in unprecedented transnational contexts. A particular problem for those who want to control or police the Internet is the spread and ownership of, and access to, transnational transportation infrastructures. Much of the day to day running is outsourced, and offshoring (outsourcing to foreign
    • S.E. Goodman / Critical Information Infrastructure Protection 27 entities) means that any attempts to control the Internet require international co- operation. 5. Terrorists in Cyberspace What do we know or anticipate that terrorists want to do in cyberspace? I believe the answers to this question fall into three categories: 1. Terrorists want to support their activities and infrastructure, but not directly through an attack, using the Internet. 2. They may want explicitly to attack parts of the cyber infrastructure. 3. They may use cyberspace as a means of attacking other targets. These might include compromising transportation or other supervisory control systems to cause disasters resulting in extensive consternation and costing many lives. It is certain that terrorists and their supporters have been engaging in extensive activities under category 1, and that they will continue to do so. This would cover communications, including encrypted communications with each other; recruiting and “advertising” (for example, via Web sites); and financial transactions such as money transfers and laundering. Training manuals for terrorists, including information about bomb-making and avoiding detection, are freely available. Terrorists are also likely to be scouring cyberspace for information on potential targets and on weapons of mass destruction. As far as we can tell, terrorists have not been responsible for any of the major attacks or accidents that have occurred in recent years under categories 2 or 3. So much has been written about such possibilities—and they have had some prominence in the media—that it is inconceivable that terrorists are not aware of them. So far, for reasons we can only speculate about, they do not seem to have chosen to pursue these possibilities with vigor and effect, or perhaps they have tried and failed. 6. Systems and Networks at Risk Should an attack be launched against systems and networks, the following would be at risk: 1. The Internet. 2. Embedded/real-time computing (e.g. avionics systems for air traffic control, SCADA systems used by the amenities, routing for shipping containers, and process control for toxic chemical production, switching of telecommunications, bank teller machines, floodgates). 3. Dedicated computing devices (e.g. desktop computers). Each has a different role, and may be the subject of different kinds of attack. Terrorists might attack the Internet physically or “through the wires”, the latter being potentially more destructive. One type of attack that we see is directed against Internet operations. Such attacks are often based on self-replicating programs (worms and viruses) that are transmitted from system to system, consuming prodigious amounts of router processing time and network channel bandwidth. In recent years, some of these worms and viruses have been transmitted without explicitly destructive payloads and yet have been able to disrupt key Internet backbone subnetworks for several days.
    • 28 S.E. Goodman / Critical Information Infrastructure Protection Another kind of attack on Internet operations seeks to corrupt the routing tables that determine how a packet should travel through the Internet. In both cases, the intent of the attack is to reduce the normally expected functionality of the Internet for some significant portion of its users—that is, a denial-of-service attack in intent, although not one necessarily based on flooding traffic. An attacker might also target the Internet’s Domain Name System (DNS), which translates domain names (e.g. “example.com”) to specific Internet Protocol (IP) addresses (e.g. 123.231.0.67) denoting specific Internet nodes. A relatively small number of “root name servers” underpins the DNS. Although the DNS is designed to provide redundancy in case of accidental failure, it has some vulnerability to an attack that might target all name servers simultaneously. Although Internet operations would not halt instantly, an increasing number of sites would, over a period of time measured in hours to days, become inaccessible without root name servers to provide authoritative translation information. Physical replacement of damaged servers would be achievable in a matter of days, but changing the IP addresses of the root name servers would be more complicated. 7. Recommendations: Focus on Terrorists It is only a matter of time before cyber terror attacks, at present largely a threat, become a reality. Both government and private sector need to focus on preparations. There are a number of measures that must be taken. 7.1. Build Much Stronger Defenses, More Integrated Emergency Preparedness and Response Systems, and Improve the Processes for Their Use. The first order of business is to provide indications and warnings that an attack is taking place. This is a difficult area, and intrusion detection has become a particularly active area in research and development. Not surprisingly, detection and notification are more difficult and prone to false positives during the early stages of an attack, before significant damage has been done. To prevent penetration of the system at risk from the outside, we try to erect barriers and otherwise harden it. Both cyber and physical approaches are necessary. Passwords are the oldest, and still most widely used, cybertechnique. More recent and somewhat widely used techniques are firewalls and proxy servers. Like all forms of cyberdefense, these can be defeated, although it is possible to make them real barriers against many attempted attacks. Physical protection needs to consider several forms of penetration or attempts to isolate the system. These include attacks on electronics using electromagnetic pulses, and attempts to cut cable endings. A wide variety of forms of physical protection are possible, ranging from fences to biometrics. In the event of an attack there needs to be a system for incident management, mitigating an attack, and damage limitation. A next line of defense is internal compartmentalization and containment. In this instance, the goals are to limit penetration and damage, protect surviving assets, and protect and gather information to help with recovery and response after the attack. Approaches include creating internal physical barriers and cyberbarriers through compartmentalization and need-to-know access controls, intrusion tolerance schemes, setting up decoys, maintaining protected
    • S.E. Goodman / Critical Information Infrastructure Protection 29 redundancies, and hiding assets. All have both static (pre-positioned and unchanging during the attack) and dynamic variants. Another approach is automatic or partial shutdown and reallocation. A system that senses it is under attack would start erecting internal barriers that would not be tolerable during normal operations, in an attempt to isolate those parts of the system that had been compromised. It would also involve load-shedding strategies to reallocate surviving capabilities to the most important functions required by the organization. All of this amounts to various forms of real-time reassignment and reconfiguration under rapid degradation. Particular attention needs to be given to preserving and collecting information during an attack. This is done most easily if the attack has a clear and precise starting time and backups are made regularly, or if the organization maintains a redundant “shadow” system. More insidious attacks that build up slowly present a much more difficult problem in identifying a state where the system is free from inserted malicious code. It is also important to have strong audit functions to identify when an attack starts and to collect information that might assist in the identification and apprehension of the attacker and help the organization better defend itself against similar attacks in the future. Organizations should establish security policies and plans for defending against attacks. Special attention should be given to preventing and dealing with insider attacks. Staff should know who to call for help. It might be a good idea to test the plan through the use of exercises. However, most organizations avoid live “fire drills” because they can be expensive, disruptive, and risky in their own right. Many information systems are delicate and their owners are afraid something will go wrong, resulting in the self- inflicted equivalent of a serious attack. 7.2. Improve the security of systems that control physical processes (e.g., SCADA). From the standpoint of counter terrorism, we would imagine that attacking physical targets via control and management systems would result in the kind of mass casualties, damage, fear, and loss of confidence that terrorists favor. Many of these systems are vulnerable to tampering with control signals, especially by insiders. Increasing the security for DC/SCADA systems poses particularly difficult problems. These systems are often small and self-contained, and have constrained power needs (including backup). Security may not readily fit with the space, real-time, or power requirements. Security measures could also reduce performance or be problematic in the synchronization of other more extensive processes. Additionally, most of these systems are in the private or mixed sectors (for example, airports). Their owners and operators may not have sufficient resources to secure them more effectively. National governments that are in positions to do so should give priority to protecting the small percentage of cyberspace users who are private owners and operators of digital control and management systems. This would include providing them with various forms of assistance and technology. Particular attention should be given to transportation systems because for decades they have been highly favored by terrorists both as targets and as the means of delivering an attack. This kind of defensive work is essentially “target hardening”. This can be defined as the use of various technologies and products and procedures (for example, those governing outside dial-in or reconstitution and recovery) to protect the information technology (IT) assets owned or operated by an individual or organization.
    • 30 S.E. Goodman / Critical Information Infrastructure Protection It is important to notice that many of these recommendations would have more general value than just vs. terrorists (e.g., they would help against accidents, natural disasters, serious crime, and non-terrorist forms of conflict). However, as defense does not involve serious risk or impose a penalty on the attacker, there is also the need to develop deterrents. For this we need laws: 7.3. Design and Implement a Stronger “System of Justice”, Especially Its International Dimensions International cooperation should concentrate on effective intelligence operations. This is an area where a considerable amount of success could be expected, which would create the atmosphere for a long-term international legal framework. The problems of jurisdiction are greatly compounded by the easy transnational access provided by many components of cyberspace, most notably the Internet. What may be perceived as serious in one country whose cyberinfrastructure may be used as part of a terrorist action may not even make the legal radar screen of others that are part of an attack that crosses multiple sovereign physical jurisdictions. Most countries have given little or no thought to making serious crimes of the various forms of cyberattack, and “without law there is no sin”. Seeking widely adopted national laws at least criminalizing attacks against or using the networks is an important objective. Legislating against the support functions to which terrorists put the Internet would be a more distant prospect. The enforcement and prosecution of these laws are also critical elements of cybersecurity. Given the many technical and evidentiary problems of identifying cybercriminals and prosecuting them, nobody has any delusion that such laws would end criminal or terrorist activities in cyberspace. Nonetheless, they might reduce the enormous amount of malicious “noise” in cyberspace, and this would help make it easier to more readily identify more serious activities. They would also provide a necessary basis for encouraging people to report malicious cyberactivities, and for international cooperation in dealing with several kinds of problem. 8. Recommendations: CIIP at Every Stage Security must become a criterion for any system used for CII from the design stage onwards. The priorities in design have been access and throughput. Added security is not just costly; it may also result in reduced efficiency and functionality. Furthermore, so far there does not seem to be much incentive for people to design or redesign systems to be much more secure. There has been much speculation that the design or redesign of systems will occur only in the aftermath of a “digital Pearl Harbor” or in response to the forces of legal liability or insurance necessities and standards. Even better, security should be a factor to be considered over the entire life cycle of such systems. Organizations should build cadres of capable defenders, and contingency plans (including internationally) for crisis and emergency conditions need to be in place. There could be national-level CERTs or CSIRTs (Cybersecurity Incident Response Teams). A postdesign and implementation variant is to try to prevent attacks by finding and fixing vulnerabilities before an attacker can try to exploit them. Red teams, test beds, or simulations may be used to do this. Another approach, at least to the often-serious
    • S.E. Goodman / Critical Information Infrastructure Protection 31 threat of possible insider attacks, is to more thoroughly screen employees with potentially sensitive access. It is clear that for a number of these measures operational contingencies among owners and operators and their governments need to be established. 9. Recommendations: Help Build National and Regional Cybersecurity Capabilities Harmonization of national laws (as provided for in the 2001 Council of Europe Convention on Cybercrime) is a good first step toward ensuring the availability of legal recourse. This would provide the basis for tracking, identifying, and prosecuting cybercriminals across national boundaries. Considerable efforts are underway today at the regional intergovernmental and international governmental level. 3 One goal for which international action would be useful is the more effective coordination and sharing of information and R&D. 9.1. Types of Relevant International Conventions There is no reason why an international legislative system should not be built up around the new technologies we see today. If we make a comparison with aviation, that was also one hundred years ago a new technology for which no laws existed, yet there is now a very effective worldwide legislative framework for air traffic. Comparisons with other areas of international cooperation help us to see what kind of work can be done in this area for cybersecurity. There are three types of relevant international convention with multilateral operational dimensions: 9.1.1. Crime and Punishment Define undesirable behavior as criminal. Concern with sub-state actors. The prime example of such a convention is the Council of Europe Convention on Cybercrime (2001). 9.1.2. Infrastructure Protection Define undesirable behavior. Concern with sub-state actors. Establish standards/best practices. Concern with state actors. Here the prime examples are the Civil Aviation Conventions (1919, 1944, 1963, …). 9.1.3. Arms Control Control/limit behavior and possessions. Concern with state actors. The prime example: Biological and Toxin Weapons Convention (1972). 3 See the report: The International Landscape of Cyber Security.
    • 32 S.E. Goodman / Critical Information Infrastructure Protection 10. An International CIIP Convention? For international conventions covering Critical Infrastructure those concerning Civil Aviation may be the most relevant model to follow. The following characteristics are notable: They range from issues of aircraft safety to strong laws prohibiting acts against aircraft. The laws covering acts against aviation infrastructure are also effective. There is an International Civil Aviation Organization (ICAO). Since 1944 these conventions have gained near universal acceptance, with 189 countries signing up to them, and the coverage is growing. They are supported by other UN agencies and NGOs. If a CIIP Convention is to become a reality, there needs to be significant and sufficient international concern (the WSIS C5 Action Item could be an indicator here). It is essential that the convention strive for universal sign-up, and this probably necessitates a UN umbrella, perhaps the ITU. A CIIP Convention must be supported by an operational organization that can help build and certify national capabilities. Selected References Reports for the US Government National Research Council, Information Technology for Counterterrorism, Report of the Committee on the Role of Information Technology in Responding to Terrorism (J. L. Hennessy, D.A. Patterson, co-chairs, H. S. Lin, study director), Washington, DC, 2003. National Research Council, Toward a Safer and More Secure Cyberspace, Report of the Committee on Improving Cybersecurity Research in the United States (S. E. Goodman, chair, H. S. Lin, study director), Washington, DC, 2007. National Science and Technology Council, Federal Plan for Cyber Security and Information Assurance Research and Development, Report by the Interagency Working Group on Cyber Security and Information Assurance, Washington, DC, 2006. National Security Telecommunications Advisory Committee (NSTAC), Research and Development Issues to Ensure Trustworthiness in the Telecommunications and Information Systems that Directly or Indirectly Impact National Security and Emergency Preparedness, Atlanta, GA, March 13-14, 2003. National Security Telecommunications Advisory Committee (NSTAC), Report to the President on International Communications, Washington, DC, Draft, July 16, 2007. Other Selected References A. D. Sofaer and S. E. Goodman, (eds.), The Transnational Dimensions of Cyber Crime and Terrorism, Hoover Institute, Stanford University, 2001. Seymour E. Goodman, “Toward a Treaty-based International Regime on Cyber Crime and Terrorism,” in Cyber Security: Turning National Solutions into International Cooperation, Center for Strategic and International Studies, CSIS Press, 2003,. pp. 65-78 Stephen J. Lukasik, Seymour E. Goodman, and David W. Longhurst, Protecting Critical Infrastructures Against Cyber-Attack, Adelphi Paper 359, International Institute for Strategic Studies, London, 2003. (98 pages) Seymour E. Goodman, Charles House, et al., “Risks and Exposures,” Chapter 6 in William Aspray, Frank Mayadas, and Moshe Vardi, eds., Globalization and the Offshoring of Software. New York: ACM, May 2006.
    • S.E. Goodman / Critical Information Infrastructure Protection 33 Gabriel Weimann, Terror on the Internet, U.S. Institute for Peace, Washington, DC, 2006. S. E. Goodman, “Cyberterrorism and Security Measures,” Chapter 5 in Science and Technology to Counter Terrorism: Proceedings of an Indo-U.S. Workshop, (see also commentary in Chapters 6 and 18), The National Academies (US) and the National Institute of Advanced Science (India), National Academies Press, Washington DC, May 2007, http://books.nap.edu/catalog.php?record_id=11848.
    • 34 Responses to Cyber Terrorism Centre of Excellence Defence Against Terrorism, Ankara, Turkey (Ed.) IOS Press, 2008 © 2008 IOS Press. All rights reserved. Use of the Internet by Terrorists – A Threat Analysis – Phillip W. BRUNST1 Senior Researcher, Max Planck Institute for Foreign and International Criminal Law, Freiburg i. B., Germany Abstract. The separation between a physical, “real” world and a digital, “virtual” world is vanishing. Computer systems control physical infrastructure and, con- trariwise, the often adjured cyber world relies on physical cables, switches, and other hardware. This level of interdependency accounts for a great vulnerability to terrorists who want to generate fear, destroy property and human lives, or harm the economy. However, apart from attacks that are committed via the Internet, it is also used to disseminate terrorist content. Ultimately, conventional uses, e.g. worldwide individual communication or access to formerly unavailable or hard-to- obtain information are an advantage for terrorists. This chapter analyzes these pos- sible forms of use of the Internet by terrorists and gives examples of cases and threats that have either already occurred in the past or are likely to occur in the fu- ture. Keywords. Cyberterrorism, Internet, Terrorism, Communication, Propaganda. Introduction This chapter is designed to analyze the threat posed by terrorists using the Internet for cyberterrorism and other – more general – terrorist purposes.2 This danger is subject to an ongoing and controversial discussion. Whereas some authors claim that – up to to- day – not a single instance of cyberterrorism has been recorded, others argue that ter- rorists already routinely make use of the Internet. One reason for these differences in opinion is that the underlying terms of “terrorism” and “cyberterrorism” are not well defined [2], [3], [4], [5], [6], [7]. In fact, more than 100 different definitions of terror- ism with more than 20 definitional elements were identified in a study carried out in 1988 [2]. The definitions for “cyberterrorism”, in particular, range from very narrow (i.e. using the Internet to attack other systems in the Internet, resulting in violence against persons or property) to very broad (i.e. also including any other form of Internet 1 At the Max Planck Institute for Foreign and International Criminal Law (http://www.mpicc.de), Phillip Brunst heads the “information law” section. The author can be contacted at p.brunst@mpicc.de. 2 Parts of this chapter are based on research conducted for the Council of Europe by Prof. Dr. Dr. h.c. Ulrich Sieber and the author [1]. Thanks are due to Indira Tie for translation and editing assistance.
    • P.W. Brunst / Use of the Internet by Terrorists 35 usage by terrorists or even conventional attacks that are aimed at IT infrastructures [8]). This chapter will not analyze the different definitions of terrorism and cyberterrorism. Instead, it will give an overview of the use that terrorists can make of the Internet and the advantages that they can gain from this usage. For this reason, in the following text, the term “terrorism” is understood in a broad sense in order to enable a comprehensive examination of possible uses. For an analysis of definitions of terrorism, see [9]. To analyze the possibilities that terrorists have by using the Internet, it is not suffi- cient merely to look at confirmed cases of terrorist involvement. Instead, it is necessary to identify possible targets, risks, and other forms of terrorist Internet use. Therefore, this analysis is based on cybercrime- and cyberterrorism literature as well as on special- ized security reports and everyday news reports. This broad approach allows an ex- panded view not only of real occurrences of cyberterrorism and other uses of the Inter- net, but also of possible future (or undetected current) forms of utilization. Three different areas of terrorist uses of the Internet are mainly under discussion. With a view to news coverage, terrorist attacks that are carried out via the Internet are especially considered to be “cyberterrorism”. These attacks are either aimed at other IT structures, such as individual computers, central servers, and routers or at objects in the “physical world”, such as buildings, planes, trains, or even human life (Part 1.). How- ever, these intensely observed and frightening possibilities might not be the most inter- esting ones for terrorists. Since Internet access is available in many countries, terrorist organizations use the Internet not only to attack, but also to inform, threaten, and attract attention (Part 2.). Finally, the Internet offers to all of its users many interesting possi- bilities and information that can also be used by terrorists. These possibilities include the exchange of encrypted information between people in countries where censorship and mass surveillance are exercised as well as the obtainment of information about possible targets (Part 3.). 1. Attacks via the Internet Attacks via the Internet have, for a long time, been the domain of cyber criminals who abuse systems for their own benefit, especially to gain monetary income. However, these acts can also be committed with a terrorist intent. To analyze further the possibili- ties of digital attacks for terrorist organizations, one has to look at the reasons and mo- tives behind engagement in this fairly new field (Part 1.1.). The attacks themselves are often highly flexible and can be combined in several different ways. This makes it hard to distinguish, for example, a hacking attack that is being committed with the intent to “test” the security of a certain computer system from another hacking attack that is being carried out to shut down the system and create further damage. With respect to terrorist ambitions, however, the attacks can roughly be divided into actions carried out with the intent to attack other IT systems (and perhaps the physical infrastructure that is connected to these systems) and attacks that are carried out with the goal of endanger- ing human life (Parts 1.2. and 1.3.). 1.1. Reasons and Motives for Terrorist Attacks Since many attacks carried out via the Internet give no explanation for the reasons be- hind them, it is often not possible to determine whether they are the result of an arbi- trary experiment carried out by a user who tried out a program discovered while brows-
    • 36 P.W. Brunst / Use of the Internet by Terrorists ing the Internet or the result of the purposeful aggression of an organized group. Ac- cordingly, in many cases of cyber aggressions, the originator is not known. For this reason, some authors have claimed that – up to now – not a single instance of cyberter- rorism has been recorded [10]. Even if it is true that – according to informal sources – many cyberterrorist attacks have already taken place, many (if not most) cases are kept confidential due to the security threat to important infrastructures. However, even if evidence is scarce, the threat of terrorists using (or considering use of) the Internet for their purposes is not unrealistic. This in turn can also be used by terrorists as a form of psychological warfare: cyber-fear is generated by the fact that what a computer attack could do is too often associated with what actually will happen [7]. 1.1.1. Motivation for Attacks via the Internet The existence of many different reasons and motives show why the Internet, in general, is interesting not only for the “ordinary” criminal, but also for terrorist purposes: − Attacks that are conducted via the Internet can be launched from anywhere in the world. It is not necessary to be “on site” as it is for a classic bomb attack. Internet connections that are needed for the initialization of the attack are widely available or can be started from most up-to-date mobile phones; − When the attack is set up, it can be launched quickly with hardly any need for fur- ther preparation. This makes it possible to react spontaneously to current events (“cyber-revenge”); − The speed of many forms of attack is not dependent on the connection speed of the attacker, e.g. in cases of Distributed Denial-of-Service attacks (DDoS attacks). Instead, the connection speed of captured victim computers can be fully exploited. Thus, worms and viruses can spread at the fastest possible rate without the need for any further involvement on the part of the attacker; − Actions committed via the Internet can be kept anonymous and untraceable. Technically, anonymizing services and similar camouflaging techniques, as well as the forwarding of traffic via other hacked systems, can make tracing an attack difficult if not impossible. Furthermore, if traces are being led through different countries, legal problems and differing technical standards in these countries add to the list of problems. Finally, digital evidence can be deliberately forged, thus raising suspicion against uninvolved and innocent parties; − The cost-benefit-ratio is extremely positive: use of the Internet itself is cheap. For many attacks, only a small bandwidth connection is needed, which is affordable in most countries. Damage caused via the Internet, however, can be rather costly. IT experts must continue to be involved in fixing newfound security flaws; fur- thermore, additional costs arise if damages have occurred and require fixing (e.g. reconstructing IT equipment or repairing physical damage that resulted from a computer breakdown); − Often, attacks are easy to carry out because many targets are poorly protected. Therefore, attackers can choose from a wide variety of interesting targets. If the favored target is not vulnerable to the “weapon of choice”, many other targets are still available.
    • P.W. Brunst / Use of the Internet by Terrorists 37 1.1.2. Terrorist Motivation The short list above already shows that attacks via the Internet are generally attractive for any criminal organization. However, differences between ordinary criminals and terrorist organizations can be observed when the underlying motivation for such attacks is analyzed [7]. Cybercriminals often conduct attacks simply to gain monetary income or to demonstrate their “virtual power”. This can be achieved, for example, by the fol- lowing: − Circumventing security measures. Attackers can thereby corrupt the integrity and confidentiality of computer systems and data; − Rendering systems useless. This can be followed up by further drastic effects if mission-critical IT systems are affected; − Creating physical harm. This can be the case if critical infrastructures, such as transportation, power, or water facilities that are connected to an IT system, can be manipulated by a perpetrator who has gained access to such a control system. Terrorist organizations, however, typically follow a more long-term perspective. Their general aim is to achieve a (primarily political) goal with their actions. Therefore, the following actions are of high importance to the organization: − the generation of fear, − the creation of economic confusion, or − the discrimination of the political opponent. Other reasons, however, can also be an underlying agenda for a terrorist act that is be- ing committed via the Internet, for example: − the generation of monetary income or − the gathering of information on a target (either for a conventional or an electronic attack). Depending on individual motivation, terrorist aggressions can be performed in dif- ferent ways. As an example, a hacking attack with the intent to shut down an important system at an airport could be made publicly known in order to arouse fear in the popu- lation. However, a hacking attack that is committed in the hopes of gaining information on the automobile route of an important person might be kept secret so as not to endan- ger future plans for a bomb assassination on that person. In general, it is possible to imagine that all of the general aims mentioned above could also be accomplished with the help of attacks that are committed over the Internet. 1.2. Attacks on IT Systems Attacks on IT systems can roughly be divided into three different groups. (1) With the help of hacking techniques, access to individual systems can be gained. The system can be subsequently used to shut itself down, gather, alter, or delete information from it, or to conquer further systems that are attached. The latter is especially important with regard to attacks on an infrastructure that is controlled by a computer system. (2) The second approach is not designed to gain access to a computer, but to render it useless.
    • 38 P.W. Brunst / Use of the Internet by Terrorists These so-called “Denial-of-Service attacks” (DoS attacks) are often committed with the help of hundreds or thousands of computers that send (mostly useless) instructions to the victim computer. (3) Finally, a third type of attacks combines one or both of the above-mentioned attacks with a conventional bomb attack. 1.2.1. Individual Hacking Attacks 1.2.1.1. Accessing Systems The first type of attacks is aimed at enabling access to protected data and computer systems. This can be achieved if the victim computer is vulnerable to a security weak- ness that can be exploited by the attacker. Software and techniques for this purpose can be acquired through different channels: many specialized security forums discuss the known weaknesses of different operating systems and other software. If the designated victim computer is not immune against all current (and known) software flaws (so- called “patching”), this information can be used to gain access to it. However, even if all known patches have been applied to a computer system, this does not mean that the system is protected against all possible attacks. So-called “Zero-Day-Exploits”, i.e. software flaws that have not yet been disclosed to the manufacturer (and therefore not yet been patched), can be acquired via the black market. Such software enables access to a system even though the system administrators have followed all publicly known security measures. Once an attacker has gained access to a computer system, several possibilities lie ahead. First, the system can simply be shut down, thereby making it unavailable to le- gitimate users. However, the system can be restarted by administrators immediately, giving the attackers only a very short moment of success. Nevertheless, even a very short interruption can be hazardous for some systems, such as control systems for power plants or in medical environments. Furthermore, an outage can be combined with a conventional attack, e.g. to handicap rescue workers after a bomb attack. 3 Fur- thermore, the information on a system can be altered, thereby giving it a new meaning, e.g. to mislead people relying on that information, or destroyed. Finally, some attacks can be conducted without anybody noticing, making countermeasures extremely diffi- cult. 1.2.1.2. Altering Information The second possibility is to change information that is being stored on the computer system. This can lead to so-called “defacements” that often take place after a web server has been compromised [11], [12]. In the case of a defacement, a web page (usu- ally an entry page) is replaced with another page that informs the visiting user that this particular web server has been hacked (and most likely also provides information about who has done it). In doing so, the attackers can easily demonstrate their capabilities and the weakness of the victim. In addition, the impression is created that the attacker will be able repeat his action at any given point in time and even with other, even more highly protected systems. Therefore, defacements of web servers that belong to security agencies, the military, or other important services are popular targets for attackers. The group “Pentaguard”,4 for example, demonstrated its capabilities in 2001 when it simul- taneously defaced a multitude of government and military websites in the U.K, Austra- 3 For these so-called “hybrid” attacks see below. 4 For an excerpt of websites defaced by the “Pentaguard” group, see http://www.attrition.org/mirror/attrition/pentaguard.html [last visited: July 2007].
    • P.W. Brunst / Use of the Internet by Terrorists 39 lia, and the United States. This attack was later evaluated as one of “the largest, most systematic defacements of worldwide government servers on the Web” [13]. Terrorist organizations had also already used this technique in the past. Al-Qaeda, for example, hacked the website of Silicon Valley Landsurveying Inc. in order to deposit a video file showing the hijacked (and later beheaded) Paul Marshal Johnson [14]. By publishing the link to the stored video, the organization could simultaneously demonstrate its technical as well as conventional dangerousness. In another case, pro-Palestinian hack- ers used a coordinated attack to break into 80 Israel-related sites and deface them [5], [12]. Instead of defacing a web server, all other information stored on a computer sys- tem can also be affected, i.e. deleted or altered. If, for example, vital data, such as the U.S. Social Security database, financial institutions’ records, or secret military docu- ments, were able to be irreversibly damaged, grave social disorder and a long-lasting lack of trust in all government institutions could be the consequence [15]. Studies, such as the exercise “Eligible Receiver”,5 and recent attacks have shown that even top-secret military computers and sensitive nuclear research centers are not immune against all attacks [8], [12]. 1.2.1.3. Silent Operations The shutting down of a computer or the defacement of a web page each have the ad- vantage that the success of the attack becomes immediately known to both operators and users of the affected system. However, if an attacker does not aim at a demonstra- tion of his powers, but rather tries to gather information, secrecy is of essence. Therefore, the third possibility for an attacker to proceed after gaining access to a computer is simply to search for useful information and try to leave few or no traces at all. This form of action also has another advantage: whereas a security flaw that has been detected can be fixed after an intruder has been detected, an unknown security weakness allows the attacker to use it not only once but for a longer period of time. Hence, apart from the above-mentioned “Zero-Day-Exploits”, other forms of custom- made software are of also interest. A mode of operation that could also be put to use by a terrorist organization can be observed in a case that a security company has tested [16]. The company prepared USB sticks with a custom-designed, newly developed Trojan horse program that could not be detected by virus scanners. Twenty of these sticks were “lost” on the premises of a credit union. Of these, 15 sticks were found by employees – and promptly connected to the company network where the Trojan started to collect passwords and other valuable information and e-mailed this data back to the offenders. Such an attack would be a powerful way for a terrorist organization to initiate counterespionage. Another way to introduce such software could be through legal channels. This was observed in the year 2000, when Japan’s Metropolitan Police Department used a soft- ware system to track 150 police vehicles, including unmarked cars. It turned out that this software had been developed by the Aum Shinrikyo cult – the same group that gassed the Tokyo subway in 1995. It turned out that members of the cult had developed 5 In 1997, the NSA launched an exercise under the codename „Eligible Receiver.” A group of hackers was in essence challenged to use publicly available tools to try to break into the U.S. Pacific Com- mand in Hawaii, which is responsible for all military contingencies and operations conducted in the Pacific. To the surprise of the military, the group gained access to the user account management and were able to reformat server hard drives, scramble data, and shut systems down. Even the disruption of telephone services and interception of emails did not pose a large challenge [17].
    • 40 P.W. Brunst / Use of the Internet by Terrorists software for at least eighty firms and ten government agencies [17]. The cult had been able to work largely undetected because the software developers were engaged as sub- contractors, thus enabling personnel clearance to be easily circumvented. 1.2.2. Large-Scale Attacks If the information inside a computer is not of essence, but the aim is simply to make its services unavailable, the use of large-scale attacks might be preferred over a hacking attack. Large-scale attacks are often committed with the help of hundreds or thousands of other computers (so-called Distributed-Denial-of-Service-Attacks or DDoS-Attacks) [8], [11]. In these cases, viruses and Trojan horses are used to control other computers. These computers are turned into so-called “zombies” that are forced to report to a bot- net on a regular basis. These zombies are, in turn, controlled by a bot-master that in- structs them, for instance, to forward thousands of requests to a particular site in order to make it inaccessible to its users. In 2006, more than 60,000 active bot-infected com- puters were observed per day. Furthermore, over 6 million distinct bot-infected com- puters were detected in 6 months. These “zombies” were controlled by less than 5,000 command-and-control-servers [18]. It can therefore be safely assumed that the persons in control of these bot-nets are not hobby hackers, but well experienced and organized groups. For terrorist groups, however, it is not necessary to acquire these skills or to organ- ize bot-nets by themselves as bot-nets can also be rented. Prices for attacks range from about 150 to 400 US-dollars, depending on the target and the duration of the attack. Some bot-net-operators even offer discounts for multiple orders [19]. Also – as a non- technical alternative – the same effect as that achieved with a bot-net attack can be ob- tained if enough human supporters are available who can take over the part of will-less “zombies” in bot-net attacks. This can be observed in an online demonstration that was launched against the German airline “Lufthansa” in 2001. In order to call attention to the involvement of the company in the deportation of illegal alien residents, supporters were asked to open the web page of the company at the same date and time. Over 13,000 people followed the call. The Lufthansa server was unable to reply to the sud- den peak of requests so that the web page became unavailable to customers during this time frame [20]. This technique is also known as “swarming”, “virtual blockade”, or “virtual sit-in” and it shows that even technically non-adept organizations can use the power of distributed attacks against targets in the Internet [21], [22]. However, for a terrorist organization, the operation of a bot-net could also be an interesting option, since it can be used in a variety of ways. Two main options seem to be realistic: the use of bot-nets for email campaigns and for aggressive attacks on other Internet sites. In the first option, the “zombie” computers can be used to send out mass- mailings with terrorist content (e.g. propaganda). These mails are difficult to trace back since they do not originate from the computer of the terrorist organization, but from thousands of computers linked to the bot-net. Furthermore, this service can also be rented out to other companies wishing to cover their tracks in order to forward spam- emails and willing to pay for this service. Therefore, by using this first option, the bot- net can also be used as a source of income for the organization. When using a bot-net for the second option, i.e. utilization for attacks on other targets in the Internet, a terror- ist organization can benefit from the large diversification of attackers in a bot-net. Such aggressions can hardly be traced back and, in addition, the defense against such attacks is often not possible.
    • P.W. Brunst / Use of the Internet by Terrorists 41 Manifold examples of the use of bot-nets to bring down other services in the Inter- net can be found. Among them are actions that can be classified as terrorist or part of a cyber war. For example, six different Hizbollah sites, the Hamas site, and other Pales- tinian information sites were brought down by a so-called “FloodNet” attack of pro- Israeli hackers. The service virtually “flooded” the respective servers with pings result- ing in the unavailability of the servers for all other requests. Even after a relaunch with a slightly different spelling, the sites were still unreachable as the hackers immediately adjusted the attack to the new name [5], [21]. The targets of such attacks can be chosen freely, i.e. any system that is reachable over the Internet can be the victim of a (distrib- uted or simple) denial-of-service-attack. Therefore, the internal and external communi- cation systems of NATO troops were the victim of an attack during the allied air strikes on Kosovo and Serbia [4] as well as the thirteen root servers for the Internet domain name systems (DNS) [22], [23].6 1.2.3. Hybrid Attacks Many of the attacks described above can result in violence against persons or property and they can generate fear within a population. However, this depends largely on the chosen target and the actual effect that the attack was able to accomplish. Therefore, some authors claim that a conventional bomb attack is – in many ways – easier to plan and conduct and that the results can be better foreseen. However, even in cases of con- ventional bomb attacks, the losses can be increased if hybrid attacks are launched, i.e. an attack that is aimed at a physical target is combined with one or both of the above- mentioned electronic forms of attack. The bomb attack can be aimed at any given target. For example, it is often chosen to bring forth a high number of casualties. In this case, a supplementary digital attack could be launched that is aimed at the communication devices of police or ambulances in order to hinder an effective coordination of rescue teams [8], [12]. Another possibil- ity would be for attackers to choose to launch an assault on the economic stability of a country. In this case, a hybrid attack against national financial networks (such as Fed- wire or Fednet) or against transfer networks (such as SWIFT) could be launched. It is estimated that such an attack could wreak havoc on the entire global economy [8]. Another possibility would be to directly attack the infrastructure that forms the ba- sis of the Internet. To achieve this, offenders could assault any system whose operation is of the essence for the functioning of the Internet. One example would be the domain name service (DNS). The DNS is responsible for the translation of domain names (such as www.mpicc.de) into IP-numbers (such as 194.94.219.193). This task is necessary for many transactions, e.g. the opening of a web page or the sending of an email. If an at- tacker was able to disturb this service, large parts of Internet-based services would be inaccessible. Therefore, a DDoS attack on the thirteen root servers of the DNS in Octo- ber 2002 was described as an attack against the “heart of the Internet network.” How- ever, due to built-in safeguards, no slowdowns or even outages were caused [22]. The same is true for a recent attack which took place in February 2007: even though the aggression lasted for almost twelve hours, the influence was hardly noticeable [23], [24]. Such attacks against the infrastructure are possible not only by digital, but also by conventional means. For example, many transcontinental data connections rely on 6 For further details on the attack on the DNS root servers see also below.
    • 42 P.W. Brunst / Use of the Internet by Terrorists transatlantic cable connections between Europe and the United States. Whereas Euro- pean cable ends are widely spread between many different countries, they are often bundled on the American side (e.g. in New Jersey and Rhode Island). An attack on one or two of these connections could have a serious impact on Internet connections in general. In the past, this was observed when cables were damaged accidentally [25], [26]. For example, after an underground cable between China and the USA was se- verely damaged, according to a survey, 97% of Chinese users reported problems of accessing foreign web pages and 57% claimed that their life and work was being af- fected by the damage [26]. Another focus of a conventional attack against IT infrastruc- tures could be to target one or more of the central so-called peeringpoints that intercon- nect different networks in the Internet. The German peeringpoint DE-CIX in Frankfurt, for example, is said to handle 80% of German and 35% of European Internet traffic. The London Internet Exchange LINX is the world’s largest Internet peeringpoint. In 2006, it was at the center of a planned assault. However, Scotland Yard arrested sus- pects beforehand. An MI5-website is reported to have said that “without these services, the UK could suffer serious consequences, including severe economic damage, grave social disruption, or even large-scale loss of life” [27]. Since this report is focused on the use of the Internet by terrorists, there will be no further analysis of possible targets for conventional attacks. The examples above show, however, that terrorists can se- verely damage targets in the Internet even without any technical knowledge. 1.3. Attacks on Human Life Often, attacks on computer systems are considered less dangerous than conventional attacks with bombs because damages to computers are said to “only” lead to economic losses. However, these days, computers are no longer exclusively used to “crunch numbers” and store huge amounts of data. Instead, a new type of service has quietly evolved: SCADA 7 systems are used to measure and control other systems and can therefore lead to effects not only in the “virtual”, but also in the “real” world. Often, these systems are also connected to the Internet – in one way or another: according to informal sources, 17% of SCADA malfunctions are caused by a direct Internet access to the SCADA system [1]. Other possibilities include VPN-, modem- or trusted con- nections, e.g. remote access to allow maintenance work. Even though such possibilities for remote access are not advisable for security reasons, the need to cut costs and the ability to remotely control several SCADA systems centrally, instead of having one person control one system on-site, led many companies to establish such structures. Furthermore, many of the control systems are based on standard Windows- and UNIX operating systems [28]. Therefore, some hackers claim that it would take them only about a week to get into most of the existing control systems [29]. The effect of a com- bination of SCADA systems that are connected to the Internet and security weaknesses could be observed in 2003 when 21 power plants were brought down and other criti- cally important institutions in the United States, including Edwards Air Force Base, the test center for B-2 and B-1 bombers, also affected. As far as is publicly known, these breakdowns were the result of the W32.Lovsan worm that was using the same port to exploit a weakness on individual personal computers being used by the plants to com- municate with each other [28]. The collision resulted in a large power-down in the United States and Eastern Canada. 7 SCADA is an acronym for “Supervisory Control and Data Acquisition”.
    • P.W. Brunst / Use of the Internet by Terrorists 43 However, even though 60 million households are said to have been without elec- tricity, no panic erupted; there were only a few injuries, and hospitals and emergency services continued to function properly [30]. Therefore, some authors question whether cyber attacks are really of the same class as conventional attacks carried out with bombs [31]. From a terrorist’s point of view, it generally should not matter which weapon is used to commit an attack – as long as the attack is efficient, causes fear in the public, and is repeatable (at least in general) at any given point in time. Therefore, attacks that endanger human life often receive larger media coverage than those that only affect computer systems. Some of these attacks only have a nexus to electronics, e.g. bomb attacks that are triggered by RFID8 chips contained in newer passports [32], [33], [34]. Other forms of computer attacks that endanger human life have – for the most part – only been discussed and not yet taken place (or this has not become known to the public) [4]. Two different options are mainly being discussed: attacks on SCADA systems connected to potentially dangerous machinery with an immediate outcome and those that lead to a long-term effect. 1.3.1. Attacks with an Immediate Outcome Most scenarios that are under discussion and that could directly result in lost lives have not yet taken place or they have not become known to the public. The following are especially considered to be potential target scenarios for terrorist attacks with an imme- diate danger to human lives: launching attacks on hydroelectric dams, tampering with control systems for railways or air traffic, and gaining control over systems supervising power plants. Probably the most discussed scenario of cyberterrorism with an immediate danger for human lives is an attack on a hydroelectric dam. The consequences of (accidentally) damaged dams have been observed in the past, e.g. when, in 1975, the Banqiao and Shimantan dams on tributaries of the Huang He (Yellow) River in China failed, dozens of lower dams were damaged, and at least 85,000 people died [35]. If terrorists were able, for example, by way of hacking into a SCADA system controlling a dam, to cre- ate a similar effect by deliberately opening the floodgates, again hundreds or even thousands of people would be at risk. The vulnerability of such systems could also be observed in 1996, when an individual used simple explosive devices to destroy the master terminal of a hydroelectric dam in Oregon. Although the structure of the dam was not affected by the attack, the power-generating turbines were completely disabled and had to be switched to manual control [36]. However, attacks via digital channels have also been on the rise. In 1998, for example, a 12-year-old was able to break into a computer system that runs Arizona’s Roosevelt Dam. Federal authorities afterwards reported that he had complete command of the SCADA system controlling the dam’s massive floodgates [37].9 A similar incidence – albeit without a threat to human life – took place in the year 2000, when the police arrested a man who used a stolen computer and radio transmitter to control the sewage treatment in Queensland, Australia. The culprit had manipulated 8 RFID is the abbreviation for Radio Frequency Identification. An RFID tag is an object that can be incorporated in products for the purpose of identification using radiowaves. 9 The details of the attack are disputed: whereas the Washington Post reports that a 12-year-old hacker broke into the system in 1998, other sources claim that he was 27 and the incident occurred in 1994 [38]. Also, the level of access is debatable. However, the simple fact that the control system of a hydroelec- tric dam with the dimensions of the Roosevelt dam was compromised at all is sufficient to show the danger of a terrorist attack.
    • 44 P.W. Brunst / Use of the Internet by Terrorists the system over a period of two months, letting hundreds of thousands of gallons of putrid sludge ooze into parks and rivers. According to an employee of the Australian Environmental Protection Agency “marine life died, the creek water turned black and the stench was unbearable for residents.” However, the perpetrator’s motive was not to generate fear in the public, but to bargain for a consulting contract in order to fix the problems he had caused [30], [37]. Nevertheless, the case shows that physical damage can be caused by manipulating SCADA systems. It is easy to imagine what could happen if a terrorist were to gain control over a system that is set up to prevent the collision of airplanes. In 1997, a juvenile was able to access the communication systems of Worcester, Mass. Airport. The action dis- rupted the telephone service to the Federal Aviation Administration Tower at the Air- port, the Airport Fire Department, and other related services such as airport security, the weather service, and various private airfreight companies. Furthermore, the main radio transmitter and the circuit which enables aircrafts to send an electronic signal to activate the runway lights on approach were disabled [36]. Fortunately, no accidents were caused by the attack [15]. However, the incident clearly shows the potential dan- ger and the vulnerability of systems that are responsible for protecting human lives. In a worst case scenario, colliding trains or airplanes could possibly cost hundreds of lives [17], [30]. Finally, other scenarios with the possibility for mass mortality have also had an impact on the discussion about possible targets for cyberterrorists. In particular, the chance of terrorists controlling nuclear power plants or military missile control centers has been a subject discussed by many authors [4]. The above-mentioned power-down of 2003 has shown that digital attacks can indeed have an impact on such systems. However, many of these situations rely on the failure of all other security measures at the same time. Air traffic controllers and pilots are especially trained as regards “situational awareness” and use computers only as an aid. So, for a successful attack, it would be necessary to manipulate pilots and/or controllers as well as intrude into the computer system [39]. Furthermore, military facilities that are able to launch missiles are often not connected to the Internet, but “air-gapped” 10 instead, making a remote launch simply impossible [4], [40]. There are, however, no grounds for a complete all-clear. One reason is that it is not reasonable or sufficient to distinguish exclusively between “computer only” and “hu- man only” scenarios. If organizations have (or can buy) the aid of an insider – either in the form of active participation or in the form of gathering otherwise protected infor- mation – many security measures can be dangerously compromised. The second reason is that the military also makes use of increased connectivity and remote controlling in order to save the lives of soldiers. New weapons are being developed that rely on re- mote control. For example, semi-autonomous military robots often provide a commu- nication channel for human controllers – sometimes even over the Internet. This, for example, is the case with “RoboGuard”, a guard robot that can be equipped with infra- red-sensors and weaponry [42], [43]. Finally, many software products also used by military services rely on civilian technology and established operating systems, thereby opening additional loopholes for security risks. 10 Typically, a system is called “air-gapped” if it is completely physically, electrically, and electro- magnetically isolated. In the context above, especially the fact that the system can be considered closed and that it is not accessible from the outside, e.g. the Internet, is important.
    • P.W. Brunst / Use of the Internet by Terrorists 45 1.3.2. Attacks with a Long-Term-Effect The situations mentioned above can result in a one-time catastrophe. In order to create long-lasting panic and fear within the population, however, long-term effects and un- certainty may be even more suitable for terrorist organizations. Scenarios that are being discussed in this field include the manipulation of machinery, for example, in the pro- duction of food or medication [17], [39]. However, it is doubtful whether such scenar- ios are realistic. If, for example, the production chain of a food company were altered to create poisonous food, it seems likely that quality control would detect changes in the composition at an early stage. In addition, a sudden increase in the use of different ingredients would likely draw attention. Finally, the taste of the altered product would likely change. Other possible targets include the weapons-production process, where manipula- tion could lead to useless ammunition. This would be effective especially, because test- ing is hardly possible and defects would be noticed only after it is too late. However, since these production areas are usually high-risk areas, security measures are high, and production computers are seldom linked to public networks the risk of a digital effect in this area can be considered very low. 2. Terrorist-Related Contents From the beginning, one great strength of the Internet has always been its use for communication. However, widespread success began with the establishment of the WWW and the possibility for everyone to disseminate information. Today, terrorists have also begun to use the Internet not only to launch attacks, but also to exploit it for new possibilities in a “war of ideas” [30]. The use of the Internet is especially of inter- est for the presentation of terrorist viewpoints, the propagation of threats and propa- ganda, and the possibility to it for fundraising. 2.1. Presentation of Terrorist Views In general, terrorists and terrorist organizations have to work undercover which makes the communication of their views, aims, and ambitions extremely difficult. “Conven- tional” ways to spread ideas are leaflets and “mouth-to-mouth” propaganda. However, both alternatives are time-consuming and risky and they do not reach a large group of people. Additionally, terrorists are faced with the problem of how to communicate with (and possibly influence) the media or other people and organizations who might not actively be looking for such information but who would be interested in it once intro- duced to it. With the help of the Internet, the situation has changed. Almost every organization of importance now has its own website [7], [44] and the number of terrorist websites is steadily rising: Whereas in 1999, two of 30 deemed foreign terrorist organizations had their own websites (according to the United States Department of State), in 2005 more than 4,500 terrorist-related websites were known to exist [5], [45]. Many websites contain detailed information on leaders, the history of the organiza- tion, aims, or recent successes. The information is put together in such a way that the different “target groups”, e.g. supporters, enemies, or mass media, can easily find rele- vant information [7], [44], [46]. Some websites even offer cartoon-style design and
    • 46 P.W. Brunst / Use of the Internet by Terrorists children stories in order to reach already the youngest [7]. Also, information is pro- vided in different languages so that even foreigners can compare their media news with the views of the respective organization. The website of the Revolutionary Armed Forces of Colombia (FARC – http://www.farcep.org [last visited: September 2007]), for example, offers information in English, Italian, Portuguese, Russian, and German. For an overview of terrorist websites and their languages of operation, see [5]. As regards content, terrorists are not restricted to presenting information on their organization alone. Everything is virtually possible, from a mere presentation of view- points to a general glorification of terrorism or justification of recent acts of violence (or threats to perform new acts) even up to and including the incitement of further ter- rorist acts by the reading audience and recruits. The honoring of “martyrs” and com- munication with families of terrorists has even already taken place. The website al- neda.com, for example, has published the names and home phone numbers of 84 al- Qaeda fighters who have been captured. Presumably, the aim of this action was to al- low sympathizers to contact their families and let them know whether they were alive [47]. Other websites contain obituaries of suicide bombers, effectively glorifying them and encouraging others to follow this path [48]. The Internet has therefore become the most important means by which terrorist organizations communicate with their sup- porters and other interested parties [49] The most popular terrorist sites attract tens of thousands of visitors each month [5]. Of course, governments try to shut down such websites and prevent the spreading of information. However, the “censorship resistance” of the Internet is often used. For example, when Jordanian officials removed an article from 40 print copies of The Economist on sale in Jordan, an online copy was printed, photocopied, and faxed to 1,000 Jordanians, thereby circumventing local censors [21]. Furthermore, websites are often stored on servers that are physically located in different countries than the one the organization is acting from. For example, several websites of al Qaeda are physically stored in the USA and Canada [50]. 2.2. Threats and Propaganda As mentioned above, terrorist websites are not restricted to a presentation of views alone. Instead, terrorists can also use the Internet to send threats to enemies and spread propaganda. The possibility to use multimedia technology especially enables an or- ganization to burn images into the memories of the viewing audience in an impressive way. The assassination of Daniel Perl for example, showed the impact of psychologi- cal warfare as conducted by these new means. Also, other more recent, messages are no longer sent as mere text messages. Instead, professional-looking videos are being pro- duced, e.g. in the case of threats against German and Austrian involvement in Afghani- stan. These videos were subtitled in German and sent to a website called “Global Is- lamic Mediafront (GIMF) [51]. A high-ranking member of the German Office for the Protection of the Constitution is quoted as having said that this video is seen as a form of “psychological warfare” because it does not make direct threats, but instead creates an atmosphere of unease [51]. Other messages are directly forwarded to TV stations which incorporate the material and broadcast it in their programs [51], [52]. Therefore, some attacks are staged and filmed from several angles at the same time so that the material can be better used for the distribution to the media, websites, and the produc- tion of DVDs [53].
    • P.W. Brunst / Use of the Internet by Terrorists 47 The use of terrorist websites, however, also has two big disadvantages. First, most websites are only visited by people who are actively seeking such information. There- fore, organizations have to find new ways to also reach other people, e.g. mass media. Secondly, websites serve as a “single point of failure”: If the website is closed down, all information contained there must be moved to another site and the new name spread among those who wish to visit the site and get information from it. Terrorists have started to fight both problems and added more decentralized ap- proaches to their arsenal. This makes it harder for the government to control content on the one hand. On the other hand, it also makes propaganda available for those capable of being influenced by it or who are open to the views of the organization but not ac- tively seeking it. It is probably for this reason that many propaganda videos have shown up on video-sharing platforms such as YouTube. They depict terrorism in a glo- rious light and show assault scenes, bombings (often accompanied by modern music), or speeches by agitators. In addition to videos, Internet radio shows are also being launched [5]. Both, video and radio shows allow organizations to spread their body of thought among young viewers who are vulnerable to such influences and may stumble over such material while looking for a new pop song. Material and information that is spread via the Internet can also be used to influ- ence public opinion. Whereas, in the past, only a few well-established organizations were able to produce newspapers, magazines, or TV shows, the Internet makes it pos- sible for virtually anyone to launch their own periodicals or otherwise use the power of the media. The cost advantage over traditional mass media greatly helps to promote such journals. Al-Qaeda, for example, has launched a weekly bilingual news show con- taining world news from a terrorist point of view [49], [54]. Viewers of such online journals often cannot identify the source and evaluate whether the news being broad- cast is true or false. This, however, has proven to be a double-edged sword in the past. On the one hand, organizations were able to express their own views under the guise of a seemingly neutral authority, leading to a seemingly prevailing opinion between many “independent” journals. On the other hand, due also to the quick proliferation of fake communiqués, it was not easy to distinguish real terrorist messages from the statements of non-existent groups for some time [56]. Nevertheless, the risk remains that traditional mass media – thanks to increasing use of the Internet as a source of stories and illustrated footage – can fall for news sites that are set up especially for this purpose. By attractively presenting viewpoints and opinions, terrorist organizations can at least increase their chances of introducing these opinions into mass media products. In this context, semantic attacks are also being dis- cussed. A semantic attack involves subtly changing the content of the web page of a traditional news site, thus disseminating false information [11], [12]. However, it is doubtful whether these attacks would remain unnoticed. 2.3. Fundraising and Financing Some organizations have started to use their websites not only to disseminate informa- tion, but also to use it as a source of income for financing (fundraising). This can be done, for example, by selling CDs, DVDs, T-Shirts, badges, flags or books [5], [44]. Other websites give instructions on how to donate money to the organization, for ex- ample directly by means of credit card or by providing bank account details [44]. By doing so, organizations can establish a link to supporters and candidates for possible recruitment. The same can be achieved, if terrorists gather user demographics, e.g.
    • 48 P.W. Brunst / Use of the Internet by Terrorists from personal information entered on online questionnaires and order forms. Users that are identified as potential sympathizers can then be e-mailed and asked to make dona- tions [7]. Since the websites of the organizations themselves are often at the center of sur- veillance by security agencies, hundreds of support websites commonly appear and disappear. To allow visitors to find further websites, they are often link by web rings. Yahoo for example has pulled dozens of sites in the Jihad Web Ring, a coalition of 55 Jihad-related sites [5]. 3. Use of the Internet for Other Purposes The third sector that is of interest to terrorists, apart from attacks carried out over the Internet and the dissemination of information, is the use of the Internet for seemingly harmless tasks such as sending e-mails or visiting web sites. However, the following section will show that even these simple tasks can be beneficial to a terrorist organiza- tion if they are carried out via the Internet. This is especially true for the individual communication between terrorists and terrorist groups and the use of the Internet as a planning and supporting instrument. 3.1. Individual Communication The general benefits of the Internet, such as speed, low cost-level, and wide accessibil- ity, apply especially if it is used for communication purposes. The use of the Internet to communicate goes back to the roots of the Internet itself. Therefore, many tools and programs are in existence and their functionality has already been widely tested. In general, communication can be divided into text-based tools on the one hand, that can either be used in realtime (“chatting”) or in delayed mode (e.g. email), and voice-based systems on the other hand. Text-based systems, such as email, have the advantage that they are widely avail- able and that many companies usually offer these services free of charge. Additionally, they do not require a lot of bandwidth, making it possible to send and retrieve informa- tion even over older mobile phones or in areas where Internet-connections are limited. Since email services are offered free of charge by many different companies, terrorist organizations can rely on them and refrain from building up their own service. For ex- ample, the organizers of the 9/11 attacks had opened multiple accounts on largely anonymous e-mail services such as “Hotmail” [5]. Text-based, real-time systems, such as IRC, allow for a fast (and largely unsuper- vised) conversation of two or more persons who are online at the same time. If, how- ever, this is not the case, delayed applications that use a process-and-store mechanism (as with email) have a great advantage: messages can be stored and retrieved at any given point in time; terrorists neither have to be online all the time, nor do they have to entrust third parties with the task of accepting personal messages for them. Finally, many encryption tools have been developed and are freely available for this service. Voice-based systems, however, allow for even faster communication than text- based real-time systems.11 Voice-over-IP systems (VoIP) have enjoyed great success 11 In general, the bandwidth that is used by voice-based systems exceeds that of a text-based system by and large. Therefore, technically, text-based systems will often be faster than voice-based systems. How-
    • P.W. Brunst / Use of the Internet by Terrorists 49 since the free-of-charge software “Skype” was introduced. Lately, many manufacturers of messaging systems (such as AIM or Microsoft Messenger) have also included a voice function into their products. Therefore, it is of no surprise that VoIP software has been found in connection with al-Qaeda cells [8], [44]. 3.2. Encryption and Anonymity Information that is exchanged over the Internet is – by nature – digital. This allows for easy encryption and also for opportunities to remain anonymous. With regard to the latter, anonymity services and open proxies can be used. However, in many cases, ter- rorists must anticipate that their message will be intercepted. Therefore, they must ei- ther disguise the message itself or use conventional encryption techniques. To hide a message, two techniques are especially being discussed. The first is to hide the message with the help of steganography. In this case, a message is hidden in- side a picture, sound file, or any other file [44], [57]. This file can then be put on any public website, e.g. a photo could be put on a classic photo site such as webshots.com. Afterwards, other members of the organization could download the picture and decrypt the message. The entire process is concealed because no one (except for the terrorists) knows that the file contains more information than initially appears. Furthermore, the course of action is completely inconspicuous because it is an everyday event to up- or download a picture from a photo site and does not draw any attention to itself. Some authors claim that the use of steganography is only a myth [5]. However, even if this technique is not proven, there is a possibility that it could be used by terrorists as well as anybody else. Furthermore, also other techniques could be used to secretly pass messages that cannot be noticed or deciphered by observers. If, for example, code words or certain signals are being agreed upon between different terrorists, it would be sufficient to use this code word in an inconspicuous context. Therefore, experts currently argue whether the color of the beard of Osama Bin Laden in his latest video is a secret message for his followers [58]. Similar techniques were already used by the group of terrorists conduct- ing the attack on 9/11. The message from Mohammed Atta to the other attackers stated that “19 confirmations for studies in the faculty of law, the faculty of urban planning, the faculty of fine arts, and the faculty of engineering” were obtained [47]. This mes- sage could be sent without attracting any attention, even if it was intercepted. For the well-informed, however, the references to the various faculties revealed the different targets for the assassins. Another method of preventing the content of a message from being revealed is the use of a free mailer e-mail account. To begin with, the use of a free mailer account it- self offers a great degree of anonymity and protection in itself, especially if more than one service is used (either alternatively or simultaneously). However, to protect the content of an e-mail, the account is used in an unconventional way: instead of logging in, writing, and sending an e-mail, the password is not known to just one person but to two – sender and recipient. The sender logs onto the account and writes, but does not send, the message. Instead, the message is saved as a draft. Later, the recipient logs onto the same account and reads the message in the draft folder. By means of this tech- nique, the message never leaves the system, so that no traces of an e-mail remain on ever, from a user point of view “simply talking” is often felt as being more direct and quicker than pressing keys on a keyboard.
    • 50 P.W. Brunst / Use of the Internet by Terrorists any system. Thereby, governmental filtering systems were successfully circumvented for a long time [59]. In the meantime, however, this technique is known to secret ser- vices around the globe. Therefore, if conventional messages (i.e. unencrypted or not in other ways protected) are being exchanged in this way, terrorist conversations can still be tapped [60]. More difficulties arise, however, if this technique is not used with e- mail accounts, but with online repositories. These storage places accept all kinds of different files, e.g. plain text file, encrypted files, or the above-mentioned seemingly harmless files that contain further information hidden inside. But even if terrorists decide to send messages as proper e-mails (e.g. because there was no safe channel to exchange the password for the e-mail account), they can do so confidently because any message can be encrypted. Apparently, terrorists are already using all the possibilities that computers and networks offer, “starting from encryption techniques to password-protected repositories somewhere in the virtual world” [61]. This statement by the President of the German Federal Police (Bundeskriminalamt) Jörg Ziercke was confirmed when thousands of encrypted messages were found by federal officials on the computers of arrested Al-Qaeda terrorists Abu Zubaydah and Ramzi Yousef; the latter of which was tried for the previous bombing of the World Trade Center [8], [44]. Good encryption programs are available to the public as open- source software. Thus, terrorists can be sure that no hidden “backdoor” is contained in the program. Furthermore, if the right encryption parameters are used, even up-to-date technology is not able to decrypt the message without the proper key. Yet, apparently not all terrorists use encrypted messages. For example, the organ- izers of the 9/11 attacks indeed used e-mail, but did not see the need to encrypt their messages [5]. In some cases, this might not be careless, but the intended purpose. If, for example, terrorists want the content of their communication to become known, they send it in unencrypted form in the hopes that the message will be intercepted by the appropriate authorities. Since it is common knowledge that the surveillance of tele- communication is on the rise, such information could be purposefully disseminated in order to conceal other – real – attack plans that concentrate on other targets [47]. 3.3. Planning and Supporting According to a terrorist training manual, public sources can provide up to 80% of all required information on an opponent [44]. Officials agree and state that the combina- tion of all unclassified information available in the Internet “adds up to something that ought to be classified”. Terrorists can therefore heavily rely on publicly available in- formation in the Internet for the planning of attacks and for the support of their mission. Examples of this field of application are especially the use of publicly available infor- mation and the collection of specialized information for training purposes. 3.3.1. Publicly Available Information An often cited example of publicly available information which is useful for terrorists is the satellite maps that are provided, for example, by Google, Microsoft, or NASA.12 In former times, these images were only available to experts. Now, they are a common good and accessible for anybody, including terrorists [62], [63]. In the eyes of govern- 12 See, for example, Google Earth (http://earth.google.com), Google Maps (http://maps.google.com), Microsoft Virtual Earth (http://www.microsoft.com/ virtualearth), or NASA WorldWind (http://worldwind.arc.nasa.gov)
    • P.W. Brunst / Use of the Internet by Terrorists 51 ments around the world, at least part of such information poses a threat to national se- curity because it allows the examination of otherwise protected areas from a bird’s eye view. Therefore, it is reasonable that officials have begun to ask providers of digital maps to disclose certain – security-relevant – information, e.g. defensive fortifications or military development and production areas [64], [65]. But even maps of publicly accessible areas can be of interest because they can easily be combined with other data, such as street names. As a result, for example, escape routes can be planned with great precision, even before a territory is inspected in person. In many cases, the information that is contained on the website of possible targets (e.g. companies or government institutions) is also of interest to terrorists. In one case, for example, maps, time schedules for shuttle busses, and a copy of the official tele- phone directory of a military base were available via the official website. This informa- tion could be gathered by terrorists and used for the preparation of a conventional at- tack. The same is true for much other information that can be accessed via the Internet. For example, reports of security weaknesses in airports or transport companies could draw the attention of terrorists to possible targets [47]. In summary, the amount of sen- sitive data that can be discovered at the various corporate websites can be constituted as “a gold mine for potential attackers” [7]. According to some authors, terrorist organiza- tions have even started to use databases to gather, sort, and evaluate the details of po- tential targets in the United States [44]. Actual findings on terrorists’ computers have shown that publicly available information of all kinds are indeed being downloaded and used for planning purposes [44], [63], [66]. 3.3.2. Training Since so much information that can be abused is available over the Internet, some au- thors claim that the Web has become “an open university for jihad” [45]. Some infor- mation that is of great interest – especially for new terrorists – has even been pre- compiled, e.g. information on bombs, poisons, or many other dangerous goods. The “Mujahadeen Poisons Handbook”, for example, contains various “recipes” for home- made poisons and poisonous gases for use in terrorist attacks [7], [44]. Comparable information can also be found in other collections, such as the “Terrorist’s Handbook”, the “Anarchist Cookbook”, the “Encyclopedia of Jihad”, the “Sabotage Handbook”, and the famous “How to make Bombs”, all of which are freely available. Modern ter- rorists amend these handbooks by adding extra information, e.g. on hostage taking, guerrilla tactics, and special bombs [67]. Some excerpts, e.g. from the virtual training manual of al-Qaida Al Battar, have been published by the U.S. Department of Justice [7]. The danger that appears to originate from many of these compilation should, how- ever, not be overestimated. Even though the documents are clearly labeled, many of them contain the same information that can be found in most standard chemistry books for university students. Then again the Internet offers some advantages over traditional libraries. For example, contents can be gathered without causing any suspicion and without attracting a librarian’s attention. Furthermore, new information can be added at any time and collections can be mirrored between different locations. This (and the possibility to use anonymity services for retrieving the information) enables terrorists to circumvent censorship and deletion.
    • 52 P.W. Brunst / Use of the Internet by Terrorists 3.3.3. Support As explained above, the Internet can serve as a huge library for terrorists. Combined with the possibilities to interact fast and anonymously with each other new opportuni- ties for a support between terrorists and terrorist groups arise. This can happen in three different ways: (1) supporters find instructions on what contributions are currently needed by an organization; (2) organizations offer help to individuals; and (3) organiza- tions help each other. The first possibility is that individuals support a terrorist organization. This can happen in many of the ways that are being described above, e.g. through financing. But also support of electronic attacks has already taken place. Recently, for example, soft- ware called “the electronic jihad program” has been discovered on jihadi web sites. The program can be downloaded by interested followers. It is designed as to allow indi- viduals to easily participate in attacks on different web sites over a windows-like inter- face. In order to encourage other users, usernames of participants and the hours spent for attacking websites are being collected and put on public “high score”-lists. The publishers of this software obviously hope that with a spreading use of the Internet con- tinually more users engage in such a form of “electronic jihad” [68], [69]. The second form of support goes into the opposite direction, i.e. terrorist organiza- tions support individuals in their efforts. This form of support can especially take place in the above mentioned way of compiling information for special purposes like instruc- tions on hostage taking or on building bombs. This form of support is seemingly on the rise. Al-Qaeda, for example, is said to run a “massive and dynamic online library of training materials” which is supported by experts who can answer questions either on message boards or in chat rooms. Topics that are covered in this database are said to range from weapons and poisons to navigation instruments and even to camouflaging and masquerading [45]. Such a “terrorist’s helpdesk” could enable small groups of ter- rorists all over the globe to act fast and competent. Information on the third form of support – support between different organizations – is hardly available. However, at least the technical infrastructure is available that al- lows loosely interconnected groups to maintain contact with one another. Even terrorist groups that fight for different political goals and that are located in different geographi- cal areas could communicate with each other and exchange information, such as on weapons or tactics [70]. 4. Conclusion and Recommendations The assessments in the literature on the danger of terrorists using the Internet range from “imminent threat” to an “exaggerated cyber angst”. This, however, is mostly due to the fact that no common definition of cyberterrorism exists. Most authors would probably agree that terrorists have begun using the Internet at least for communication purposes. Only a few, however, would describe this as a form of cyberterrorism. Based on the broad approach that is being followed in this chapter, for a realistic assessment of a terrorist use of the Internet one has to look at the skills terrorists have shown up to today, the protection of the possible targets and services described above, and the re- sults that are possible if terrorists choose to actually use the Internet.
    • P.W. Brunst / Use of the Internet by Terrorists 53 4.1. Skills Often, those who claim that cyberterrorism is not a real threat state also that terrorists lack the necessary skills for an electronic attack. This is true insofar as attacks in secu- rity-relevant areas indeed require highly developed computer skills that exceed com- mon user know-how by far. Therefore, some experts assume that it would take from two to four years of preparation for a structured cyber attack against multiple systems and networks. For a “complex coordinated cyberattack, causing mass disruption against integrated, heterogeneous systems” even six to ten years would be needed [8]. The current generation of young terrorists, however, has – as least partly – been growing up in a digital world. Seized computers of al-Qaeda, for example, show that they are becoming increasingly familiar with hacker tools that are freely available over the Internet [8]. Also the above-mentioned use of encryption and communication tools as well as the design and setup of web sites confirm this observation. But even if the terrorists themselves were not yet ready for an attack, this is no rea- son for an all-clear. With the above-mentioned interconnection and the fact that much information on security issues is available on the Internet terrorists can gain this ex- perience in only a short time [30]. Furthermore, skill and information can also be ac- quired on the free market. The Islamic fundamentalist group “Harkat-ul-Ansar”, for example, has attempted to buy cyber attack software from hackers in late 1998 [8]. Also the above-mentioned “Zero-Day exploits” are available for anybody who is will- ing and able to spend between $ 1,000 and $ 5,000. The same is true for computers that can be used in a DDoS attack. In this case, prices range only from $ 150 to $ 400, de- pending on the target and duration of the attack [19]. However, some authors doubt if organizations have enough money for large strikes. After evaluating the results of a governmental test for a “Digital Pearl Harbor”, for ex- ample, officials stated that terrorists would have to spend about $ 200 million for ap- propriate resources [40]. But in this calculation it has to be considered that several ter- rorist-sponsoring nations might want to become involved. They can either invest money in terrorist organizations, provide know-how and resources, or aid external ef- forts by contributing their own personnel. The U.S. Department of State, for example, lists several designated state sponsors of terrorism [8]. Other countries are known for the training of hackers for national defense purposes or keeping specialized depart- ments within their intelligence services [8], [71], [72], [73], [74]. Summarizing it can be stated that different terrorists and terrorist organizations have demonstrated their newly gained experiences with technology. This is especially true for the presentation of terrorist contents and the use of the Internet for other pur- poses. A large cyber attack that was verifiably committed by terrorists has – up till now – not yet taken place. However, it has to be assumed that terrorists can either use their own skills or cooperate with different parties in order to launch digital strikes. 4.2. Possible Results When looking at the results that are possible one has to differentiate between the use of the Internet for the distribution of contents or similar forms of utilization and the use for a digital attack.
    • 54 P.W. Brunst / Use of the Internet by Terrorists 4.2.1. Common Use of the Internet The use of the Internet for buying airline tickets or gathering information on a certain building is in essence a legitimate use of the Internet regardless of the underlying moti- vation and intention [4]. Therefore, the direct result of terrorists using the Internet for the above mentioned purposes is hardly noticeable. However, the indirect conse- quences are not marginal. Especially the possibility to stay in contact from almost any place in the world and the chance to do so without being noticed by intelligence services is a great benefit for terrorists and terrorist organizations. Furthermore, the tracing of suspects is being seri- ously hindered if anonymity services and encryption techniques are being used. 4.2.2. Use for Digital Attacks The attacks that can possibly be launched over the Internet have been illustrated above. Especially the latest attacks on the country of Estonia in 2007 have shown that a well planned attack can bring down major commercial banks, telecommunication services, name servers, and even ATMs all at the same time. In essence, according to Estonian Defense minister Jaak Aaviksoo, the national security of an entire nation was threat- ened by this particular attack [73]. However, terrorists will carefully assess how much time, personnel, and money is needed for a certain attack and what the outcome will be. A scenario that results “only” in the unavailability of (computer or other) services is likely to be put aside since the outcome is a common phenomenon even without computer attacks. Other scenarios that are able to create public fear and extensive media coverage on the other hand will be considered by terrorists in greater depth. But then again, terrorists will consider the efforts that it takes to carry out such at- tacks. Often, a conventional attack can be carried out with greater ease – and it can be easily repeated (whereas a computer-based attack is a one-time threat if the security hole can be fixed afterwards). For example, a cyber attack on a transportation system is possible – but the same (or even greater) result can be created with the use of explo- sives. The same thought applies also to many other scenarios [75]. From this point of view a sole large digital attack executed by a terrorist organiza- tion seems rather unlikely, because the effort would exceed the possible outcome. It does seem likely, however, that followers are incited to start attacks by themselves. This, for example, seems to have happened in the case of the attack against Estonia: Hackers and “script kiddies” alike were instigated in chat rooms to initiate DoS attacks against Estonian services at the same time [75]. The second possibility that seems likely are the above-mentioned hybrid attacks. These can be used in conjunction with a conventional attack in order to increase the number of casualties. In these cases the preparation is often easy or can be bought, e.g. if DDoS attacks are used. 4.3. Level of Protection Most experts agree that some of the worst and scariest results of digital attacks are only possible, because many targets are only poorly protected. In a recent study, for example, U.S. authorities were audited on the implementation of the Federal Information Secu- rity Management Act of 2002 (FISMA) that defines IT-security measures such as se- cure password management or access control. The overall rating for all government
    • P.W. Brunst / Use of the Internet by Terrorists 55 agencies was a school grade of “D+”.13 Interestingly enough, the Department of Home- land Security, which is also responsible for the coordination of state cyber security, received an “F”. Indeed, it failed the test three times in a row [76]. But also other gov- ernments around the world were found to be vulnerable to cyber attacks. Computers at the Chancellery and three ministries in Germany, for example, have been infected with spy programs that allegedly were installed over the Internet by Chinese army hackers [74]. However, it is not the public sector alone that is to be blamed. More than 80 per- cent of critical infrastructure systems are privately owned [75]. Many of these systems are also easy targets and not adequately protected. A survey conducted in 1997, for example, found that then 40 percent of water facilities allowed their operators direct access to the Internet, and 60 percent of the SCADA systems could be connected by modem. Additionally, even in power plants configurations were detected where all con- trol systems were set to the same password [75]. Furthermore, even actual attacks on the systems were often not detected. In the above-mentioned case of 2000 when a con- sultant broke into the control system of sewage treatment in Queensland, Australia, it took over 40 attempts to actually unleash the raw sewage. Not one of the unsuccessful attempts, however, was noticed by the people managing the infrastructure [15]. 4.4. Recommendations From the analysis carried out above, mainly three different recommendations can be derived. They regard the awareness towards security issues, the communication paths between countries and different institutions, and the dealing with terrorist contents. 4.4.1. Security Awareness Especially the results of the last section show that a severe problem lies in the level of protection at the different sites. Unprotected systems – especially if they are responsi- ble for valuable infrastructure, services, or data – pose a just too tempting target for cybercriminals as well as for terrorists. Therefore, a strong initiative should be started to incite the public and the private sector to invest more time, money, and care into security measures. In the public sector, several instruments have been introduced that were targeted to either test security level of public institutions or to raise their awareness towards secu- rity issues. The well known test called “Eligible Receiver” that was conducted in 1997, for example, was able to point out several serious vulnerabilities in the military’s com- puter network. Other tests have led to similar results. With a view to a raised awareness towards security issues, the U.S. FISMA is a good example. Through this act public institutions are forced to inspect and adjust their measures at regular intervals. Similar initiatives could lead to better results also in the private sector. Currently, many companies might not be aware of their importance for the economy as a whole – or at least they do not act according to this role. According to Richard Clarke a typical company devotes only one quarter of one percent of its information technology budget to cyber security or – as he puts it – “slightly less than they spend on coffee” [40]. To- day, these figures have changed slightly, but still more than half of the companies that 13 In U.S. school grades an “A” stands for “excellent”, “B” for “above average”, “C” for “average” and “D” for “below average, but passing”. Grades of “F” (or “E”) mean failure.
    • 56 P.W. Brunst / Use of the Internet by Terrorists answered to the CSI survey of 2007 stated that they spent 5% or less [77].14 A possible initiative could – as a first step – classify companies according to their endangerment. If – according to this classification – high- and medium-risk businesses would also be audited (comparable to FISMA), this again could have two positive effects: First, it would be known, which companies are responsible for certain critical infrastructures. In the U.S. alone, for example, some 5,700 companies are deemed to be essential to national security [78]. Secondly, it would become known which dependencies between these companies currently exist. Thirdly, due to the auditing, also companies in the private sector would have to increase their security level constantly. 4.4.2. Communication Paths The second recommendation against digital attacks concerns the communication between different institutions in the case of an attack. Most cybercrime cases involve not only resources in one, but in many different countries or institutions at the same time. Therefore, fast and efficient communication is of the essence to fight digital at- tacks. Several initiatives have been made so far to strengthen this sharing of informa- tion in the event of a digital attack. Article 35 of the Convention on Cyber Crime by the Council of Europe, for exam- ple, asks the member countries to introduce contact points that are available on a 24 hour, 7 day per week basis in order to ensure immediate assistance for the purpose of investigations or proceedings concerning criminal offences related to computer systems and data. This 24/7 network is an important step towards fast communication paths between different countries. Similar activities, however, are needed not only between countries, but also be- tween the different institutions within each country. In the U.S., for example, the Na- tional Infrastructure Protection Center (NIPC) was created in 1998. Its mission is to provide “a national focal point for gathering information on threats to the infrastruc- tures, and providing the principal means of facilitating and coordinating the federal government’s response to an incident, mitigating attacks, investigating threats, and monitoring reconstitution efforts.” [79]. To accomplish this mission, the NIPC believes that it is necessary to build a “coalition of trust amongst all government agencies, be- tween the government and the private sector, amongst the different business interests within the private sector itself, and in concert with the greater international commu- nity” [79]. In essence, fixed communication paths have to be established between (1) different countries (e.g. through the 24/7 network of the Council of Europe), (2) between the different institutions and services in the public sector, and (3) between important com- panies in the private sector and institutions in the public sector. As a guide on what companies have to be considered “important” in this context, the infrastructure defini- tion of the NIPC can be taken into account. It defines infrastructure as “those physical and cyber-based systems essential to the minimum operations of the economy and gov- ernment, including telecommunications, energy, banking and finance, transportation, water systems, emergency systems, both governmental and private” [79]. 14 12% of the companies asked in the 2007 survey answered that they spend less than 1% of the IT budget on security (2006: 21%), 23% (2006: 26%) stated that they spend one to two percent and 26% (2006: only 6%) invested from 3 to 5%. These figures are based on 484 Respondents. See [77].
    • P.W. Brunst / Use of the Internet by Terrorists 57 4.4.3. Terrorist Contents The final recommendation regards the interaction with terrorist contents, e.g. websites and training materials. It might sound provocatively, but the (young) history of the Internet shows that all efforts to censor and control media and communication are doomed to fail. Technically, it is almost impossible to effectively hinder websites or to block communication between terrorists [47] – especially if encryption technology or other methods to obscure their communications are being used. Additionally, all of these efforts threaten civil liberties and the freedom of law-abiding citizens. Finally, it is still unclear how the valuation of crimes and ethics in different countries can safely be combined. Therefore, countries should refrain from enacting ineffective control methods of a purely symbolic nature that seriously infringes the freedom of information rights and that can lead to the development of uncontrolled surveillance [1]. Instead, advantage should be taken of the situation that terrorists communicate over open channels [60]. This can be used, for instance, to register activities, assess the size and possibly future actions of terrorist groups. References [1] U. Sieber/P. Brunst, in: Council of Europe (Ed.), Analytical Report: Cyberterrorism and Other Use of the Internet for Terrorist Purposes, Strasbourg 2007 (forthcoming). [2] J. Record, Bounding the global war on terrorism. Strategic Studies Institute of the U.S. Army War College, http://www.strategicstudiesinstitute.army.mil/pdffiles/PUB207.pdf [last visited: September 2007], December 2003. [3] B. Golder/G. Williams, What is ‘terrorism’? Problems of legal definition, University of New South Wales Law Journal 2004, Vol. 27, p. 270-295. [4] B. Foltz, Cyberterrorism, computer crime, and reality, In: Information Management & Computer Secu- rity, 15.03.2004, Vol. 12, No. 2, p. 154-166. [5] M. Conway, Reality Bytes: Cyberterrorism and Terrorist ‘Use’ of the Internet, In: First Monday, 04.11.2002, Vol. 7, No. 11, http://firstmonday.org/issues/issue7_11/conway/ [last visited: September 2007]. [6] M. Gercke, „Cyberterrorismus“ – Aktivitäten terroristischer Organisationen im Internet, CR 2007, p. 62-68. [7] G. Weimann, Terror on the Internet, Washington D.C. 2006. [8] C. Wilson, Computer Attack and Cyberterrorism: Vulnerabilities and Policy Issues for Congress, Con- gressional Research Service Report for Congress (RL32114), Updated April 1, 2005. [9] Tomuschat, C., Council of Europe Committee of Experts on Terrorism (CODEXTER), Strasbourg, On the possible “added value” of a comprehensive Convention on Terrorism, 26 Human Rights Law Jour- nal 2005, p. 287-306. [10] U. Sieber, The Threat of Cybercrime, in: Council of Europe (ed.), Organized Crime in Europe, stras- bourg 2005, p. 81-218. [11] L. Janczewski/A. Colarik, Managerial Guide for Handling Cyber-Terrorism and Information Warfare, Hershey, London 2005. [12] M. Vatis, Cyber attacks during the war on terrorism: a predictive analysis, 22.09.2001, http://www.ists.dartmouth.edu/analysis/cyber_a1.pdf [last visited: September 2007]. [13] J. Leyden, Mass hack takes out govt sites, The Register, 22.01.2001, http://www.theregister.co.uk/ 2001/01/22/mass_hack_takes_out_govt/ [last visited: September 2007]. [14] Y. Musharbash, US-Firmen-Website für Qaida-Botschaft gehackt, Spiegel Online, 17.06.2004, http://service.spiegel.de/digas/find?DID=31237523 [last visited: September 2007]. [15] S. Berinato, The Truth About Cyberterrorism, CIO Magazine, 15.03.2002, http://www.cio.com/archive/ 031502/truth.html [last visited: September 2007]. [16] S. Stasiukonis, Social Engineering, the USB Way, http://www.darkreading.com/document.asp? doc_id=95556&WT.svl=column1_1 [last visited: September 2007].
    • 58 P.W. Brunst / Use of the Internet by Terrorists [17] G. Weiman, Cyberterrorism: The Sum of All Fears? Studies in Conflict & Terrorism, 28 (2005), p. 129- 149. [18] Symantec Corp, Internet Security Threat Report XI (March 2007). [19] B. Bidder, Angriff der Cyber-Söldner, Der Spiegel 31/2007, pp. 74-76. [20] OLG Frankfurt a.M., MMR 2006, pp. 547-552. [21] D. Denning, Activism, Hacktivism, and Cyberterrorism: The Internet as a Tool for Influencing Foreign Policy, http://www.totse.com/en/technology/cyberspace_the_new_frontier/cyberspc.html [last visited: September 2007]. [22] G. Weiman, Cyberterrorism. How real is the threat? United States Institute of Peace Special Report 119, December 2004, http://www.usip.org/pubs/specialreports/sr119.pdf [last visited: September 2007]. [23] C. Stöcker, Delle im Datenstrom: Hacker attackieren Internet-Rootserver, http://www.spiegel.de/ netzwelt/tech/0,1518,464926,00.html [last visited: September 2007]. [24] ICANN, Factsheet on root server attacks on 6 February 2007, as of: 01 March 2007, http://icann.org/announcements/factsehhet-dns-attack-08mar07.pdf [last visited: September 2007]. [25] A. Wilkens, Kabelbruch im Atlantik koppelt Island vom Internet ab, Heise Online 18.12.2006, http://www.heise.de/newsticker/meldung/82700 [last visited: September 2007]. [26] C. Persson, „Rückfall ins Telefonzeitalter“ nach Erdbeben, Heise Online, 28.12.2006, http://www.heise.de/newsticker/meldung/83007 [last visited: September 2007]. [27] D. Leppard, Al-Qaeda plot to bring down UK internet,Times Online, 11.03.2007, http://www.timesonline.co.uk/tol/news/uk/crime/article1496831.ece [last visited: September 2007]. [28] D. Bachfeld, War der Wurm drin? IT-Sicherheit in der US-Stromversorgung, http://www.heise.de/ ct/03/18/034/default.shtml [last visited: September 2007]. [29] R. Lenzner/N. Vardi, The Next Threat, www.forbes.com/forbes/ 2004/0920/070_print.html [last vis- ited: September 2007]. [30] G. Giacomello, Bangs for the Buck: A Cost-Benefit Analysis of Cyberterrorism, In: Studies in Conflict & Terrorism, Vol. 27 (2004), p. 387-408. [31] F. Cohen, Cyber-Risks and Critical Infrastructures, In: Alan O’Day (Ed.), Cyberterrorism, p. 1-10. [32] G. Ou, RFID passports with improper shielding triggers bomb in simulation, ZDNet 09.08.2006, http://blogs.zdnet.com/Ou/?p=289 [last visited: September 2007]. [33] H. Cheung, Blackhat 2006: Explosive risks in RFID-enabled passports? TG Daily 03.08.2006, http://www.tgdaily.com/content/view/27899/113/ [last visited: September 2007]. [34] S. Koesch/F. Magdanz/R. Funkchip-Reisepass zündet Bombe, Spiegel Online, 21.08.2006, http://www.spiegel.de/netzwelt/mobil/0,1518,432654,00.html [last visited: September 2007]. [35] P.H. Gleick, Water and terrorism, Water Policy 8 (2006), p. 481-503. [36] Testimony of FBI Deputy Assistant Director Keith Lourdeau at the Hearing before the subcommittee on terrorism, technology and homeland security of the committee on the judiciary United States Senate on “Virtual Threat, Real Terror: Cyberterrorism in the 21st Century”, Feburary 24, 2004, Serial No. J-108- 58. [37] B. Gellman, Cyber-Attacks by Al Qaeda Feared, The Washington Post, June 27, 2002, page A01. [38] P.H. Gleick, Water Conflict Chronology (as of: October 12, 2006), http://worldwater.org/ conflictchronology.pdf [last visited: August 2007]. [39] M. Pollitt, Cyberterrorism – Fact or Fancy? http://www.cs.georgetown.edu/~denning/infosec/ pollitt.html [last visited: September 2007]. [40] J. Green, The Myth of Cyberterrorism. There are many ways terrorists can kill you – computers aren’t one of them. Washington monthly, November 2002. http://www.washingtonmonthly.com/features/ 2001/0211.green.html [last visited: September 2007]. [41] U.S. Army Training and Doctrine Command, Cyber Operations and Cyber Terrorism, DCSINT Hand- book No. 1.02, http://www.fas.org/irp/threat/terrorism/sup2.pdf [last visited: September 2007]. [42] F. Rötzer, Vorsicht, schießender Roboter, Telepolis 19.08.2000, http://www.heise.de/tp/r4/artikel/6/ 6973/1.html [last visited: September 2007]. [43] W. Stieler, Schießender Roboter beunruhigt Experten, Heise News 31.08.2000, http://www.heise.de/ newsticker/meldung/11621/ [last visited: September 2007]. [44] G. Weimann, www.terror.net. How Modern Terrorism Uses the Internet. United States Institute of Peace Special Report 116, March 2004, http://www.usip.org/ pubs/specialreports/sr116.pdf [last visited: September 2007]. [45] S. Coll/S. Glassner, Terrorists turn to the web as base of operations, The Washington Post, 7 August 2005, Section A01. [46] Y. Tsfati/G. Weimann, www.terrorism.com: Terror on the Internet, In: Studies in Conflict & Terrorism 2002 (25), p.317-332. [47] T. Thomas, Al Qaeda and the Internet: the danger of “cyberplanning”, In: Parameters, Spring 2003.
    • P.W. Brunst / Use of the Internet by Terrorists 59 [48] Y. Musharbash, The Cyber-Cemetery of the Mujahedeen, Spiegel Online, 28.10.2005, http://www.spiegel.de/international/0,1518,382097,00.html [last visited: September 2007]. [49] Bundesministerium des Inneren (Ed.), Verfassungsschutzbericht 2005, Berlin 2006. [50] S. Lawrence, Terrorism and the Internet, Technology Review, February 2005, p. 50-51. [51] A. Ramelsberger, Krieger im Internet, Süddeutsche Zeitung, 15 March 2007, p. 5. [52] Süddeutsche Zeitung, „Diesen Krieg könnt ihr Euch nicht leisten“, Süddeutsche Zeitung vom 11.03.2007, http://www.sueddeutsche.de/deutschland/artikel/189/105084/ [last visited: September 2007]. [53] N. D. Kristof, Terrorists in Cyberspace, The New York Times, 20 December 2005, Section A, Coumn 5, Editorial Desk, Pg. 31. [54] Y. Musharbash, Al-Qaida launches a weekly news show, Spiegel Online, 07.10.2005, http://www.spiegel.de/international/0,1518,378633,00.html [last visited: September 2007]. [55] E. Kohlmann on ZDNet Government 19 April 2006, http://government.zdnet.com/?p=2216 [last vis- ited: September 2007]. [56] J. Tolson, Cracking al Qaeda’s code, U.S. News & World Report; 5/17/2004, Vol. 136 Issue 17, pp. 72- 73. [57] S. Krempl, Terroristen verstecken Botschaften angeblich in IP-Headern, Heise News from 09.03.2003, http://www.heise.de/newsticker/meldung/35137 [last visited: September 2007]. [58] Y. Musharbash, Beim Barte des Bin Laden! Spiegel Online 13 September 2007, http://www.spiegel.de/politik/ausland/0,1518,505319,00.html [last visited: September 2007]. [59] B. Wagner, Experts Downplay Imminent Threat of Cyberterrorism, National Defense Magazine, Issue July 2007, http://www.nationaldefensemagazine.org/issues/2007/July/ExpertsDownplay.htm [last vis- ited: September 2007]. [60] S. Kaiser/M. Rosenbach/H. Stark, „Operation Alberich“, Der Spiegel 37/2007, p. 20-26. [61] President of the German Federal Police (Bundeskriminalamt) Jörg Ziercke, in Der Spiegel, 9/2007, p.36. [62] J. Radü, Terroristen suchen Ziele mit Google Earth, Spiegel Online, 13.01.2007, http://www.spiegel.de/netzwelt/web/0,1518,459542,00.html [last visited: September 2007]. [63] T. Harding, Terrorists ‘use Google maps to hit UK troops’, Telegraph 13 January 2007, http://www.telegraph.co.uk/news/main.jhtml? xml=/news/2007/01/13/wgoogle13.xml [last visited: Sep- tember 2007]. [64] F. Patalong, Das zensierte Weltauge, http://www.spiegel.de/netzwelt/web/0,1518,464186,00.html [last visited: September 2007]. [65] A. Seith, Google Earth verschleiert indische Verteidigungsanlagen, ttp://www.spiegel.de/netzwelt/web/ 0,1518,464178,00.html [last visited: September 2007]. [66] J. Kuri, BKA-Forensiker entlöschen Bombenbaupläne, Heise News from 08.03.2007, http://www.heise.de/newsticker/meldung/86388 [last visited: September 2007]. [67] Y. Musharbash, Qaidas Leitfaden für Entführungen, Spiegel Online, 30.11.2005, http://www.spiegel.de/politik/ausland/0,1518,387691,00.html [last visited: September 2007]. [68] L. Greenemeier, “Electronic Jihad” app offers cyberterrorism for the masses, ITNews 3 July 2007, www.itnews.com.au/Tools/Print.aspx?CIID=85204 [last visited: September 2007]. [69] L. Greenemeier, Cyberterrorism: By Whatever Name, It’s On The Increase, InformationWeek 7 July 2007, http://www.informationweek.com/story/showArticle.jhtml?articleID=200900812 [last visited: September 2007]. [70] G. Weimann, Terrorists and Their Tools – Part II. Using the Internet to recruit, raise funds, and plan attacks, YaleGlobal, 26.04.2004, http://yaleglobal.yale.edu/article.print?id=3768 [last visited: Septem- ber 2007]. [71] T. Espiner, Foreign powers are main cyberthreat, U.K. says, ZDNet 11/22/05, http://news.zdnet.com/2102-1009_22-5967532.html [last visited: September 2007]. [72] C. Wagner, Countering Cyber Attacks, The Futurist, Issue May/June 2007, p. 16. [73] J. Davis, Hackers Take Down the Most Wired Country in Europe, Wired Magazine, Issue 15.09, http://www.wired.com/print/politics/security/magazine/15-09/ff_estonia [last visited: September 2007]. [74] A. Chang, China Denies Hacking Pentagon Computers, Wired News 4 September 2007, http://news.wired.com/dynamic/stories/C/CHINA_US_HACKERS?SITE=WIRE [last visited: Septem- ber 2007]. [75] R. Lemos, E-terrorism. Safety: Assessing the infrastructure risk, CNET News, 26 August 2002, http://news.com.com/2009-1001_3-54780.html [last visited: September 2007]. [76] P.-M. Ziegler, US-Behörden fallen bei IT-Sicherheit durch. Heise Security from 16.03.2006, http://www.heise.de/security/news/meldung/70946 [last visited: September 2007]. [77] Richardson, Robert, CSI Computer Crime and Security Survey 2007. Available at http://www.gocsi.com [last visited: September 2007].
    • 60 P.W. Brunst / Use of the Internet by Terrorists [78] B. Gellman, U.S. Fears Al Qaeda Cyber Attacks, Post-Newsweek Business Information Newsbytes, 26 June 2002. [79] Testimony of Ronald L. Dick, Director of the National Infrastructure Protection Center before the Hou- se Committee on Governmental Reform, Government Efficiency, Financial Management and Intergov- ernmental Relations Subcommittee on “Cyber Terrorism and Critical Infrastructure Protection” on 24 July 2002, http://www.fbi.gov/congress/congress02/nipc072402.htm [last visited: September 2007].
    • Responses to Cyber Terrorism 61 Centre of Excellence Defence Against Terrorism, Ankara, Turkey (Ed.) IOS Press, 2008 © 2008 IOS Press. All rights reserved. WWW.AL-QAEDA: The Reliance of al-Qaeda on the Internet1 Prof. Gabriel WEIMANN 2 Department of Communication, Haifa University, Israel Abstract. As this report illustrates, al Qaeda represents the worst that globalization and advanced community technologies have to offer. It is a virtual “network of networks”, a Jihadist franchise marketing its messages of death, as well as coordinating and recruiting on the Internet. Since 9/11, al Qaeda operatives have only sharpened their Internet skills and increased their web presence. The findings reported here come from a more general research project hosted and funded by United States Institute of Peace that summarized nine years of monitoring terrorist presence on the Net in the period between January 1998 and September 2007. Keywords. Internet, terrorism, al-Qaeda websites, al-Qaeda presence on the net “We were underestimating the amount of attention [al Qaeda] was paying to the Internet.” Roger Cressey, chief of staff of President Bush’s Critical Infrastructure Protection Board 3 Jihadism according to al Qaeda (as opposed to the classical reified conception of Jihad) is a thoroughly modern phenomenon. The Internet, that most contemporary of media, has become the leading platform of al Qaeda’s communication, propaganda, recruitment and networking. Al Qaeda is using hundreds of Jihadist websites, forums, chat rooms, electronic boards and blogs. One can certainly reach the conclusion that without the Internet, al Qaeda would not be able to function and survive. As Ayman al- Zawahiri, al Qaeda’s spiritual and religious leader, argued: “We must get our message across to the masses of the nation and break the media siege imposed on the jihad movement. This is an independent battle that we must launch side by side with the military battle.” The findings reported here come from a more general research project hosted and funded by United States Institute of Peace that summarized nine years of monitoring terrorist presence on the Net. The population for this study was defined as the Internet sites of terrorist movements as they appeared in the period between January 1998 and 1 Citing this report requires the author’s permission. Contact: Weimann@soc.haifa.ac.il 2 Dr. Gabriel Weimann is a Professor of Communication at Haifa University, Israel, and a former Senior Fellow at the United States Institute of Peace (USIP), Washington, DC. He has written widely on modern terrorism, political campaigns, and the mass media. His recent book, Terror on the Internet: The New Arena, the New Challenges, was published in April 2006. 3 Cited by Barton Gellman, “Cyber-Attacks by Al-Qaeda Feared,” Washington Post, June 27, 2002, A01.
    • 62 G. Weimann / WWW.AL-QAEDA: The Reliance of al-Qaeda on the Internet September 2007. We applied a systematic content analysis to the accumulating archive of terrorist sites. Throughout the years of monitoring the terrorist presence in the Net, we learned how to locate their new sites, how to search in chat rooms and forums of supporters and sympathizers for the new “addresses” and how to use links in other organizations’ websites to update our lists. This was often a Sisyphean effort, especially since in certain instances (e.g., al Qaeda’s websites) the location and the contents changed almost daily. The present report, one of numerous publications on the project of monitoring and analysis of the terrorist presence on the Internet, focuses on the terrorist entity that leads, in terms of amount as well a sophistication, terrorist abuse of the Net, namely al Qaeda. Al Qaeda Goes Virtual Al Qaeda (Arabic for “The Base”) traces its roots to the Afghan resistance to the Soviet invasion of Afghanistan in 1979. In 1982 Osama bin Laden joined the anti-Soviet resistance. He went to Afghanistan, where he joined the mujahedeen and established his own military camps. In 1988, bin Laden established al Qaeda, at first not as a terrorist organization but as a network of foreign soldiers who had come to Afghanistan, so that the soldiers’ relatives could track them. In 1989, when the Russians withdrew from Afghanistan, bin Laden returned to Saudi Arabia; however, the Saudi government placed him under house arrest and then forced him to move to Sudan. While in Sudan, bin Laden formed his alliances with militant groups from Egypt, Pakistan, Algeria, and Tunisia, as well as sending fighters to Chechnya and Tajikistan. In 1996, under American pressure, Sudan forced bin Laden and other members of al Qaeda to leave, and they moved to Afghanistan, where they stayed until the U.S. attacks on the Taliban in 2001. Given the transnational makeup and illicit nature of al Qaeda’s operations, the Internet has complemented the organization’s “fuzzy” structure and served its needs handily. The Net is becoming a major weapon in al Qaeda’s bid to win supporters to its cause, keep its decentralized structure, galvanize its members to action, and raise funds. As Middle East expert Paul Eedle argues, “The Web site is central to al Qaeda’s strategy to ensure that its war with the U.S. will continue even if many of its cells across the world are broken up and its current leaders are killed or captured. The site’s function is to deepen and broaden worldwide Muslim support, allowing al Qaeda or successor organizations to fish for recruits, money and political backing. The whole thrust of the site, from videos glorifying September 11 to Islamic legal arguments justifying the killing of civilians, and even poetry, is to convince radical Muslims that, for decades, the U.S. has been waging a war to destroy Islam, and that they must fight back.” 4 A widespread network of Web sites is used to feed directions and information from those at the top of al Qaeda to supporters and sympathizers around the world. Lectures, taped announcements, videos of terrorist attacks, guidebooks, and manuals are being spread by al Qaeda’s Web sites, forums, chat rooms, and online bulletin boards. 5 With 4 Eedle, Paul, “Terrorism.com”, The Guardian, July 17, 2002, http://www.guardian.co.uk/print/0,3858,4462872-103680,00.html 5 Mark Ward, “Websites Spread al-Qaeda Message,” BBC News Online, December 12, 2002,
    • G. Weimann / WWW.AL-QAEDA: The Reliance of al-Qaeda on the Internet 63 Net access spreading swiftly across the Middle East, the audience for the online campaign is steadily growing. According to Eedle, “The Internet is an ideal tool for a network like al-Qaeda. It is not a matter of a few radical-sounding messages posted on the odd bulletin board; it’s a very wide array of Internet sites and message boards … Al Qaeda has much wider ambitions than just setting off explosives. It is trying to mobilize the whole Muslim world against the West.” 6 Many of the sites associated with al Qaeda gain credibility by demonstrating in various ways their close links with the organization. Certain “fingerprints” in graphics and text clearly indicate whether the sites indeed have ties with al Qaeda. Evidence of direct links between al Qaeda and some of the Web sites is sometimes subtle to detect, but in many cases there is little doubt that this group is the source of the material. However, al Qaeda openly acknowledges the importance of the Internet as a propaganda tool, as it did on one of its numerous websites: “Due to the advances of modern technology, it is easy to spread news, information, articles and other information over the Internet. We strongly urge Muslim Internet professionals to spread and disseminate news and information about the Jihad through e-mail lists, discussion groups, and their own Web sites. If you fail to do this, and our site closes down before you have done this, we may hold you to account before Allah on the Day of Judgment … We expect our Web site to be opened and closed continuously. Therefore, we urgently recommend any Muslims that are interested in our material to copy all the articles from our site and disseminate them through their own Web sites, discussion boards and e-mail lists. This is something that any Muslim can participate in, easily, including sisters. This way, even if our sites are closed down, the material will live on with the Grace of Allah.” 7 The online propaganda strategy of al Qaeda, like its approach to online planning and coordination, takes advantage of the speed, anonymity and interactivity of the Internet. Al Qaeda’s sites are maintained by group members and supporters who are in direct contact with the members. Many sites are registered or hosted in Europe, Asia, or even the United States (according to a July 2004 survey, 76 percent of Islamic terrorist Web sites are hosted by American companies). 8 Many of these Web sites are anti- American and anti-West: “The Muslims know that America only wants to fight Islam and to liquidate everyone who acts according to the Islamic Shariah, because America knows that the biggest danger to it and for the Jews is Islam and its believers,” states the Azzam Publications site that features more than four dozen celebratory biographies of “Foreign Mujahideen Killed in Jihad.” The Azzam Publications site promotes the book edited by the convicted mastermind of the 1993 World Trade Center attack, Sheikh Omar Abdel Rahman, and another written by bin Laden’s mentor, Abdullah Azzam. The Al-Maqdese site markets the book called Strengthening the Legitimacy of the Ruin in America, which uses Islamic juridical arguments to justify the September 11 attacks. http://news.bbc.co.uk/2/hi/technology/2566527.stm 6 Ibid. 7 From the (al Qaeda) Web site Azzam, cited in Jihad Online: Islamic Terrorists and the Internet, published by the Anti-Defamation League (ADL), 2000, at: http://www.adl.org/internet/jihad_online.pdf 8 See “Islamist Websites and Their Hosts Part I: Islamist Terror Organizations” (online report, MEMRI, July 2004), http://www.memri.org/bin/articles.cgi?Area=jihad&ID=SR3104
    • 64 G. Weimann / WWW.AL-QAEDA: The Reliance of al-Qaeda on the Internet Al Qaeda’s Dynamic Presence on the Net One weapon against terrorists’ use of the Internet is direct assaults on their Web sites; however, all efforts to prevent or minimize al Qaeda’s use of the Internet have proved unsuccessful. In the late 1990s, when this project began, al Qaeda had one Web site (www.alneda.com). Today, though the original site was hacked, al Qaeda is present in hundreds of Web sites. If an al Qaeda site is taken offline by a counterterrorism agency, by the Internet Service Provider hosting it, or by hackers, it will reemerge on the server of another service provider. U.S. officials were searching the Internet for the reappearance of alneda.com, the original Web site used as a mouthpiece by al Qaeda terrorists. It was registered in Singapore and appeared on Web servers in Malaysia and Texas before it was taken off at the request of U.S. officials. Then it changed its name and URL every few days, forced to move from server to server by citizens who complained to the ISPs hosting the sites. Then, in late 2002, al Qaeda lost the Internet domain: it expired and was acquired by a private citizen. The Alneda site operators tried to reappear by using various server accounts that had no associated domain name. When that failed, they started posting the Alneda site as a “parasite.” Sheikh Yousef Al-Ayyeri, who operated this site, exploited a known “bug” in a program called cPanel, found on many Web servers. This flaw allowed him to install his site as a “parasite” on an existing and legitimate site. Thus, the Alneda site was posted on the hijacked Web site until someone noticed and got the ISP to remove the illegal site. When it was removed, the process started again. This pattern of Alneda’s presence on the Net began in the end of September 2002 and continued until April 2003. In April 2003 al Qaeda’s Web site reemerged, this time named “Faroq,” flying the banner of Alneda. Although the new site and other al Qaeda sites moved regularly, various informal means were used to pass on details of the site’s new locations, including via e-mails, chat rooms, and announcements or links on other groups’ Web sites. The new Web site, faroq.com, began as an al Qaeda site focusing primarily on fighting the United States in Iraq but then transformed itself into a more general site, including reposting content from the original Alneda site. Today, being on the run, al Qaeda’s organization is even more virtual, which often means more dependent on the Internet to spread propaganda and plot operations. This reliance on the free access and use of the Net is also one of the main reasons why, despite the many blows that it received since 9/11, the organization’s operational capabilities have not truly diminished. The Advantages of the Net for al Qaeda Al Qaeda’s marginalized status vis-à-vis the Western media is partly a consequence of what Phillip Hammond refers to as ‘the media war on terrorism’. 9 Bemoaning this ‘media siege’, al Qaeda as well as other terrorist groups have turned to the Internet as their principal ideological and practical channel of communication. Thus, proliferation of terrorist websites demonstrated an exponential growth from 12 websites in 1998 to 9 Phillip Hammond, ‘The Media War on Terrorism’, Journal for Crime, Conflict and the Media (Vol. 1, No. 1, 2003), pp. 23–36.
    • G. Weimann / WWW.AL-QAEDA: The Reliance of al-Qaeda on the Internet 65 over 5,500 in 2007. 10 By its very nature, the Internet is in many ways an ideal arena for activity by terrorist organizations. Most notably, it offers: easy access; little or no regulation, censorship, or other forms of government control; potentially huge audiences spread throughout the world; anonymity of communication; fast flow of information; interactive communication; inexpensive development and maintenance of a web presence; and a multimedia environment (the ability to combine text, graphics, audio, and video and to allow users to download films, songs, books, posters, and so forth). 11 Al Qaeda is using the Internet for various purposes, targeting various audiences. Our studies have identified at least eight different uses that can be grouped into two categories: communicative and operational uses. Let us explain and illustrate some of these al Qaeda uses of the Net. The Communicative Uses From the communicative perspective, terrorism has often been conceptualized as a form of psychological warfare, and certainly al Qaeda has sought to wage such a campaign through the Internet. For instance, al Qaeda uses the Internet to spread disinformation, to deliver threats intended to instill fear and helplessness, and to disseminate horrific images of recent actions. The Internet—an uncensored medium that carries stories, pictures, threats, or messages regardless of their validity or potential impact—is peculiarly well suited to allowing even a small group to amplify its message and exaggerate its importance and the threat it poses. Since September 11, 2001, al Qaeda has festooned its websites with a string of announcements of an impending “large attack” on U.S. targets. These warnings have received considerable media coverage, which has helped to generate a widespread sense of dread and insecurity among audiences throughout the world and especially within the United States. Interestingly, al Qaeda has consistently claimed on its websites that the destruction of the World Trade Center has inflicted psychological damage, as well as concrete damage, on the U.S. economy. Another popular communicative use of the Net is for publicity and propaganda. Until the advent of the Internet, terrorists’ hopes of winning publicity for their causes and activities depended on attracting the attention of television, radio, or the print media. The fact that terrorists themselves have direct control over the content of their websites offers further opportunities to shape how they are perceived by different target audiences and to manipulate their image and the image of their enemies. Thus, the most visible part of al Qaeda’s online presence involves the spread of propaganda. For its online propaganda al Qaeda is using its media production branch, called As-Sahab 10 Tsfati, Yariv and Gabriel Weimann. 2002. “WWW.Terrorism.com: Terror on the Internet”, Studies in Conflict and Terrorism 25(5), pp. 317-332; Weimann, Gabriel, 2006. Terror on the Internet: The New Arena, The New Challenges. Washington, DC: United States Institute of Peace Press; Weimann, Gabriel. 2007. “Online Terrorism: Modern Terrorism and the Internet”. In Glaab, Sonja (Ed.): Medien und Terrorismus. Berlin: Berliner Wissenschaftsverlag (forthcoming). 11 Weimann, Gabriel, 2004. WWW.Terror.Net: How Modern Terrorism Uses the Internet. Special Research Report, Washington DC: United States Institute of Peace.
    • 66 G. Weimann / WWW.AL-QAEDA: The Reliance of al-Qaeda on the Internet Foundation for Islamic Media Publication (As-Sahab means “The Cloud” in Arabic). This organization uses modern technology to produce its video statements to the world, using semi-professional hardware. In addition to being released in Arabic, some published videos come with English or other language subtitles, while more recent productions include videos in English and German. Al Qaeda is also operating online radio and television broadcasting and an additional online production facility—the Global Islamic Media Group (GIMF), an al Qaeda mouthpiece group. Many terrorist groups, among them Hamas and al Qaeda, have undergone a transformation from strictly hierarchical organizations with designated leaders to affiliations of semi-independent cells that have no single commanding hierarchy. Through the use of the Internet, these loosely interconnected groups are able to maintain contact with one another—and with members of other terrorist groups. The Internet connects not only members of the same terrorist organizations but also members of different groups. For instance, dozens of sites exist that express support for terrorism conducted in the name of jihad. These sites and related forums permit terrorists in places such as Chechnya, Palestine, Indonesia, Afghanistan, Turkey, Iraq, Malaysia, the Philippines, and Lebanon to exchange not only ideas and suggestions but also practical information about how to build bombs, establish terror cells, and carry out attacks. Thus, al Qaeda has became an online “terrorist Internet Service Provider” linking together various elements of the worldwide Jihadist communities. To pursue this objective, bin Laden and his deputy Ayman al Zawahiri set up a unique structure whose essence was to provide a global virtual network linking together thousands of disparate human, financial, military, intellectual and technical resources. Thus al Qaeda became “the Jihad’s Franchise”, using the Net to link terrorist groups that range from Algeria’s “Groupe Islamique Armé” (later becoming GSPC) to Pakistan’s “Jaish Muhammad”, the Chechen rebels, the Iraqi insurgents or the al Qaeda cells in Lebanon or Indonesia. Al Qaeda’s Cyber-Propaganda Al Qaeda’s propaganda is reacting to every major event, attempting to benefit from disasters or scandals. Even the blackout in the Northeast and Midwest of the United States in the summer of 2003 was used by al Qaeda’s communications: Al Qaeda’s Abu Hafs Brigades posted online their announcement claiming responsibility for “Operation Quick Lightning in the Land of the Tyrant of this Generation,” referring to the blackout. 12 This was the third communiqué by this group: In previous postings they accepted responsibility for the downing of an airplane in Kenya and for the bombing of the Jakarta Marriott Hotel on August 5, 2003. The new communiqué assured readers that the operation “was carried out on the orders of Osama bin Laden to hit the pillars of the U.S. economy” as “a realization of bin Laden’s promise to offer the Iraqi people a present.” 13 The included text warned, “Let the criminal Bush and his gang know that the punishment is the result of the action, the soldiers of God cut the power on these cities, they darkened the lives of the Americans as these criminals blackened the lives of the Muslim people in Iraq, Afghanistan and Palestine. The Americans lived a black day they will never forget. They lived a day of terror and fear ... a state of chaos and 12 http://groups.yahoo.com/group/abubanan2/message/330. 13 See “Al-Qa’ida Claims Responsibility for Last Week’s Blackout” (online report, MEMRI, August 2003), http://www.memri.org/bin/articles.cgi?Area=jihad&ID=SP55303.
    • G. Weimann / WWW.AL-QAEDA: The Reliance of al-Qaeda on the Internet 67 confusion where looting and pillaging rampaged the cities, just like the capital of the caliphate Baghdad, and Afghanistan and Palestine were. Let the American people take a sip from the same glass.” 14 Another online channel used to promote the ideological legitimacy of global jihad is the Web site of al Qaeda’s Center for Islamic Studies and Research. This Web site has published the bimonthly virtual magazine Sawt al-Jihad, or The Voice of Jihad. 15 The new magazine focuses on the use of violence as jihad’s only way.16 The “editorial” by Sheikh Naser al-Najdi entitled “Belief First: They are the Heretics, the Blood of Each of Them Is the Blood of a Dog,” calls for the killing of every American: “My fighting brother, kill the heretic; kill whoever’s blood is the blood of a dog; kill those that Almighty Allah has ordered you to kill … Bush son of Bush … a dog son of a dog … his blood is that of a dog … Shut your mouth and speak with your other mouth—the mouth of the defender against his attacker. Rhetoric might cause retreat.” 17 Al Qaeda is also targeting women on the Net and attempts to recruit women for terrorist attacks. One of the articles posted on al Qaeda’s website, entitled “Umm Hamza, an Example for the Woman Holy Warrior,” tells the story of a female martyr, the late Umm Hamza, as told by her husband: “Umm Hamza and Martyrdom: Umm Hamza was very happy whenever she heard about a martyrdom operation carried out by a woman, whether it was in Palestine or Chechnya. She used to cry because she wanted a martyrdom operation against the Christians in the Arabian Peninsula.”18 The article also carries a copy of a letter handwritten by Umm Hamza shortly before her death. On August 26, 2004, al Qaeda launched its online women’s magazine called Al- Khansa, named after an early Islamic poetess who wrote eulogies for Muslims who died while fighting the “infidels”. The Web site also gives advice on raising children to carry on the Jihad, how to provide first aid for a family member injured in combat and descriptions of physical training women need to prepare themselves for fighting. The main goal of the magazine seems to be teaching women married to Islamists how to support their husbands in their violent war against the non-Muslim world. One of its first articles reads: “The blood of our husbands and the body parts of our children are our sacrificial offering.” 19 The Operational Uses Beyond communications, al Qaeda is increasingly using the Internet for operational purposes. Following the loss of Afghanistan as a sanctuary and training ground, al Qaeda moved to cyberspace, posting thousands of pages of its training manuals online. From the making of an IED or deadly chemical weapons to the staging of an ambush, the Internet has now become al Qaeda’s “virtual training camp”. The Net is used by terrorist organizations for data mining: they can learn from the Internet about the 14 Ibid. 15 Appeared first at http://www.cybcity.com/image900/index.htm and then changed sites. 16 For analysis of this magazine, see Reuvan Paz, “Sawt al-Jihad: New Indoctrination of Qa’idat al- Jihad” (Occasional Paper 1, no. 8, published by the Project for the Study of Islamist Movements [PRISM], 2003), http://www.e-prism.org/images/PRISM_no_8.doc. 17 Ibid. 18 Ibid. 19 “Women’s War Daily—Al Khansa Magazine and Azzam Publications Offers Handy Hints for Martyr Moms and Newlywed Jihadis,” Militant Islam Monitor, August 24, 2004, http://www.militantislammonitor.org/article/id/258.
    • 68 G. Weimann / WWW.AL-QAEDA: The Reliance of al-Qaeda on the Internet schedules and locations of targets such as transportation facilities, nuclear power plants, public buildings, airports and ports, and even counterterrorism measures. According to Secretary of Defense Donald Rumsfeld, speaking on January 15, 2003, an al Qaeda training manual recovered in Afghanistan tells its readers, “Using public sources openly and without resorting to illegal means, it is possible to gather at least 80 per cent of all information required about the enemy”. Specific targets that al Qaeda-related websites have discussed include the Centers for Disease Control and Prevention in Atlanta; FedWire, the money-movement clearing system maintained by the Federal Reserve Board; and facilities controlling the flow of information over the Internet. Al Qaeda websites use maps, diagrams and photos of potential targets downloaded from popular web sites such as Google Earth. One captured al Qaeda computer contained engineering and structural architecture features of a dam, which had been downloaded from the Internet and which would enable al Qaeda engineers and planners to simulate catastrophic failures. In other captured computers, U.S. investigators found evidence that al Qaeda operators spent time on sites that offer software and programming instructions for the digital switches that run power, water, transportation, and communications grids. Like many other political organizations, terrorist groups use the Internet to raise funds. Al Qaeda, for instance, has always depended heavily on donations, and its global fund-raising network is built upon a foundation of charities, non-governmental organizations, and other financial institutions that use websites and Internet-based chat rooms and forums. The Internet can be used not only to solicit donations from sympathizers but also to recruit and mobilize supporters to play a more active role in support of terrorist activities or causes. Recruiters may also use more interactive Internet technology to roam online chat rooms and cyber cafes, looking for receptive members of the public, particularly young people. Electronic bulletin boards and user nets (issue-specific chat rooms and bulletins) can also serve as vehicles for reaching out to potential recruits. The SITE Institute, a Washington, D.C.-based terrorism research group that monitors al Qaeda’s Internet communications, has provided chilling details of a high-tech online campaign launched to recruit fighters to travel to Iraq and attack U.S. and coalition forces there. Conclusion Al Qaeda represents the worst that globalization and advanced community technologies have to offer. Al Qaeda is a virtual “network of networks”, a Jihadist franchise marketing its messages of death and destruction on the Internet. Even if we witness the demise of al Qaeda, we are not likely to witness the demise of its spirit and appeal. In a briefing given in late September 2001, Ronald Dick, assistant director of the FBI and head of the United States National Infrastructure Protection Center (NIPC), told reporters that the hijackers of 9/11 had used the Internet, and “used it well.” Since 9/11, al Qaeda operatives have only sharpened their Internet skills and increased their web presence. How should democratic societies respond to the challenge of online al Qaeda? At least two principles seem clear. First, we must become better informed about the use of the Net by al Qaeda as well as other terrorists, and better able to monitor their activities. Those uses are numerous and, from the terrorists’ perspective, invaluable. Hence, it is imperative that security agencies continue to improve their ability to study and monitor terrorist activities on the Internet and explore measures to
    • G. Weimann / WWW.AL-QAEDA: The Reliance of al-Qaeda on the Internet 69 limit the usability of this medium by modern terrorists. The growing familiarity with terrorist online discourse may guide us to use the same Internet to challenge the culture of doom and death with an alternative discourse, with the voice of hope and humanism. Second, while we must thus better defend our societies against terrorism, we must not in the process erode the very qualities and values that make our societies worth defending. The Internet is in many ways an almost perfect embodiment of the democratic ideals of free speech and open communication; it is a marketplace of ideas unlike any that has existed before. Unfortunately, as this report has shown, the freedom offered by the Internet is vulnerable to abuse from groups that, paradoxically, are themselves often hostile to uncensored thought and expression. The use of advanced techniques to monitor, search, track, and analyze communications carries inherent dangers. Although such technologies might prove very helpful in the fight against cyber terrorism and Internet-savvy terrorists, they would also hand participating governments, especially authoritarian governments and agencies with little public accountability, tools with which to violate civil liberties domestically and abroad. It does not take much imagination to recognize that the long-term implications could be profound and damaging for democracies and their values, adding a heavy price in terms of diminished civil liberties to the high toll exacted by terrorism itself.
    • 70 Responses to Cyber Terrorism Centre of Excellence Defence Against Terrorism, Ankara, Turkey (Ed.) IOS Press, 2008 © 2008 IOS Press. All rights reserved. Cyberterrorism and International Cooperation: General Overview of the Available Mechanisms to Facilitate an Overwhelming Task Superintendent Süleyman ÖZEREN, Ph. D. Police Academy, Ankara, Turkey Abstract. Terrorism has emerged as one of the most complex and perplexing phenomena the world has faced. In addition to the tactics and ideological complexities, the dynamic nature of terrorism proves itself in the way terrorists adapt new technologies, like computers and other IT tools. Establishing consensus- based, concrete, result-oriented international cooperation in responding to terrorism seems very difficult in practice. However, available mechanisms to facilitate formal or informal cooperation in the area of cybercrime and cyberterrorism may be encouraging. The purpose of this article is to review the current situation with regards to international cooperation in responding to cyberterrorism by assessing the available mechanisms. The article also provides a list of recommendations to facilitate more concrete ways of realizing result- oriented international cooperation. The first section of the article considers the definition of cybterterrorism, along with a typology. The second part of the article analyzes international cooperation, including different forms of international cooperation, public and private cooperation, and international organizations which have facilitated cooperation among different countries. Finally the article provides policy implications as well as a list of recommendations. Keywords. Terrorism, counter-terrorism, international cooperation, treaties Definition of Cyberterrorism While the discussion of what constitutes cyberterrorism is presented under the second main heading, the definition of the term is given here to introduce the concept. Cyberterrorism can simply be defined as coercing others for a political cause, while using computing resources in cyberspace. “More comprehensively, cyberterrorism refers to the convergence of terrorism and cyberspace. It is generally understood to mean unlawful attacks and threats of attacks against computers, networks, and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political and social objectives” (Denning 2000). To clarify the difference between information warfare and cyberterrorism, it should be understood that cyberterrorism can be a component of information warfare,
    • S. Özeren / Cyberterrorism and International Cooperation 71 in other words, information warfare encompasses cyberterrorism (Taylor, Caeti, Loper, Fritch, and Liederbach, 2004, p. 20). According to Ron Dick, Director of NIIPC in 2002, cyberterrorism means any “criminal act perpetrated through computers resulting in violence, death and/or destruction, and creating terror for the purpose of coercing a government to change its policies” (as cited in Berinato, 2002). By combining the above concepts, cyberterrorism may also be defined as the politically motivated use of computers as weapons or as targets by sub-national groups or clandestine agents intent on violence, to influence an audience or cause a government to change its policies” (Wilson, 2003, p. 4). In her article, “What Is Cyberterrorism?” Conway defines the term cyberterrorism as “premeditated, politically motivated attacks by sub-national groups or clandestine agents against information, computer systems, computer programs, and data that result in violence against noncombatant and targets” (2002, p. 436). By this definition, Conway excludes cybercrime activities, including stealing credit card information, sending emails with pornographic content, or hacking a Web site. Some researchers in this area characterize an act as cyberterrorism only if the act results in destruction, death, and/or injury, and creates fear among the public (Denning 2000, Conway, 2002). Furthermore, some also claim that we have not witnessed the destructive aspect of cyberterrorism yet, and therefore they suggest that cyberterrorism does not exist at all (Denning, 1999). In terms of witnessing cyberterrorism, the claim might be considered to be an accurate one; however, there is also evidence indicating that terrorist organizations have been considering attacking information infrastructures and other communication networks by engaging in cyberterrorism (Devost 1995). In their article, “In Defense of Cyberterrorism: An Argument for Anticipating Cyber-Attacks,” Brenner and Goodman attempt to answer the question “why has cyberterrorism not yet manifested itself?” As an answer, they review the literature. The conclude that for some people, the reason why international terrorists have not mounted cyber attacks yet is that they do not have the capability in terms of the technical background. That explanation is called the “there are not enough good terrorist hackers theory,” which claims that the terrorists do not have the computer expertise to launch such attacks, and this perspective gives the target countries, in particular, Western countries, the comfort of thinking that they are safe (Brenner and Goodman, 2002, p. 46). Brenner and Goodman consider two problems with respect to that theory: First, this theory ignores the fact that the countries where the terrorists are active have the sophistication that is necessary to launch cyber attacks against the information infrastructure of other countries. For example, the Pakistani hacker groups, G-Force Pakistan and The Pakistani Hackers Club and the Sri Lankan Internet Black Tigers, a special unit of Sri Lankan Tamil Tigers of Tamil Eelam, are credited with executing attacks that seem to be a cyberterrorism campaign (Brenner and Goodman, 2002, p. 47). The second problem with the theory is that it underestimates the imminent possibility that terrorists can recruit “hacker mercenaries” who have the expertise and motivation to launch cyber attacks if they are paid (Brenner and Goodman, 2002, p. 48). Another explanation of why we have not seen cyberterrorism is that the leaders of the terrorist organizations come from an older generation; therefore, they may not see that type of attack as an alternative (Brenner and Goodman, 2002, p. 48). Another perspective for defining cyberterrorism is presented by Devost, Houghton, and Pollard. They define information terrorism as the “intentional use of a digital
    • 72 S. Özeren / Cyberterrorism and International Cooperation information system, network or component toward an end that supports or facilitates a terrorist campaign or action” (1997). The importance of such a definition is reflected in their statement that cyberterrorism is the “nexus between criminal information system fraud or abuse, and the physical violence of terrorism” (1997). They are fully aware of the fact that one of the most important aspects of defining terrorism is to include politically motivated violence instead of defining the term with actions which may have nothing to do with violence. However, with this definition, they want to “allow for the inclusion of pure information-system abuse” as a new face of terrorism (as cited in Conway, 2002, p. 437). Of course that kind of approach results in including cybercrime activities within the context of cyberterrorism only if they are politically motivated. In addition to these perspectives, a guide prepared by the Federal Emergency Management Agency (FEMA) discusses the concept of cyberterrorism and presents its own perspective as to what it is. According to the FEMA, in order for an attack to be qualified as cyberterrorism, it should cause violence against property or person, or “at least cause enough harm to generate fear” (FEMA, 2002). Also, FEMA reveals the distinction between cybercrime and cyberterrorism (2002): “Cyberterrorism is distinct from computer crime, economic espionage, and “hactivism,” although terrorists may employ any of these forms of computer abuse to further their agendas. The weapons of cyberterrorism computers differ from weapons of mass destruction such as biological agents, chemical agents, and radiological agents in that they don’t directly cause death and injury. However, acting indirectly, they can cause serious consequences to individuals, businesses, industry, government, and the public at large. Depending on how they are used, they can lead to injury and death.” The definition offered by the FEMA has an important component which underlies the definition of terrorism and cyberterrorism. An action that generates fear in the public may become a means for terrorists; in other words, a politically motivated attack which results in a tremendous amount of fear and panic in the public may well be characterized as cyberterrorism, even though it does not lead to physical injury or death. The fact is: “Anyone who could learn to fly a commercial airliner could probably acquire the expertise to penetrate one of our critical information systems” (as cited in Brenner and Goodman, 2002, p. 45). It is not a reasonable assumption that today’s terrorists do not have the capability of carrying out cyber attacks. Cyber attacks by individuals, such as hackers and other criminal entities, provide strong evidence that the Internet can be a tool for terrorists who attempt to exploit every possible means available to them for their cause. Cyberterrorism as a Force Multiplier Conventional terrorist tactics, such as car bombings, assassinations, suicide bombings, kidnapping, and hijacking may never be replaced by cyber attacks. However, as a force multiplier, cyberterrorism can create more effect if it is executed in concert with other traditional terrorist actions. A good example can be the scenario created by CSIS involving the detonation of a bomb as a conventional terrorist act and a denial of service attack as a force multiplier (Cilluffo, 2000). Brenner and Goodman analyze the characteristics of cyberspace and the advantages that it provides for terrorists and other criminal entities. The first characteristic of cyberspace is that “cyberspace is borderless” (Brenner and Goodman, 2002, p. 12). As the former CIA Director George Tenet affirms, cyberspace gives
    • S. Özeren / Cyberterrorism and International Cooperation 73 terrorists the operational flexibility and greater security which can be capitalized on in many ways, including establishing networks with other terrorist organizations and members, communicating between members, and facilitating use of the Internet as a propaganda mechanism (as cited in Brenner and Goodman, 2002, pp. 13-14). Also, cyberspace enables terrorists to attack multiple targets at the same time, which can increase the significance of the attack. An interesting perspective by two authors, Brenner and Goodman, is that cyber attacks can act as “terror multipliers,” which is a term for force multiplier (2002, p. 26). Terror multiplier can be explained as the effect of a cyber attack which is created by the anonymous nature of the attack source, and its unknown consequences. Terrorists will attack vulnerable targets, as opposed to the well-protected ones, in order to be successful in their actions and create appropriate conditions which will serve their cause. Vulnerability represents one of the most important concepts of this research. Therefore, the next section focuses on the definition and detailed explanation of vulnerability. Typology of Cyberterrorism There are different approaches in terms of the typology of cyberterrorism. For example, Collin (1999) identifies three types of cyberterrorist acts: Destruction, alteration, and acquisition and retransmission. Grabosky et al. (1998) also identifies three major forms of cyberterrorist acts: destruction of the files, impeding accessibility to data files by encrypting it, and significantly overloading a system, thereby impairing the system’s capability. Another classification of cyberterrorism, “information operations,” is presented by Zanini and Edwards (2001, p. 41). The term they used, in fact, has the same meaning as “cyberterrorism.” According to Zanini and Edwards (2001, p. 41), there are three types of offensive activities terrorists can use: First, terrorists can use information technologies such as the Internet for perception management and propaganda. Second, by using the Internet and other computer networks, terrorists can carry out disruptive attacks. Finally, they can use the networks for destructive purposes (2001). Perception management and propaganda involve both influencing public opinion and recruitment of new members. The final type of attack is the destructive attack, which is carried out to cause actual destruction of virtual and physical systems, including power, water, or traffic control systems (2001, p. 45). However, some analysts argue that since these attacks may not result in loss of human life they may not produce the same emotional reaction as traditional attacks do (Denning, 2001). On the other hand, Ballard et al. conceptualized a more comprehensive typology of cyberterrorism called “cyber incident typology” (Ballard, Hornik, and McKenzie, 2002, p. 1009):
    • 74 S. Özeren / Cyberterrorism and International Cooperation Table 1. Cyber incident typology Category Definition and Explanation Information Cyberterrorist attacks focused on altering or destroying the content of electronic files, attacks computer systems, or the various materials therein. Infrastructure Cyberterrorist attacks designed to disrupt or destroy the actual hardware, operating attacks platform, or programming in a computerized environment. Technological Use of cyber communications to send plans for terrorist attacks, incite attacks, or facilitation otherwise facilitate traditional terrorism or cyberterrorism. Fundraising and Use of the Internet to raise funds for a violent political cause, to advance an promotion organization supportive of violent political action, or to promote an alternative ideology that is violent in orientation. Source: Ballard, J. D., Hornik, J. G., & McKenzie, D. (2002), “Technological facilitation of terrorism: Definitional, legal and policy issues,” American Behavioral Scientist, 45, (6), 989-1016. International Cooperation as a Tool to Confront the Cyberterrorism Threat Cooperation with other countries must be a central part of building cyber security (Lewis, 2003, xii). However, “The Internet does not yet have the Web of cooperation that has been built up elsewhere” (Lewis, 2003, p. xii). There are reasons behind this lack of cooperation. First of all, it is new to some states, secondly, some states may not know what is needed, and finally, it touches on many sensitive issues ranging from economic competition, privacy, and access, to national security (Lewis, 2003). In particular, the difficulty with respect to national security and cyber security is that it is always a question as to the extent to which free states are willing to cooperate with other nations in national security issues while they may be required to advertise their own vulnerabilities (Lewis, 2003, p. xix). With advances in technology, financial and banking systems, telecommunication networks, aviation systems, and air traffic control become more reliant on computer and telecommunication networks, which serve many countries but are not controlled by a single country. Therefore, it may be reasonable to claim that it may be easier to facilitate international cooperation in critical infrastructure protection by starting with areas where the transnational connections are very large, such as financial services (Lewis, 2003, p. xix). Models of International Cooperation According to Miyawaki (1999), “The ease with which the origins of cyber attacks can be hidden, and the fact that cyber attacks on one nation can come from anywhere on the globe, mean that cybercrime and cyberterrorism are truly international threats.” Ever since terrorism and other types of transnational criminal activities became the main topics in the international arena, the term ‘cooperation’ has become a focal point for every government. In particular, bilateral and multilateral cooperation have been shown as the most effective method to respond to transnational cybercrime and cyberterrorism. The next section will present strategies, attempts, and efforts with respect to countering cyberterrorism and cybercrime.
    • S. Özeren / Cyberterrorism and International Cooperation 75 Lukasik presents a detailed analysis of responding to transnational cybercrime and cyberterrorism. Lukasik asserts that in order to have a successful global response, the following elements should be in place: A common terminology between parties involved in the incident to include identification of the intruder’s modus operandi, the technical attack details, and the identification of the targets Knowledge of the technical skills of all parties involved in resolving the incident Knowledge of existing agreements on how incidents of a variety of types are to be handled An understanding of the common and conflicting societal issues surrounding the incidents (2001, pp. 152-153). Later he lists the critical elements that have to be in place in order to have what he calls a “framework for international cooperation”: Broad membership, consisting of both the world’s most technologically advanced nations as well as developing nations, all of whom share the benefits and the risks of global information architectures A voluntary and non-coercive environment based on concepts of consensus and practical experience Open technical standards that prevent the manipulation of information technology for unilateral gain An open organizational structure that provides opportunities for all constituencies to express their concerns A mechanism for providing continuous monitoring of actions that can adversely impact privacy Mechanisms for reviewing the state of information technology and its practical implementations to enable the international framework to remain relevant in the light of changing capabilities and requirements Mechanisms that can assist in building trust relationships globally Funding arrangements that can assist less developed nations in meeting their responsibilities to protect the information commons (2001, pp. 176-177). In terms of international cooperation, there are different forms of relationship among governments and their related law enforcement agencies. These cooperative efforts are: 1. Formal bilateral cooperation: Mutual legal assistance treaties (MLATs) 2. Informal bilateral cooperation: Individual police contacts (inter-agency cooperation), CERTs, etc. 3. Formal multilateral cooperation: Council of Europe 4. Informal multilateral cooperation: G-8, OECD, APEC, CERT collectives. The necessity for multilateralism emerges because countries have different rules to regulate extradition and legal assistance as well as different substantive laws that govern computer crime (Barkham, 2001). “Operational efforts to prevent and respond to computer attacks must be global” and so far, the most effective international cooperation to respond to cyber attacks have been bilateral in nature (Vatis, 2003, pp. 1-2). There are advantages and disadvantages of all of these four types of cooperation. For example, Vatis presents some of the obstacles facing MLATs as follows: First of all, the scope of the MLATs is narrow in terms of the number of the countries. For
    • 76 S. Özeren / Cyberterrorism and International Cooperation example, the U.S. State Department has mutual legal assistance in criminal matters treaties (MLATs) in force with 19 nineteen countries. Secondly, most of these treaties do not cover cybercrime specifically or do so in general terms (Vatis, 2003, p. 2). Finally, application of the MLATs can be time-consuming since these may involve more paper work and other bureaucratic procedures. This final obstacle may not be a major problem for traditional crime when the issue is physical evidence; however, in cybercrime, time is significant since it may take a few minutes if not seconds to destroy evidence or lose track of the criminals (Vatis, 2003, p. 3). In addition to the issues discussed above, there are more fundamental issues involving international cooperation. First of all, the growth of computer technology and reliance on these types of technologies may differ from country to country. In other words, some countries have not yet seen such crime while others may have experienced many such crimes; therefore, while some countries may have substantive and procedurally clear laws regarding cybercrime and cyberterrorism investigation, others may not have a clue as to what these concepts represent (Vatis, 2003, p. 3). The second important reason is that it may become very difficult to distinguish cybercrime from information warfare, given the fact that many countries are developing cyber techniques for fighting a war or intelligence purposes (Speeches and Testimony, 1998). Vatis considers bilateral cooperation to be more feasible and gives some of the examples: In February and March 1998, more than fifty civilian, governmental, and private sector computer systems in the U.S. were affected when intruders penetrated at least 200 unclassified U.S. military personnel and other government computer systems. The timing of these attacks coincided with an increase in the U.S. military presence in the Middle East. The NIPC, working closely with the Israel’s law enforcement, identified two people in Cloverdale, CA, and individuals in Israel who were the true perpetrators In February 2000, the NIPC received reports that CNN, Yahoo, Amazon.com, e-Bay and other sites had been attacked through Distributed Denial of Service (DDOS), in which intruders took over the networks. The investigation has been carried out by the NIPC with the cooperation of the companies. The attacks have been traced to Canada. The NIPC has worked with the Royal Canadian Mounted Police (RCMP), and to arrest a juvenile, called “Mafiaboy,”was arrested In May 2000, individuals and companies around the world were attacked by the “Love Bug” or “I LOVE YOU” virus. The NIPC investigated the incident and identified the suspect by tracing the attack to the Philippines. The FBI, working closely with the Philippines’ National Bureau of Investigation, identified the suspect, Onel de Guzman (2003, p. 7) These are real world examples of bilateral cooperation between law enforcement agencies from two different countries. They are promising in the sense that they prove that working together creates results. Cuellar focuses in one article on the importance of the international treaty in terms of responding to cybercrime and cyberterrorism. He summarizes the effect of a treaty with respect to its political consequences which may advance the underlying goals of security and safety: a) deterrence of specific offenses: treaties among states allow for extradition and prosecution, which will marginally enhance deterrence against cybercrime and cyberterrorism. In other words, cyber offenders in general will be deterred from committing cybercrime since jurisdictional difficulties in the
    • S. Özeren / Cyberterrorism and International Cooperation 77 investigation of the offense will be removed with treaties. b) International cooperation for legal cooperation: A treaty will encourage cooperation between signatory countries’ law enforcement entities. c) Enhancing prospects for technical cooperation beyond the boundaries of the treaty: Since the treaty will be a starting point for having an international consensus as to which actions define cybercrime or cyberterrorism against civil aviation, eventually law enforcement and other entities responsible for investigating and prosecuting cybercrime and cyberterrorism will go beyond the confines of the treaty (Cuellar, 2001, p. 121). Public and Private Cooperation “The Internet and other aspects of the information infrastructure are inherently transnational” (Sofaer and Goodman, 2001, p. 2). The transnational nature of cybercrime and cyberterrorism requires that the public and the private sectors work together and cooperate. “The most active international cooperation for cyber security has been in law enforcement,” however, there has not been large scale cooperation outside of law enforcement” (Lewis, 2003, p. xix). For example, even though critical infrastructure protection has a law enforcement component, issues can go beyond the capacity of the law enforcement and it becomes an issue of national security (Lewis, 2003, p. xix). “Cyberterrorism and cybercrime could also overlap in damaging ways; groups can steal credit card numbers or important data to damage economies and for their own gain” (Lewis, 2003, p. xv). Localized law enforcement efforts toward cyber criminal activities are at a disadvantage in an interconnected world due to the limited jurisdiction that every law enforcement agency has. Nevertheless, Lewis is of the opinion that “cyber attacks are far less damaging than physical attacks” (Lewis, 2003, p. xiv). The next section focuses on the efforts aiming at responding to cyberterrorism and cybercrime. The examples are both of national and international level cooperation between law enforcement agencies as well as other international entities. They also include public- private cooperative efforts. Multilateral Level International Cooperation Group of 8 The Group of 8 (G-8) countries is composed of the U.S., the United Kingdom, France, Germany, Japan, Canada, Italy, and Russia. The leaders have been meeting annually since 1975 to discuss issues of importance, including crime and terrorism, and the information highway (Group of 8, 2003). The G-8 Subgroup on High-Tech Crime was founded in 1997. In January 1997, the G-8 also set up a “24-Hour-Contact-Group” to facilitate law enforcement communications for investigations (Group of 8, 2003). This type of network enabled group members to foster speedy communications between and among the members which allow them to preserve digital evidence until legal processes can be started (Vatis, 2003, p. 3). The idea is to produce global agreements so that there cannot be digital havens where anybody can plan and execute illegal business (Hancock, 2003).
    • 78 S. Özeren / Cyberterrorism and International Cooperation The G-8 also held meetings between law enforcement and industry representatives, and through these meetings the G-8 aims to foster cooperation, not only among the law enforcement group members, but also industries so that each party can present their concerns, experiences, and visions (Vatis, 2003, p. 5). These activities have had several impacts, including being a model for larger formal multilateral efforts, and identifying difficulties that individual states and multilateral entities may encounter (Vatis, 2003, p. 5). The G-8, in their meeting in 2000, published the Okinawa Charter on Global Information Society, and indicated its commitment to the creation of international cooperation to target cybercrime (G7-G8 Summit in Okinawa, 2000). This meeting created another task force—the Digital Opportunity Taskforce (dot force)—in order to integrate its efforts into a broader international approach. To this end, it was decided that the dot force would convene as soon as possible to explore how best to secure participation of stakeholders. This high-level task force is in close consultation with other partners and in a manner intended to be responsive to the needs of developing countries. Efforts made by the G-8 states demonstrate the importance of cooperation at the international level which may lead to the creation of a deterrent for the criminals, in the sense that the investigation and prosecution of the criminal act will be swift and certain. The G-8 held a meeting in Paris, France, in May 2003, and ended up with three significant decisions with respect to critical infrastructure protection: To combat this threat, they determined that they needed unprecedented global cooperation to protect their information infrastructures, including computer network and communication systems. They also saw the need to respond to terrorist and criminal threats against them (Meeting of G8 Ministers of Justice and Home Affairs, 2003). Council of Europe (CoE) The Council of Europe (CoE) is an intergovernmental organization, which is made up of forty-five European countries. In addition to these countries, states such as the U.S., Canada, and Japan have observer status (Council of Europe, 2003). In 2001, the CoE drew up a Convention on Cybercrime, and non-European countries, such as the U.S., Canada, and Japan, participated in the drafting process. The underlying reasons behind having a convention are described by the CoE (International Working Group, 2002). It was drafted: Considering that the aim of the Council of Europe is to achieve a greater unity between its members; Recognizing the value of fostering co-operation with the other States parties to this Convention; Convinced of the need to pursue, as a matter of priority, a common criminal policy aimed at the protection of society against cybercrime, inter alia by adopting appropriate legislation and fostering international co-operation; Conscious of the profound changes brought about by the digitalization, convergence and continuing globalization of computer networks; Concerned at the risk that computer networks and electronic information may also be used for committing criminal offences and that evidence relating to such offences may be stored and transferred by these networks;
    • S. Özeren / Cyberterrorism and International Cooperation 79 Recognizing the need for co-operation between States and private industry in combating cybercrime and the need to protect legitimate interests in the use and development of information technologies; And believing that an effective fight against cybercrime requires increased, rapid and well-functioning international co-operation in criminal matters. The purpose of this convention was “to make criminal investigations and proceedings concerning criminal offences related to computer systems and data more effective and to enable the collection of electronic evidence of a criminal offence” (International Working Group, 2002). According to Weber, the Convention on Cybercrime establishes three general principles to international cooperation. First, international cooperation will be provided among the states “to the widest extent possible”. Second, the obligation to cooperate extends not only to the crimes established by the treaty, but also to the collection of electronic evidence whenever it relates to a criminal offense. Third, the provisions for international cooperation do not supercede preexisting provisions of international agreements on these issues (2003, p. 433). The CoE has taken a more comprehensive approach by publishing and refining a Draft on Cybercrime (Sofaer, 2001). The Draft includes a detailed description of the concepts, computer system, computer data, and data traffic (Convention on Cybercrime, 2001). The Draft also includes several provisions which criminalize some of the activities in the cyberspace. The significance of that convention is that, once in force, all countries that ratified it, including those who are non-member observer states, are required to standardize their laws to comply with the provisions of the Convention (Westby, 2003). Especially those countries which are signatory states are required to adopt such domestic laws in order to establish minimum standards (Council of Europe, 2001). In Budapest, on November 23, 2001, the CoE opened the treaty for signature by the member states and by non-member states, including the U.S. As of December, 2002, there were 32 thirty- two signatories and it had been ratified by Albania and Croatia (Weber, 2003, pp. 429- 430). Of course, there was some criticism directed towards the Draft of the Convention regarding the issue of basic human rights and information freedom. For some, the Draft was “contrary to well-established norms for the protection of the individual … that it improperly extends the police authority of national governments … that it will undermine the development of network security techniques … and that it will reduce government accountability in future law enforcement conduct” (Ever, 2000). Some even said this treaty will “kill the Internet” (Davis, 2003, p. 217). Nevertheless, the convention addresses deterrence as a necessary function and it aims at swift and efficient law enforcement efforts toward cybercrime detection, investigation, and prosecution, all of which will protect “confidentiality, integrity, and availability of computer systems” (Baron, 2002, p. 268). The treaty of the CoE on cybercrime is important for a number of reasons. “The Council’s approach recognizes that accomplishment of this goal is predicated upon finding solutions to the lack of criminal statutes, the lack of procedural powers, and the lack of enforceable mutual assistance provisions that result from the jurisdictional gap in cybercrime regulation” (Weber, 2003, p. 430).
    • 80 S. Özeren / Cyberterrorism and International Cooperation European Union (EU) The European Union (EU) emerged from three organizations formed in the 1950s by Belgium, West Germany, France, Italy, Luxembourg, and the Netherlands: the European Coal and Steel Community (ECSC), the European Atomic Energy Community (Euratom), and the European Economic Community (Sussmann, 1999, p. 479). “The EU is, in fact, unique. Its Member States have set up common institutions to which they delegate some of their sovereignty so that decisions on specific matters of joint interest can be made democratically at the European level” (The European Union at a Glance, 2003). Currently there are more than twenty-five member states within the EU. With respect to cyber security and critical infrastructure security, the EU has published several documents. It has also created entities to respond to the challenges of critical information infrastructure security. Among these efforts, in April 1998, the European Commission prepared a study called COMCRIME which focused on security of information infrastructures and combating computer-related crime (Cybercrime European Commission, 2004). In January, 1999, the European Parliament and the Council adopted an action plan on promoting safer use of the Internet by combating illegal and harmful content on global networks. In 2001, the European Commission prepared a document entitled “Network and Information Security: Proposal for a European Policy Approach,” in which the following four conditions were presented as key conditions in order to be successful in responding to cybercrime and information infrastructure vulnerabilities (Cybercrime, European Commission, 2001): The adoption of adequate substantive and procedural legislative provisions to deal with both domestic and transnational criminal activities. The availability of a sufficient number of well-trained and equipped law enforcement personnel. The improvement of the co-operation between all the actors concerned, users and consumers, industry and law enforcement. The need for ongoing industry and community-led initiatives. Another significant effort by the EU is the eEurope 2005 Action Plan which was approved by the European Council in June, 2002 (Council of Europe, 2002). The central component of the eEurope 2005 Action Plan is information infrastructure protection (Westby, 2003), and it stresses “the importance of ensuring the appropriate security of networks and the information that is transmitted through them for individuals, business, administrations and other organizations” (Council of Europe, 2002). In terms of important agencies of the EU with regard to critical information and infrastructure protection, there is the European Network and Information Security Agency (ENISA). The objectives of the ENISA are to facilitate and intensify European coordination in the area of information security, provide the highest security of the information infrastructure systems for the members, and to create common understanding of information security among the member states in the EU (Information Society, 2003). “The management board of the Agency will be composed of five representatives appointed by the Council, five by the Commission, two by the European Parliament, as well as four industry and two consumers’ representatives” (EU News Report, 2003). The agency has a budget of 24 million euro over a five-year period and it is intended to help the Commission and the member states cooperate more efficiently in their responses to information security and network problems such as
    • S. Özeren / Cyberterrorism and International Cooperation 81 viruses and unauthorized interception of communications, computer crashes, and information technology (IT) network failures (EU Business, 2003). United Nations (UN) The United Nations (UN) has increased awareness of information security, in particular, computer related crimes. In 2000, the Tenth United Nations Congress on Crime Prevention and the Treatment of Offenders was held in Vienna, Austria. In sum, the meeting emphasized the importance of internationally coordinated efforts toward preventing and responding to threats against information systems and cyber security. In addition, it was emphasized that the exchange of technical and forensic expertise between national law enforcement authorities was crucial for faster and more effective investigation of such crimes (Tenth United Nations Congress, 2000). Furthermore, in different meetings, the members of the UN expressed their concerns about the threat of cybercrime and cyberterrorism, and proposed training programs about cyberterrorism for the national law enforcement agencies (Security Council 4,792nd Meeting, 2003). Asia Pacific Economic Cooperation (APEC) APEC was formed in 1989 in response to the growing interdependence among Asia- Pacific economies, and since then APEC has become the primary regional vehicle for promoting open trade and practical economic cooperation (TIA Online, 2002). Asia Pacific Economic Cooperation (APEC) established the Telecommunication and Information Working Group (APEC-TEL), which provides coordination between the governments, private sectors, and business of the 21 twenty-one APEC members (Westby 2003, p. 103). The Fifth APEC Ministerial Meeting on Telecommunications and Information Industry was held in May 2002 in China and the members of the APEC declared the need for economies to promote the development of advanced, secure and reliable information infrastructures and expressed their commitment to improving the multilateral and bilateral cooperation in the APEC region in developing telecommunications regulatory policies, and information and network security (APEC Shanghai Declaration, 2002). They also made clear that it is very important to establish a legal basis to address the criminal misuse of information technologies and law enforcement cooperation in combating that misuse (TELMIN 2002). Organization for Economic Co-operation and Development (OECD) The Organization for Economic Co-operation and Development (OECD) defines cyber security in their Guidelines for the Security of Information Systems as “the protection of the interest of those relying on information systems from harm resulting from failures of availability, confidentiality, and integrity” (OECD, 2002). The Guidelines for the Security of Information Systems and Networks states that due to increased interconnectivity, information systems and networks have now become more vulnerable to a growing number and a wider variety of threats, which explains one of the fundamental issues in information security (OECD, 2002). By stating “… participants, as appropriate to their roles, should be aware of the relevant security risks and preventive measures, assume responsibility and take steps to enhance the security of information systems and networks,” the OECD put the responsibility on
    • 82 S. Özeren / Cyberterrorism and International Cooperation the shoulders of every member in the organization (OECD, 2002). The OECD Council adopted nine important principles to develop “the culture of cyber security” (OECD, 2002). Interpol Interpol is the abbreviation for the International Criminal Police Organization. It was established in 1956 to enhance globally and facilitate cross-border criminal police cooperation (Interpol, 2003). Currently, there are 181 countries in over five continents that participate. Interpol is the largest international police organization, which serves as an entity to help member countries with their investigations involving international crimes. Interpol, among other crimes, focuses on the misuse of information technologies under the name of information technology crime (Interpol, 2003). Interpol has created parties of information technology crime in regions around the world. Instead of establishing a new division, Interpol gathered “working parties” or experts from members of national computer crime units (Interpol, 2003). Currently there are five major working parties that Interpol works with: a) European Working Party on Technology Crime, b) American Regional Working Party on Information Technology Crime, c) African Regional Working Party on Information Technology Crime, d) Asia- South Pacific Regional Working Party on Information Technology Crime, and e) Steering Committee for Information Technology Crime (Interpol, 2003). Among these working groups, the European Working Party on Technology Crime, formed in 1990, has shown significant achievements, some of which include the compilation of the Computer Crime Manual, now called the Information Technology Crime Investigation Manual (ITCIM), a best practice guide for the experienced investigator, numerous training courses in order to share its expertise with other members, a rapid information exchange system which essentially consists of two elements, and preparing training video / CD-ROM for international law enforcement (Interpol, 2003). European Police Office (Europol) The Council Act of 26 July, 1995, signed up the Convention on the establishment of a European Police Office (Europol Convention, 2003), which was established to improve police cooperation between the member states to combat terrorism, illicit drug trafficking, and other serious types of international crime. It became fully operational in 1999 (Area of Security, 2003). “The official inauguration of Europol in 1998 … marked a new watershed of EU cooperation in the field of “Justice and Home Affairs” … which reflects a shift in the direction of supranationalism and away from Europe’s long-standing intergovernmental approach to international law enforcement” (Occhipinti, 2003, p. 1). Europol has also the following principal tasks (Europol 2003): to facilitate information exchange between member states; to obtain, assemble and analyze information and intelligence; to notify the authorities of the member states without delay of information concerning them and of any relations identified between criminal offenses; to assist investigations in the member states; to keep a computerized system of collected information.
    • S. Özeren / Cyberterrorism and International Cooperation 83 In other words, Europol can serve as an effective mechanism in terms of investigating crimes involving information technologies, such as cybercrime and cyberterrorism. “It is important to emphasize that Europol will not have executive authority, and it is important that Europol should not be viewed as a European equivalent of the Federal Bureau of Investigation in the United States. Nor will Europol take over from, or place any type of restraint on, national counter-terrorist agencies” (Marotta, 2001, p. 18). However, according to Occhipinti, recent developments indicate that the nature of collaboration on policing in the EU has become more supranational and the EU will move even closer to having a supranational form of police cooperation, “including a role for Europol that increasingly resembles that of the U.S. FBI” (2003, p. 238). Policy Implications This study strongly emphasizes the importance of cooperation in response to the threats coming from cyberspace. In particular, countries with high level of vulnerabilities need to be involved in cooperative efforts not only with those countries that are highly vulnerable, but also with other countries with lower levels of vulnerability. Given the fact that a cyber attack can be launched from anywhere, the source of such an attack does not necessarily have to be a country with a high level of technological development. This brings us to the issue of having a vested interest in expanding an alliance to include many countries with a variety of different backgrounds. In terms of a theoretical discussion, any country concerned with cyberterrorism should embrace the double approach. That is, while taking every necessary step to ensure the safety of their critical infrastructures, they should also make every effort to achieve an inclusive partnership/alliance with other countries. To achieve such an overwhelming task, different venues should be sought, including formal and informal cooperation. Cooperation may involve both formal and informal relationships, and the effectiveness of both may vary depending on the case in question. While the desired relationship should be formal cooperation, it has drawbacks, most notably time-consuming bureaucratic procedures, although time can be crucial for law enforcement and other national security agencies. Particularly, investigating cyberterrorism does not allow the luxury of spending time going through bureaucracy. On the other hand, while informal mechanisms are efficient in terms of time, in some countries, informal cooperation may not be approved by their governments. Therefore, in responding to cyberterrorism or cybercrime, both informal and formal cooperation should be put into practice, while efforts are made to lessen the bureaucratic procedures, and this can be achieved by bilateral agreements. Awareness is another milestone toward achieving real, concrete cooperation. Developing awareness at the domestic and international level toward cyberterrorism and cybercrime will help concerned parties to work with other countries. Recognizing existing or potential risks will motivate countries to start to take necessary measures to respond to cyberterrorism and cybercrime, to include legal, technical, and political procedures. Another important issue with respect to policy is the legal discrepancies and/or lack of legal measures targeting cyberterrorism and cybercrime. While countries amend new laws or update the existing ones to compensate for the gap stemming from new trends in responding to cyberterrorism, they also should try to establish a consensus as
    • 84 S. Özeren / Cyberterrorism and International Cooperation to what cyberterrorism constitutes and what the general procedures should be in terms of handling investigations and prosecution of cyberterrorism related incidents. Conventions, such as the Council of Europe Convention on Cybercrime—even though there are some questions about articles in the Convention Treaty—is an ambitious attempt toward achieving such a consensus. In terms of facilitation of cooperation at the national and international levels, a number of entities can play important roles. In particular, institutions such as CERT and FIRST can be instrumental in carrying out informal and formal bilateral and multilateral cooperation. In the area of cyberterrorism and cybercrime such an activity at the informal level among private or public institutions can lead to formal cooperation since informal processes can guide the development of a culture of cooperation. Moreover, entities such as G-8 and OECD can lead other non-member countries toward developing a certain level of awareness. While these entities do not have operational branches, they can set the standards for future applications and strategies for themselves and be examples for other countries. On the other hand, institutions such as the UN and the Council of Europe can be more active organizations since they have more member states. Also the members can be obliged to fulfill the requests from these multilateral entities, which can be vital to achieving consensus. In addition, developed countries can offer technical and legal assistance to other countries; in other words, developed countries can expand the response policies by supporting other countries. One way to accomplish a sound cooperation is to identify regions and focus those areas. Countries such as Turkey can be a center in the Middle East, including the former Soviet republics. Turkey can work with experts from the U.S. and other European countries to train law enforcement in the region in the area of terrorism and cybercrime. Given the fact that Turkey has a long history of struggle against terrorism and organized crime, the experience can be utilized toward advancing regional countries’ abilities and understanding of how to handle terrorism, in particular, cyberterrorism and cybercrime. Other critical and rather sensitive issues are national sovereignty and jurisdiction. National sovereignty is a political issue that may be an obstacle since countries have every right to claim their sovereignty when it comes to investigating cyberterrorism. Respectively, the issue of jurisdiction becomes a legal issue when investigating cyberterrorism and cybercrime, both of which are transnational in nature. To overcome these two critical issues, existing applications from other areas can be considered. Aviation is one of those areas that involve internationally recognized and implemented regulations worldwide. Agreement in such an area can be a model for cyberterrorism and cybercrime initiatives. Another application is the “European Arrest Warrant” which can give a clue as to how the international community will overcome issues of jurisdiction. Of course the author of this study does not imply that we need to have such a system; however, the European Arrest Warrant can be taken as an example. In terms of overlaps between cybercrime techniques and cyberterrorism, the study suggests that cybercrime techniques are readily available tools for terrorists to exploit. More importantly, technology provides ample opportunity for terrorists to expand their operations and establish new networks with other terrorist organizations. Cyberspace gives terrorists new tools to recruit new members and to support their activities financially. The C-F-R-P factor is very critical in terms of responding not only to cyberterrorism, but also to traditional terrorism. The C-F-R-P factor can, in fact, be monitored by law enforcement and can be used to identify possible recruitment techniques, possible new recruits, and finance sources. Also, it can provide invaluable
    • S. Özeren / Cyberterrorism and International Cooperation 85 information in terms of communication. It is true that not every terrorist organization uses the Internet for communication; nevertheless, communication on the Internet can provide leads for further investigations. Recommendations Cooperation is very critical in terms of responding to cyberterrorism. Cooperation at the national level includes law enforcement and private sector. Sometimes overlaps in terms of the responsibilities and authorities between different law enforcement agencies may cause confusion. To avoid such an event, law enforcers should establish a coordination center that will not be a supervisory unit, but a unit which will facilitate coordination and collaboration between layers of bureaucracy. This is particularly important in countries like the U.S., where there are numerous law enforcement agencies with a number of laws giving authority to them. Also, implementations, such as the U.S.’s Secret Service Electronic Crime Task Force, should be expanded across the world. The most important aspect of such programs is that they create a sense of trust between law enforcement agencies and the private sector. Of course, the purpose of these programs should be to share the concerns and support each other. Finally, increasing awareness of vulnerabilities to cyberterrorism and cybercrime can be facilitated by training of law enforcers and the public. At the National level, documents, such as the National Strategy to Secure Cyberspace, published by the U.S., indicated the importance of national and international levels of cooperation to respond to threats coming from cyberspace. It also emphasizes the importance of cooperation and collaboration between the public and private sector to respond adequately to cyber threats. It is true that a document, alone, may not be effective, but it may describe the path to be followed. While there are numerous issues regarding how to achieve sound international cooperation, the first step toward it involves believing in establishing international cooperation. In other words, countries should spend time and energy establishing a general consensus as to what they should do to achieve real cooperation. Based on the research results, while multilateral cooperation is desirable, bilateral agreements are considered as more achievable than multilateral agreements. Therefore, countries should focus on establishing more bilateral agreements; they also should explore new venues to set up multilateral cooperation. To achieve real cooperation at the international level, countries should practice real coordination and exchange of intelligence. Formal bilateral and multilateral agreements and organizations achieve some level of cooperation, but bureaucracy and other obstacles may slow down the procedures which are very critical in investigating cybercrime. To solve that problem, countries should look for ways to practice informal cooperation at least among the law enforcement agencies. Moreover, legal measures play a very critical role in responding to cybercrime and cyberterrorism. Laws and conventions, such as the Council of Europe Convention on Cybercrime, are useful tools to facilitate cooperation. In order to respond to this kind of transnational crime, having a common definition of the crime is vital. Recognizing the importance of defining a crime according to its unique characteristics will not only ease the investigation procedures, but also enable cooperation with other countries. Therefore, countries should again attempt to come up with internationally accepted definitions of terrorism, cybercrime, and cyberterrorism.
    • 86 S. Özeren / Cyberterrorism and International Cooperation Finally, we need to find new strategies and tactics to respond to the overwhelming problems we face today. The global nature of the issues such as cybercrime and terrorism requires global responses. It is necessary to look for a radical approach. Globalization of crime, in fact, asks for globalization of law enforcement. This statement may sound overambitious; however, given the extent and complexity of cybercrime and terrorism, it may be underestimating the seriousness of these problems if we claim otherwise. References APEC Shanghai Declaration. (2002). The Fifth APEC ministerial meeting on telecommunications and information industry. Retrieved February 13, 2004 from http://www.apecsec.org.sg/apec/ministerial_statements/sectoral_ministerial/ telecommunications/2002.html Area of Security. (2003). Europol Convention: European Police Office. Retrieved March 13, 2004 from http://europa.eu.int/scadplus/leg/en/lvb/l14005b.htm Ballard, J. D., Hornik, J. G., & McKenzie, D. (2002). Technological facilitation of terrorism: Definitional, legal and policy issues. American Behavioral Scientist, 45,(6), 989-1016. Barkham, J. (2001). Cyberwar, cybercrime, and cyberterrorism: A bibliographic essay. American Society of International Law. Retrieved March 10, 2004 from http://www.asil.org/barkham.pdf Baron, R. M. F. (2002). A critique of the international cybercrime treaty. The Catholic University of America, 10, 263. Berinato, S. (2002). The truth about cyberterrorism. CIO Magazine. Retrieved on April 13, 2004 from http://www.cio.com/archive/031502/truth.html Brenner, S. W., & Goodman, M. D. (2002). In defense of cyberterrorism: An argument for anticipating cyber-attacks. University of Illinois Journal of Law, Technology & Policy, 1,(57). Cilluffo, F. J., & Pattak, P. B. (2000). Bad guys and good stuff: When and where will the cyber threats converge? DePaul Business Law Journal, (12),131- 169. Collin, B. C. (1997). Cyberterrorism from virtual darkness: New weapons in a timeless battle. Retrieved from http://www.counterterrorism.org Convention on Cybercrime. (2001). Retrieved December 05, 2004 from http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm Conway, M. (2002). Reality bytes: Cyberterrorism and terrorist 'Use' of the Internet. First Monday, 7, (11). Retrieved April 04, 2004 from http://firstmonday.org/issues/issue7_11/conway/index.html Council of Europe. (2001). Convention on cybercrime. Retrieved February 15, 2004 from http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm Council of Europe. (2002). Council resolution on the implementation of the eEurope 2005 action plan. Retrieved March 12, 2004 from http://europa.eu.int/information_society/eeurope/2005/index_en.htm Council of Europe. (2003). What is what? Retrieved December 10, 2004 from http://www.coe.int/T/E/Com/About_Coe/whatswhat.asp Council of Europe. (2003). The Council of Europe's Member States. Retrieved December 15, 2004 from http://www.coe.int/T/E/Com/About_Coe/Member_states/default.asp Cuellar, M. F. (2001). Past as prologue: International aviation security treaties as precedents for international cooperation against cyberterrorism and cybercrimes. In A. D. Sofaer, & S. E. Goodman (Eds.), The transnational dimension of cybercrime and terrorism (pp. 91-124). Stanford, CA: Hoover Institution Press Publication. Cybercrime European Commission (2001). Network and information security: Proposal for a European policy approach. Retrieved March 14, 2004 from http://europa.eu.int/information_society/eeurope/2002/news_library/pdf_files/netsec_en.pdf Cybercrime European Commission. (2004). Anti cybercrime legislative proposals on Council table. Retrieved March 14, 2004 from http://europa.eu.int/comm/justice_home/fsj/crime/cybercrime/wai/fsj_crime_cybercrime_en.htm Cybercrime European Commission. (2004). What steps is the EU taking to combat cyber-crime? Retrieved March 14, 2004, from http://europa.eu.int/comm/justice_home/fsj/crime/cybercrime/wai/fsj_crime_cybercrime_en.htm Davis, E. S. (2003). A world wide problem on the World Wide Web. International responses to transnational identity. Washington University Journal of Law & Policy.
    • S. Özeren / Cyberterrorism and International Cooperation 87 Denning, D. E. (1999). Encryption and evolving technologies as tools of organized crime and terrorism. National Strategy and Information Center Denning, D. E. (2000). Cyberterrorism. Global Dialogue. Retrieved from http://www.cs.georgetown.edu/~denning/infosec/cyberterror-GD.doc Devost, M. G. (1995). National security in the information age. Master thesis. University of Vermont. Devost, M. G., Houghton, B. K., Pollard, N. A. (1997). Information terrorism: Can you trust your toaster?. Retrieved September 13, 2002 from htttp://www.terrorism.com Evers, J. (2000). The Netherlands adopts cybercrime pact. Retrieved December 20, 2004 from http://www.theexperiment.org/articles.php?news_id=980 EU Business. (2003). European network and info security agency set for January launch. Retrieved March 04, 2004 from http://www.eubusiness.com/topics/Rd/EUNews.2003-11-21.2957 EU News Report. (2003). new European agency for network and information security. Retrieved March 01, 2004 from http://www.iwar.org.uk/news-archive/2003/10-08-6.htm Europol Convention.(2003): European Police Office. Retrieved March 07, 2004 from http://europa.eu.int/scadplus/leg/en/lvb/l14005b.htm European Union at a glance. (2003). Retrieved March 10, 2004 from http://europa.eu.int/abc/index_en.htm Europol. (2003). Fact Sheet on Europol. Retrieved October 11, 2003 from http://www.europol.eu.int/index.asp?page=facts FEMA. (2002). Retrieved from http://www.fema.gov Grabosky, P. N., & Smith, R. G. (1998). Crime in the digital age. Riverwood, Australia: Ligare Pty Ltd. Group of 8. (2003). Retrieved December 04, 2003 from http://www.privacyinternational.org/issues/cybercrime/ G 7- G 8 Summit in Okinawa. (2000). Okinawa Charter on Global Information Society. Retrieved from http://ec.europa.eu/external_relations/g7_g8/intro/global_info_society.htm Information Society. (2003). Establishment of a European network and information security agency. Retrieved March 12, 2004 from http://europa.eu.int/scadplus/leg/en/lvb/l24153.htm International Working Group. (2002). Common position on data protection aspects in the draft convention on cyber-crime of the Council of Europe. Retrieved December 15, 2004 from http://www.datenschutz- berlin.de/doc/int/iwgdpt/cy_en.htm Interpol. (2003). Interpol an overview. Retrieved March 14, 2004 from http://www.interpol.int/Public/Icpo/FactSheets/FS200101.asp Interpol. (2003). Interpol’s contribution to combating information technology crime. Retrieved March 14, 2004 from http://www.interpol.int/Public/TechnologyCrime/default.asp Interpol. (2003). Regional working parties. Retrieved March 14, 2004 from http://www.interpol.int/Public/TechnologyCrime/WorkingParties/Default.asp#europa Lewis, A. J. (2003). Introduction. In J. A. Lewis (Ed.), Cyber security: Turning national solutions into international cooperation (pp. xi-xxiii). Washington D.C.: The CSIS Press. Lukasik, S. J. (2001). Current and future technical capabilities. In A. D. Sofaer, & S. E. Goodman (Eds), The transnational dimension of cybercrime and terrorism (pp. 125-184). Stanford, CA: Hoover Institution Press Publication. Marotta, E. (2001). Europol’s Role in anti-terrorism policing. In M. Taylor & J. Horgan (Eds.), The future of terrorism (pp. 14-18). London, England: Frank Cass & Co. Ltd. Meeting of G8 Ministers of Justice and Home Affairs. (2003). Public statement by the ministry of the interior, internal security and local freedoms. Retrieved January o5, 2005 from http://www.g8.fr/evian/english/navigation/news/meeting_of_the_justice_and_home_affairs_ministers_ of_the_g8_in_paris__on_5_may_2003.html Miyawaki, R. (1999) The Fight Against Cyber Terrorism: A Japanese View, paper presented to the Centre for Strategic & International Studies, June 29, 1999. Occhipinti, J. D. (2003). The politics of EU police cooperation: Toward a European FBI?. London, England: Lynne Rienner Publishers. OECD. (2002). Guidelines for the Security of Information Systems and networks: Towards a culture of security. Retrieved March 13, 2004 from http://www.ftc.gov/bcp/conline/edcams/infosecurity/popups/OECD_guidelines.pdf Pollitt, M. M. (1997). A Cyberterrorism: Fact or fancy? Proceedings of the 20th national information systems security conference. Security Council 4792nd Meeting. (2003). Fight against terrorism would be long with no short cuts, Counter- terrorism Committee Chairman Tells Security Council. Retrieved February 07, 2004 from http://www.un.org/News/Press/docs/2003/sc7823.doc.htm Sofaer, A. D. & Goodman, S. E. (2001). Cybercrime and security: The transnational dimension. In A. D. Sofaer, & S. E. Goodman, (Eds). The transnational dimension of cybercrime and terrorism (pp. 1-34). Stanford, CA: Hoover Institution Press Publication.
    • 88 S. Özeren / Cyberterrorism and International Cooperation Speeches and testimony. (1998). Testimony by director of Central Intelligence George J. Tenet before the Senate Committee on Government Affairs. Retrieved March 10, 2004 from http://www.cia.gov/cia/public_affairs/speeches/1998/dci_testimony_062498.html Sussmann, M. A. (1999). The critical challenges from international high-tech and computer-related crime at the millennium. Duke Journal of Comparative & International Law (9). Taylor, R. W., Caeti, T. J., Loper, K., Fritsch, E. J., & Liederbach, J. (2006). Digital crime and digital terrorism. Upper Saddle River, NJ: Prentice Hall. TELMIN. (2002). Statement on the security of information and communications infrastructures. Retrieved February 15, 2004 from http://www.tiaonline.org/policy/regional/asia/telmin5_statement.pdf United Nations Universal Declaration of Human Rights. Article 12. Retrieved from http://www.unhchr.ch/udhr/lang/eng.htm Vatis, M. A. (2000). The NIPC's international response to cyber attacks and computer crime. Before the House Committee on Government Affairs Subcommittee on government management, information, and technology Washington D.C. Retrieved March 24, 2004 from http://www.fbi.gov/congress/congress00/vatis072600.htm Vatis, M. (2003). International cyber-security cooperation: Informal bilateral models. In James A. Lewis (Eds), Security: Turning national solutions into international cooperation (pp. 1-12). Washington D.C.: The CSIS Press. Weber, A. M. (2003). Annual review of law and technology: VIII. Foreign & International law: A cyberlaw cybercrime: The Council of Europe’s convention on cybercrime. Berkeley Technology Law Journal, 18, 425. Westby, J. R. (2003). International strategy for cyberspace security. American Bar Association. Wilson, C. (2003). Computer attack and cyberterrorism: Vulnerabilities and policy issues for Congress. Congressional Research Service ˜The Library of Congress. Retrieved June 10, 2004 from http://www.fas.org/irp/crs/RL32114.pdf Zanini, M. & Edwards, S. J. A. (2001). The Networking of terror in the information age. In J. Arquilla & D. Ronfelt (Eds), Networks and netwars, (pp.29-60). Santa Monica, CA: RAND Corporation.
    • Responses to Cyber Terrorism 89 Centre of Excellence Defence Against Terrorism, Ankara, Turkey (Ed.) IOS Press, 2008 © 2008 IOS Press. All rights reserved. Legal and Policy Evaluation: International Coordination of Prosecution and Prevention of Cyber Terrorism Ms Eneken TIKK,a Ms Reet OORNb a Lecturer, Faculty of Law, University of Tartu, Estonia b Advisor on Data Protection and IT Law, Estonian Informatics Centre, Tallinn Abstract. This article first touches upon the notion of cyber terrorism in the context of the relevant international framework and the recent cyber attacks against Estonia by addressing issues of the dependence of a society on ICT. The purpose of such an introduction is better to explain the international debate on prosecution and prevention of cyber terrorism. In the author’s opinion, effective prevention of cyber terrorism needs to be performed on a national level. Therefore the third main subject of this article is the (inter)national legal framework of preventing cyber terrorist acts and the prospect of the legal and practical problems that countries may face when addressing this mostly cross-border problem area. Keywords. Cyber terrorism, IT law, international IT law, cyber attacks on Estonia, prevention of cyber attacks 1. The Notion of Cyber Terrorism The word “terrorism” comes from the Latin word “terrere” which means “to frighten”. In very general terms we can view terrorism as any concerted action (or threat of action) undertaken in order to provoke fear. No common understanding of this notion has been reached on an international level. Often, a uniform definition of terrorism will not even exist across the various concerned agencies of a given country. Such is the case with the United States, where the range of definitions is currently applied. 1 Therefore the legal notion of terrorism can only be explained on the basis of certain characteristics and types of action. 2 It is agreed in general that terrorism seeks to spread fear across a society, the actions taken tend to be large, deadly and spectacular. Therefore it is not difficult to imagine death, injuries or major loss of property as possible results of a terrorist attack. It becomes more complicated when we try to combine terrorism with the notion 1 http://www.cdi.org/friendlyversion/printversion.cfm?documentID=1564#_edn4. 2 The League of Nations adopted a convention to prevent and punish terrorism in 1937 (it never came into force). Since 1963 the United Nations has produced thirteen conventions on the subject, relating to various types of activities (see http://www.un.org/terrorism/instruments.html).
    • 90 E. Tikk and R. Oorn / Legal and Policy Evaluation “cyber”, as often the use of information and communication technology serves other, maybe less vital, interests of the society, such as informational privacy, freedom of information or access to public services. The expression “cyber terrorism” is about an intentional negative and harmful use of information technology for producing destructive and harmful effects. The consequences of a network or information system may be different. In a society like Estonia a denial-of-service attack is likely have decreased the functionality of public e- services as its consequence. The perception of fear therefore needs to be measured by certain characteristics of the specific society, such as dependence on ICT, and potential conflicting interests and interest groups prepared to use extraordinary measures for pursuing their aims. Obviously, there is not a reasonable basis for talking about any international agreement or consensus in terms of the expression “cyber terrorism”. However, as the dependence on ICT is growing, and technology carries with it new possibilities for terrorist action, the discussion on these topics needs to go on. 2. The Existing International Legal Framework The United Nations As mentioned above, there are several legal instruments dealing with different types of terrorist activities. The UN-banned terrorist actions include: Offences Committed On Board Aircraft, Unlawful Seizure of Aircraft, Crimes against the Safety of Civil Aviation, Crimes against Internationally Protected Persons, Taking of Hostages, Unlawful Use of Nuclear Material, Unlawful Acts against the Safety of Maritime Navigation, Unlawful Acts against the Safety of Fixed Platforms Located on the Continental Shelf, Making of Plastic Explosives for the Purpose of Detonation, Terrorist Bombings, Financing of Terrorism and Nuclear Terrorism. In addition to the above, the United Nations has launched a global strategy to fight terrorism, in which it seeks to help its member states develop the capacity to take the fight forward. Perhaps the most important is the ongoing coordination work done pursuant to Security Council Resolution 1373. The UN web site gives an excellent overview of its approach. We might note, however, that despite all of this work, the United Nations has not developed a single working definition of terrorism. Instead, the UN has worked ad hoc. One could argue that the method of developing legal instruments that the United Nations has used fails because it is too focused on building a consensus about already employed existing methods used by terrorists. It cannot lead the fight against new methods (such as cyber terror). Thus, we might consider using the United Nations experience as an argument to avoid an overly reactive (rather than proactive) approach to coping with terrorist threats. The Council of Europe The CODEXTER (Committee of Experts on Terrorism) pursues its work regarding the analysis of international law and action against terrorism. The work of the CODEXTER is currently focusing, inter alia, on the use of the Internet for terrorist purposes, the notion of cyber terrorism, enhanced co-operation between the Council of
    • E. Tikk and R. Oorn / Legal and Policy Evaluation 91 Europe and its member States and Interpol, as well as on the consideration of possible work concerning false identity information as a challenge to immigration authorities. In the CODEXTER framework the Council of Europe has proposed possible legal responses to cyber terrorism. Professor Sieber outlined in particular: a) the harmonization of national substantive criminal law and of national procedural law; b) the improvement of international co-operation; and c) other important aspects, such as, inter alia, the duty to protect infrastructures/data 3 security certifications and preventive monitoring of data. As regards the option of cutting off internet resources, in CoE opinion such a restriction would be difficult to establish as various means of communication exist. However, such an option could be applied as a sanction, for example, to a particular server used as a safe harbour for terrorists. Limited results could be achieved with national filtering techniques. Even if traffic goes through central server (as in China and Iran) the flow could be controlled for the general public but there would be many ways to avoid it. Newsgroups are also used for the diffusion of messages of a terrorist content. Furthermore, it would be difficult to reach an international agreement on what constitutes illegal content as the current definition of terrorist content is very vague. The main common problem of existing international instruments is the insufficient number of states parties. This is especially true with respect to the Cyber Crime Convention (ETS No. 185), as well as to the Convention on the Prevention of Terrorism (CETS No. 196), which are the most important international instruments for fighting cyber terrorism and other terrorist use of the Internet. At present, serious threats to commit terrorist acts are not adequately covered either by this Convention or by other Council of Europe conventions, and this deficit is not fully compensated for by the instruments of other international organizations. Considering the effects of threats to commit terrorist acts, we believe that there is a need for action in this area – possibly in the form of a protocol to the Convention on the Prevention of Terrorism. Regarding the possible updating of ETS No. 185, this Convention should be evaluated with regard to its ability to cover technological advances, particularly in the area of forensic investigative techniques (such as online searches or the use of key logger software). In the fast-paced technological environment of cyber crime, such evaluations, which frequently lead to revisions and updates, are an absolutely normal process, especially when dealing with high risks such as those posed by terrorism. Should a decision to amend the Convention be taken, the possibility of excluding the political exception clause for some of the Convention’s offences might also be considered, especially in serious cases of data and system interference. It is necessary for countries to make sure that their domestic statutes on data and system interference provide sanctions appropriate for cases involving terrorist attacks against computer systems. Indeed, “effective, proportionate and dissuasive sanctions” are already required by the Cyber Crime Convention, and it can be left to national legislatures to achieve this result by means of sentencing rules, aggravated offences on data interference, or infrastructure offences. Professor Sieber has proposed that international efforts should focus on developing repressive and preventive measures that target the dissemination of illegal content on 3 Sieber in CODEXTER 11th report, clause 88.
    • 92 E. Tikk and R. Oorn / Legal and Policy Evaluation the Internet and that are both effective and respectful of civil liberties. This could be done either with a special focus on illegal terrorist content or in a more general way that would encompass other types of illegal content as well. As far as substantive law is concerned, this would also require harmonized rules regarding the responsibility of Internet service providers. The necessary developments in the areas of criminal procedure and international co-operation would require specific regulations based on technical control mechanisms on the Internet that do not unduly inhibit the free exchange of information. In his opinion, the Council of Europe, with its long tradition of balancing security interests in criminal matters with the protection of human rights, would be the ideal institution to tackle the difficult problems posed by the development of such international standards and procedures for regulating illegal content on computer networks. OSCE OSCE activities on cyber terrorism include the Joint OSCE-CoE Expert Workshop and Ministerial Council Decision no. 3/04 “Combating the Use of the Internet for Terrorist Purposes”. The OSCE supports the view that existing legal instruments could provide a basis on which to fight terrorist-related use of Internet, but this legal basis was not used sufficiently. Thus, adherence to international instruments, in particular to the Convention on Cyber Crime and the CoE Convention on the Prevention of Terrorism, must be promoted. There is significant difference in national approaches – in some countries “content” offences are considered terrorist offences; in others they imply interference with the right to the freedom of expression, which is of the utmost importance. There are other possible actions for the monitoring of sites of a terrorist content: the setting-up of hotlines, similar to those set up for child pornography websites, interstate exchanges of information and the restricted use of filtering, e.g. by educational institutions. As for requests from other states for co-operation, there should be two options for dealing with requests – if a country cannot close a website on the grounds of national legislation, it should at least collect information. 4 The European Union The role of the EU in addressing cyber terrorism issues is significant in that the EU law has internet as an object of regulation: the issues of ISP liability, fighting against spam, personal data protection, etc., have been regulated in many EU countries directly because of the influence of the relevant directives. Recently, there have been attempts to also regulate on cyber crime and cyber terrorism issues: The communication on cyber crime sets out the future approach of the EU-wide combat against cyber crime. The policy aims to include improved operational law enforcement cooperation; better political cooperation and coordination between Member States; political and legal cooperation with third countries; awareness raising; training; research; a reinforced dialogue with industry and possible legislative action. 5 4 11th report, 100. 5 A good overview of recent EU activities can be found at https://www.csialliance.org/policy_priorities/eu/.
    • E. Tikk and R. Oorn / Legal and Policy Evaluation 93 Other Developments As regards different countries, the US has developed substantial means for prevention and prosecution of cyber terrorist acts. However, the actions of the US, as of several other nations (France, UK, Austria, Pakistan, India), which have invested in developing a sound framework against cyber terrorism, are directed mostly to internal cooperation and a national legal framework. Some useful ideas may also be derived for international cooperation. The U.S. has stressed that the key threat to cyber security originates in the relentless criminal attacks by organized criminals, individual hackers and non-state actors, including terrorists. From this perspective, the benefits of cyberspace can best be protected by focusing both on the effective criminalization by States of the misuse of information technology and on the systematic national implementation of measures designed to prevent damage to critical information infrastructures no matter the source of the threat; what the U.S. calls the creation of a global culture of cyber security. In this view, all parties (government, business, civil society) are aware of their responsibilities and act appropriate to their roles to ensure cyber security. An attempt to impose borders in cyberspace as a direct challenge to democratic principles that could easily be used by governments to justify restrictions on the free flow of information and the peaceful use of information technology. 3. The Attacks on Estonia: A Case Study Background Estonia leads in the role of an e-state, not only because it has developed some new and attractive e-services, but also because Estonians have accepted the Internet as a “human right” and common living standard for all. The first steps towards the e-state were initiated by the Estonian private sector after gaining the independence in 1991. The banks were the first entities to introduce and promote Internet-based solutions, as it was crucial for them to gain the market and reach also the distinct rural areas. Together with the introduction of electronic Internet- based banking solutions, the access to the Internet was made easy by the government initiative called the “Tiger Leap”, whose aim was to provide free Internet stations at schools and public libraries. This solved also the banks’ dilemma whether they should introduce check books or electronic banking cards with coherent code cards for Internet banking, working a way ahead towards all new Internet-based e-solutions. The second important step was the creation and development of the national population registry, which was started by the change of currency from Russian roubles to Estonian croons on 1992. The population registry marked the beginning of the era of digital databases and information systems which has by now developed into a nationwide state information system with its functional infrastructure – data exchange layer, distributed information systems functionality, and different hardware and software components like portals, elements of public key infrastructure (PKI), governmental databases and information systems. In Estonia, the state information system is regarded as a service-centred organization, meaning that all operations performed by civil servants, entrepreneurs, citizens as well as software are considered services. Thus, the state information system
    • 94 E. Tikk and R. Oorn / Legal and Policy Evaluation is a common service space, which relies on the support systems for the maintenance of databases and is administered with the assistance of the administration system for the state information system. Information systems of different organizations communicate with each other through services, and offer services to citizens and enterprises via the State Portal “eesti.ee” (though, for the time being, a considerable number of services to the end-user are provided directly via the organizations’ own portals). Since users of the state information system may not be very interested in the structure of the state, but rather in their legitimate right to use services, state authorities have been obliged to co-operate and ensure the functioning of the state information system as an integral whole, whereby common single point entries operate in collaboration with state information systems. Uniform authentication of users is ensured by the Estonian public key infrastructure (PKI), where the ID-cards are used as strong authentication measures. Public services in Estonia are considered to be services provided by a service provider (for instance an organization) to the end-user, who could be either a citizen or an organization (including public bodies, enterprises). In addition to public services, the service space contains nested services that do not necessarily have an independent meaning for the end user but are used as a part of a public service operation process for the provision of some other services. In the common service space, services are provided by central and local government agencies as well as private companies and third sector organizations. All of them, as well as individuals, are also users of services. When using public services, the common service space allows individuals to represent, within the limits of their authority, both themselves and the companies they work for. For instance, the social security services (altogether 11) are all made on-line. Important is that these services are fully digitalized – services are used 100% online – which means that the applications on paper are not possible. In case a person lacks the knowledge or does not possess a computer, it is possible for him/her to turn to the public official who will carry out the administrative process on-line on the basis of his/her ID number. One very good example is the parental benefit on-line: before the year 2005 there were seven different documents involved in the process of providing parental benefits. Seven different inquiries in different ministries and agencies were supposed to be made (the Tax and Customs Office, the Register of Social Insurance Board (several times in different stages of the application), his/her employer, the population register and the vital statistics office). Inquiries had to be made personally, according to opening hours, and taking into account the (sometimes) long queues. The process normally took two months. Now it is all done on-line. Five different information systems process the data, inquiring into it itself, and visualizing the service in the state’s portal “eesti.ee”. The whole process takes approximately five minutes. In the use of data services, the application of the data exchange layer (X-Road) allows transition from an architecture that is based on bilateral agreements to that based on multilateral ones. Such an approach reduces the number of connections between information systems and facilitates the management of communication between them. Organizations providing and using services over the data exchange layer can be authenticated in a standardized manner and the data exchange between them is secure. Service providers are obliged to ensure the quality of their service, i.e. systematically to perform operations necessary for guaranteeing that the service complies with the requirements established for it. All services provided by the state information system
    • E. Tikk and R. Oorn / Legal and Policy Evaluation 95 are described by service providers in the state information systems’ administration system, where they are available for all interested parties. A part of the description can be published in the public web. Strict rules have been established for a service description published in the state information systems’ administration system. It should contain at least the syntax and protocol of the service, the service provision policy (based on which principles, to whom, and for which purposes the service is provided), and the quality indicators of the service – its functionality, reliability and efficiency – these are necessary for evaluating and ensuring the quality of the service. Therefore the state information system, taken together with its integrated databases and information systems, could play a crucial role in the context of an information war and cyber terrorism. It is not possible to point out some information systems that are more vulnerable to attack than the others, because it forms an integral whole together with the private sector information systems (mostly the banks, insurance companies, and stock exchange). The loss of this freedom of information could affect many if the appropriate countermeasures are not taken on time. These countermeasures can be technological, geographical or even educational; their aim is to secure and protect the social order of the state. In a context where some integrated electronic services are provided only on- line, without any piece of paper involved, it is important to have the possibility of using alternative means of communication, which in some cases can only mean turning back to the paper-based administration. But then again, in ten or more years it could be rather difficult to turn back to those long and rigid administrative processes. The fact Estonia is considered to be dependent on the Internet and electronic services means that it also forms a perfect test base for cyber attacks and information warfare, as is the best shown in numbers. The concrete numbers say that 98% of Estonia is covered with Internet penetration: fixed line, broad band, WiFi and KÕU, which stands for the MNT-based mobile wireless Internet. Basically, the Internet has been brought into everywhere where people live and travel, leaving some small areas out because of the hills and forests. Mobile phone penetration is approx. 98%. It is also true that more than 2/3 of the population in Estonia uses the Internet on a daily basis, and 95% of the banking operations are carried out electronically. In the year 2007 (tax year 2006), 80% of natural persons’ income declarations were declared electronically – this year it is expected to reach 90%. The usage of m-parking (mobile parking) constitutes approx. 50% of the total income gathered from parking fees, and about 90% of the performers of state examinations received their results via SMS. The data exchange layer X-road provides data services for over 70 states’ information systems, which altogether are providing more than 1,000 different combined electronic services. More than 450 public sector organizations and 30,000 entrepreneurs use X-road every day via the states’ portal (eesti.ee) and over 500,000 citizens have used public sector services via X-road. The traffic on X-road has grown by 10 times every year. ID cards have been issued to 83% of the population and they are going to replace all other authentication measures by July 2008 for security reasons (this requirement involves also the private sector, i.e. banks). Mobile-ID was introduced this spring and is already used by thousands of citizens. Mobile ID is similar to the ID card, providing mobile access, identification and authorization, and it was developed to be an alternative measure to overcome the loss or possible denial of service by ID card.
    • 96 E. Tikk and R. Oorn / Legal and Policy Evaluation 3.1. Overview of the Cyber Attacks against Estonia From 27 April to 18 May 2007, Estonia fell under a cyber attack the like of which had not been seen anywhere in the world before. The cyber attacks that were launched this spring targeted both key governmental and private web sites, meanwhile selecting some critical information infrastructure targets while using a wide array of offensive techniques. At the highest moments, the amount of cyber traffic from outside Estonia targeting governmental institutions was almost 400 times higher from its normal rate. The cyber attacks’ implementation had two distinctly different phases. The first phase took place from 27–29 of April 2007 and was considered rather emotional as the attacks were relatively simple Denial of Service (DoS) attacks against government web servers and Estonian news portals. Many Estonian news portals went off-line for a period of time during the beginning of the conflict. There were also a few cases of targeted web defacement attacks where the information on web sites was changed and replaced. Figure 1. The attacks as monitored by CERT Estonia, April 27-28 The campaign which launched the attacks included the following information: “9 . . . ! – ”6 6 “9th of May a massive attack is planned against Estonian web sites. Action needs the support of the people. The reasons you all know. If possible, don’t remain in stand by! Our ambitious plan is to overload and lose Estonnet.”
    • E. Tikk and R. Oorn / Legal and Policy Evaluation 97 The propaganda was easily found from Google and read as follows: “ ! chtoby internet u nih zavis!” “ “site:.ee ”( ). ( !!!), ( -> -> cmd) “ping -n 5000 -l 10000 _ -t”. . !!! : “ping -n 5000 -l 1000 www.riik.ee –t”, and “just run this script.” “ ( ?), DNS SMTP . DOS- . , , 100 . , , , bat. .” These instructions followed: “@echo off SET PING_COUNT=50 SET PING_TIMEOUT=1000 :PING echo Pinguem estonskie servera, chtoby internet u nih zavis! ping -w %PING_TIMEOUT% -l 1000 -n %PING_COUNT% sunic.sunet.se snip out long list of targets ping -w %PING_TIMEOUT% -l 1000 -n %PING_COUNT% ns.gov.ee ping -w %PING_TIMEOUT% -l 1000 -n %PING_COUNT% mail.gov.ee GOTO PING”. The first phase was followed by the main attack, from 30th of April until 18th of May. It can be said that the second phase was much more sophisticated because of the use of larger botnets and the professional coordination of all of the attacks that appeared. Most dangerous were Distributed Denial of Service (DDoS) attacks against critical national information infrastructure, which were sometimes temporarily successful. For example, the two biggest banks in Estonia came under heavy DDoS attacks, of which one lasted for almost two days and on-line services were unavailable for several hours. Several attacks were also performed against critical routers at the Internet Service Providers level, which did manage to disrupt the government’s Internet based communication for a short period of time. Large scale DDoS attacks were also organized against government web sites. Some of the sites experienced difficulties and temporary loss of service. Fortunately none of the attacks were targeted against the state’s information system or its most important central components, and those which were affected were working again after some hours.
    • 98 E. Tikk and R. Oorn / Legal and Policy Evaluation Figure 2. The first week-end 3.2. General Assessment of the Attacks In all, there were two separate phases that were tied together by the same political event. The attacks came in waves, with strongest ones coordinated for politically significant dates. For example, the most massive attack wave on the 9th of May coincides with the day of the victory in WW II is celebrated in Russia. Based on available information, the work of vital databases, systems or registers of public and private sector was not disturbed. The main objective of the politically motivated attacks was to bring down the Internet system by overloading it. It is not clear which persons, groups or organizations were behind the attacks. The anonymity of the Internet makes it difficult to identify a specific attacker. The only known self-proclaimed attacker so far is a commissar in the pro-Kremlin Russian youth group Nashi. However, it’s possible to affirm that while the first phase was mainly an emotional and spontaneous response of simple hackers to the political events, highly skilled cyber attack specialists were involved in the second phase. Many attacks in the campaign were well coordinated, which usually requires significant resources. 7 3.3. Estonian Legal Responses to the Cyber Attacks On the basis of the recent attacks against Estonian computer systems and the Communication of the European Commission from May 2007, regulating the general 7 Evaluation of the situation by the Ministry of Foreing Affairs of Estonia.
    • E. Tikk and R. Oorn / Legal and Policy Evaluation 99 Figure 3. Measuring the amount and capacity of the attacks Figure 4. Paid botnets time ended shortly after midnight policy of fight against cyber crimes in the EU, the Estonian Government has begun to analyze regulations on cyber crime and related legal fields in national as well as international law. Estonians hold the opinion that additional protection measures should be taken with respect to certain critical infrastructure and computer systems which are used to provide public services. It is difficult to tell the Estonian case study in legal terms – as there are no suitable terms available. Instead, we will next present the legal framework of what happened, together with solid facts.
    • 100 E. Tikk and R. Oorn / Legal and Policy Evaluation In terms of the existing cyber crime framework, Estonia suffered denial-of-service attacks against governmental, and to some extent also private, networks. Also, few defacements of websites took place. Loading extra traffic to websites is nothing new or extraordinary in itself. It is the context of the April events that needs to be clarified in order to justify the terms like “cyber war” and “cyber terrorism”, often used by the Estonian and also foreign media and politicians. The term “fear” obviously has many characteristics in common for every nation in the world, but at the same time depends on the political, historical and other factors individual for a specific country. The cyber attacks were investigated based on national criminal law. As there is currently no specific provision in the Estonian Penal Code about computer crimes as terrorist crimes, the investigation followed the rules of criminal proceedings. Estonia obtained the cooperation of several countries during the investigation. Charges were pressed against one person residing in Estonia and requests for legal cooperation were submitted to Russian Federation. At this point the criminal proceedings faced the first significant drawback: As Russia has not criminalized computer crimes, the requests for cooperation remained unanswered. This means practically that the Estonian authorities have no legal or other means to continue the investigation. Without an investigation there is in practical terms no prosecution. When it comes to prosecution, the maximum penalties imposed for computer crimes are up to one year imprisonment. Again, the drafters of the Penal Code as well as the Cyber Crime Convention never viewed these acts as (publicly) organized and activity targeted on interests other than financial. Even if cross border criminal proceedings are possible, it would be difficult to get to prosecution as there is no general agreement on what data the communication service providers need to gather or submit to the authorities. To convict a person, the evidence has to indicate that person’s direct involvement in the committing of the crime. Normally, preparing a compute crime, providing assets or resources, or training for it are not sanctionable actions. The case would be different when reviewing the same action as a terrorist act. In cases where a terrorist purpose for the actions can be determined, the means of investigation and prosecution improve. The Estonian national law has been reviewed on a much broader plane. We have introduced computer-related crimes as possibly terrorist acts and thereby provided for a more efficient set of investigation and prosecution tools. In the EU legal framework strict rules apply for personal data processing. The provisions on processing personal data require a sound legal basis for each action performed by public authorities. Therefore, the legal capacity and tasks of different authorities have been reviewed to create a transparent chain of reaction, and also to provide more legal certainty in terms of information privacy. As a country with high IT-ego, Estonia has comprehensive provisions on the publication of public sector information. Every governmental authority is obliged to maintain a website and post more than 30 categories of information on it. The potential threat of loss of information or unwanted publication has determined the need to review the IT legal policy and legal regulation of information systems. Another area of legal attention is the rights and obligations of internet and other communication service providers – as long as no understanding exists of what units of data need to be logged and saved, there is no certainty that this information will be
    • E. Tikk and R. Oorn / Legal and Policy Evaluation 101 readily available for investigation. Therefore the legal framework of rights and duties of ISPs has been thoroughly revised. Other less comprehensive amendments concern law on electronic communications in general, state secrets regulations, additions to IT legal policy and an additional systematic approach to cyber defence issues in state defence law. As a consequence of the April events, Estonia has revised the whole legal framework with a view to potential attacks and their impact on society. One must keep in mind that regulating an area so new and developing is dangerous. Laws must be viewed as stabilizing and balancing factors in the community and therefore over-regulation or legislation of poor quality may lead to even more loss of control than any cyber attacks. Therefore the cyber security legal expert group has introduced several instruments of draft law and self-regulation (information system security auditing, consulting processes, contractual cooperation between public and private sector, etc.). As the work of the legal expert group is still ongoing, we will introduce one of the interim results, namely the Estonian initiative at the EU. 3.4. The Estonian Initiative in the EU We are currently preparing a draft in order to amend the Estonian Penal Code, but we also consider bringing up that issue and initiating possible legal changes on the European Union level. The act concerned would be the Framework Decision from the 24th of February 2005 on attacks against information systems 2005/222/JHA. Although in many EU member states attacks against computer systems may in certain cases be treated as terrorism, we find that at present it would be necessary to amend the Framework Decision on attacks against information systems. Currently the framework decision covers all attacks, whatever their range and aim. The Framework Decision includes only minimum standards and member states can lay down additional regulations in their national law. The concept of “cases which are not minor” is used in Article 3 (Illegal Access to Information Systems), or Article 4 (Illegal Interference with Information Systems) of the Framework Decision. In point 13 of the preamble of the Framework Decision it is noted that the aim is to avoid over-criminalization, particularly of minor cases. Point 15 provides that it is appropriate to provide for more severe penalties where such an attack has caused serious damages or has affected essential interests. Thus member states have some flexibility in deciding which cases are important and which not. Therefore, in order to harmonize the law and practice of member states on the EU level, the framework decision should be amended in such a way that attacks which are directed against the critical infrastructure and attacks which threaten public services would be treated as involving aggravating circumstances. Currently the Framework Decision does not differentiate between the various kinds of attacks against information systems – it is of no importance whether these are directed against public or private information systems. But the impact of disrupting and hindering these systems differs greatly when state and public interests are concerned. The framework decision should be amended in such a way that attacks against vital spheres (critical infrastructure) would always be punished as a crime, and a more severe penalty than usual would be imposed in these cases.
    • 102 E. Tikk and R. Oorn / Legal and Policy Evaluation Based on the above, Estonia has proposed to make the following addition into the Framework Decision on attacks against information systems (2005/222/JHA), Article 7 (Engraving circumstances), p.3: “3. All member states take appropriate measures to ensure that offences listed in articles 2–4, which are directed against critical infrastructures or disturb the providing of public services, are punishable with criminal penalties of a maximum of at least between two and five years imprisonment.” Such a proposal is not entirely new. When the Commission presented the Framework Decision COM(2002) 173 final form on 19.04.2002, its Article 7 (aggravating circumstances) included a regulation according to which one of the aggravating circumstances was the causing of substantial damage to critical infrastructure of a member state. As there are currently discussions going on in regard to Commission proposal COM 2006 (787): “Proposal for a directive of the Council on the identification and designation of European Critical Infrastructure and the assessment of the need to improve their protection,” we are on the opinion that, after it is adopted and an agreement has been reached on the definition of the critical infrastructure, it would be appropriate to make the amendments to the Council Framework Decision 2005/222/JHA as well. Estonia sees the need for the fight against cyber crimes in the EU in much broader terms than that. We believe that the impact of cyber crimes on the competitiveness of the EU would need a more through analysis and that it should be discussed in the framework of the Lisbon Process. The adequacy of the EU legal basis in regard to new dangers should be studied in that context. Conclusions The Internet will be a perfect battlefield of the 21st century as countries develop more dependence on the networks, and new generations feel more and more comfortable and skilled in using all the features of ICT. Countering cyber threats requires a significant increase of assets in terms of improving awareness, training, investments in technology, as well as advancing conceptual and doctrinal approaches. Increased dependence on the Internet, on-line services, and on critical information infrastructure in general, makes modern societies increasingly vulnerable. Politically motivated cyber attacks pose a challenge to governments, as cyber attackers are attempting do destabilize the society. As Estonia was the first EU member state to suffer massive and coordinated cyber attacks, in May this year, Estonia has a special interest in the subject, and we would like to take an active part on the international level in developing a policy against cyber crimes. Cyber crime and cyber terrorism is not a problem specific to Estonia, but a new danger, to which any developed country in the world using actively IT systems could become a victim. This danger should not be underestimated. The first priority for achieving cyber security should be the further development of international as well as national legal systems. As a result of effective political propaganda, a significant number of people could be motivated to launch a massive cyber attack almost instantly. Hence it is possible to inflict serious damage to critical information infrastructure even in case of ad hoc and amateur level attacks. For example, blocking all cyber traffic coming from outside a state is one of the countermeasures against cyber attacks. This might cause an
    • E. Tikk and R. Oorn / Legal and Policy Evaluation 103 information blockade for the attacked one. However, an information blockade might be the main goal for the attacker. In such a case a defensive action becomes a tool in achieving the objective for the attacker. Therefore, fighting cyber terrorism is not only about ad hoc reactions or even concerted reactions. There is often no time to react when under attack. Therefore, proactive measures will be increasingly important in combating cyber terrorism. Cyber attacks could have military consequences if a considerable amount of military technological systems are dependent on civil telecommunication services. It is possible that terrorist groups or rogue states will include cyber attacks in their arsenal. The usability of the existing political, diplomatic and legal framework is limited as it is difficult, if not impossible, to track down the origins of an attack. Dealing with the cyber attacks is even more complicated as there is no common definition of the phenomenon. The only effective way to fight cyber attacks is through strong co-operation within the international community (similar to terrorism and drug trafficking). Efficient response to cyber attacks requires a rapid reaction, pre-existing international arrangements between states, and between a state and its private entities. It is vital to create and understand the legal environment of cyber warfare/cyber terrorism and other related items. Nations should exchange information and lessons learned concerning the cyber attacks.
    • 104 Responses to Cyber Terrorism Centre of Excellence Defence Against Terrorism, Ankara, Turkey (Ed.) IOS Press, 2008 © 2008 IOS Press. All rights reserved. The Internet as a Tool for Intelligence and Counter-Terrorism Yael SHAHAR Director, Database Project Institute for Counter-Terrorism, Interdisciplinary Center, Herzliya, Israel Abstract. The internet is crucial to the daily operations of the radical groups making up the global jihad. The internet supplies the jihad movement with its recruiting and propaganda interface, as well as the means for ideological growth and the exchange of ideas. The jihadi online presence is literally the physical brain of the global jihad movement. The very openness and accessibility of this medium provides the intelligence community with a wealth of material for foundation intelligence and analysis. This resource has been neglected in recent years due to lack of qualified researchers and linguists. The key to countering these problems may lie in harnessing the power of the private and academic sectors as unofficial research arms of the counter-terrorism community. Keywords. Open source intelligence, internet intelligence monitoring, global jihad movement Introduction The uses made of the internet by terrorist organizations and extremists groups is nothing new. The terrorists use the net for the same reasons—and in the same ways— that we all use the net: for marketing, for communications, command and control, for intelligence gathering and datamining. Analysts have been bemoaning this fact for almost a decade, noting all the while that intelligence agencies consistently lag behind the terrorists in the use of the web. These complaints are legitimate, and highlight a central difference in both attitude and aptitude between terrorists and their more institutional opponents. At present, intelligence agencies are focusing most of their efforts on the threat posed by the larger jihad movement, also referred to as the salafist jihad movement or the global jihad. For the purposes of this paper, I will use the later term, with the stipulation that the global jihad refers not only to the loose network of radical organizations and cells currently under scrutiny by the intelligence community, but also to the larger social movement espousing the jihad ideology. Without this social movement, the global jihad would not be the threat that it is.
    • Y. Shahar / The Internet as a Tool for Intelligence and Counter-Terrorism 105 Moreover, without the internet, the radical groups making up the global jihad’s cadre of militants would remain a widely dispersed and isolated group of cells that happened to claim the same historical roots. It is the internet which has “globalized” the jihad movement. The network of global jihad is a product of the communications revolution. But of course, the same can be said of Microsoft. The internet has changed the way large organizations operate, be they multinational corporations or political movements. The internet is a facilitator of globalization and the global jihad is by definition a global movement. The internet supplies the jihad movement with more than its recruiting and propaganda interface. It also provides the organization with the means for ideological growth and the exchange of ideas. Without free and open communication, a movement of this size breaks down. The jihadi online presence is literally the physical brain of the global jihad movement. The very openness and accessibility of this medium provides the intelligence community with a wealth of material for foundation intelligence and analysis. This resource has been neglected in recent years due to lack of qualified researchers and linguists. The key to countering these problems may lie in harnessing the power of the private and academic sectors as unofficial research arms of the counter-terrorism community. 1. The Internet as Training Camp: To Shut Down or to Tune In? A common refrain over the past few years has been the constant complaint that the terrorists are “winning the battle in cyberspace.” They’re technologically creative, highly mobile, unfettered by either moral or bureaucratic constraints. They’ve got websites out there to fight their battle for the hearts and minds of supporters and potential supporters, to terrify their enemies, and in general “win friends and influence people.” And of course, you can’t shut them down. If you close down a website, assuming that you can persuade the service provider to do this, then you can be sure it will just pop up again somewhere else. It was some time before the analysts began suggesting that, instead of engaging in the futile effort to close down websites, we should make full use of the potential to learn about our enemy from what they say about themselves, and even more importantly, among themselves. After all, a good intelligence agency should make a point of reading everything that the enemy writes, squeezing every drop of information on the opponent’s psychological state, tactical capabilities, and strategic planning. This is what intelligence agencies do. Only it wasn’t being done—or wasn’t being done very well—with regard to the vast publishing empire of the internet. And with good reason. The sheer number of websites out there dealing with stuff that we should know about is daunting. Its content is ever changing. And of course there are linguistic issues, as well as cultural issues. To really make sense of it all would require the services of a veritable army of qualified personnel, and would be far beyond the budgetary—not to mention the bureaucratic—capabilities of most intelligence agencies. But such an army of personnel does exist, even if it’s a modest and rather irregular army. Independent research bodies and individuals have been monitoring terrorist websites and listening in on jihadist forums for years. Some of these people are contributors to the current volume—people like Gabi Weimann, who catalogued
    • 106 Y. Shahar / The Internet as a Tool for Intelligence and Counter-Terrorism terrorist websites long before it became fashionable to bemoan the terrorists’ subversion of the internet; or the folks at MEMRI, who’ve been translating relevant documents for years. Aharon Weisburd has been sleuthing into the identities of the jihadi webmasters and forum posters. The Arizona Artificial Intelligence Lab has pioneered new tools for finding out who’s who on the “jihadnet,” and analyzing their methods of persuasion. Note that all of this has come from the private sector. Smart governments realize the usefulness of these skills early on, and have taken some steps to make effective use of them. Arizona’s AI Lab has been the beneficiary of more than $20M in research funding from federal agencies. And of course, government think tanks and institutes are also dealing with jihadi materials more and more. Of particular note, the Combating Terrorism Center (CTC) at West Point has done some outstanding analysis work in applying what is learned on the web to concrete tactical operations. Some the examples cited here of intelligence gathering from Islamist online materials come from Stealing al-Qaida’s Playbook, by Jarret M. Brachman and William F. McCants [1] of the CTC. Just to give a taste of what such analysts have come up with over the past two years, I would like to present some examples of how open source datamining can clue us into how the “bad guys” think, and what to do about it. 2. Intelligence from the Web Before going further, I would like to review briefly what good intelligence is and is not. Intelligence is not “news”. Governments often press intelligence agencies into service as open source news monitoring agencies, insisting on getting up-to-date reports on things that are covered by the mainstream wire services. This kind of pressure is often detrimental to the agencies’ primary tasks, which is providing an insight into fundamental processes. Yes, an intelligence agency should be up to date with what’s going on in a particular sphere of interest. But intelligence gathering is not meant to be news reportage. At its best, intelligence leads to understanding. Properly understood, intelligence-gathering should lead to a fundamental understanding of what is going on in the sphere of interest, who the main players are, and who their friends and enemies are. With regard to a specific opponent, this intelligence should include what the opponent is doing and what the opponent is thinking. This is called “foundation intelligence”, and without it, an intelligence agency is no more than an under-funded and under-staffed news agency. Understanding leads to predictions. Proper foundation intelligence can lead to a better understanding not only of how things are likely to unfold in the sphere of interest, but also what effect contingencies outside of that sphere may have on events. Extrapolation from foundation intelligence is the work of professional analysts, who provide the crucial link from foundation intelligence to tactical intelligence. Essentially, good foundation intelligence helps to formulate answers to the following questions regarding the opponent What are they saying? What can we learn from it?
    • Y. Shahar / The Internet as a Tool for Intelligence and Counter-Terrorism 107 What should we do about it? While the Internet is unlikely to be a lucrative source of reliable tactical intelligence, it is a goldmine for foundation intelligence. This kind of intelligence deals with the following basic issues regarding the opponent: Ideology. What are their core beliefs? What divisions are there in the movement? Strategy. What are their ultimate goals and overall game plan? Tactics. By what methods do they propose to reach these goals? Structure. How do they make decisions, and who makes them? 3. What We Learn from Jihadist Websites and Forums The real heart of the global jihad is expressed online. This is the venue where ideas are hashed out, dissent is either neutralized or accommodated, and strategies and tactics are discussed. For the most part, we don’t expect to find online discussions of actual attack planning. But we can learn how ideology and opinion are shaping in the larger Muslim community who form the jihad’s target constituency and who supply the movement’s pool of recruits. In essence, Al-Qaida’s flight into cyberspace was necessitated by the destruction of jihadi training camps following the September 11 attacks. The movement’s leaders have had to turn to cyberspace as a way of maintaining contact with a geographically dispersed constituency. However, the use of the web as a primary venue for discussion was not only mandated by necessity, but was also a matter of choice. Since its inception, the global jihad has relied very heavily on the internet and the nature of online communities to further its aims. 3.1. Ideological Lessons The jihad movement’s internet presence is most felt in ideological discussion. The web is essential to the movement’s ideological development, as well as to the actual dissemination of this ideology to potential recruits and supporters. Such freely accessible discussions offer analysts a window into the jihad movement at both the “grass roots” level and the level of its top-level leaders. Senior ideologues, as well as mid-level operatives and up-and-coming scholars write on these sites. This is intelligence straight “from the horse’s mouth.” Downing and Meese of the CTC point out that a fair amount of the jihad’s key doctrinal literature is available online, in addition to documents that have been captured by the intelligence agencies of different countries. One of the best ways to learn about al-Qa’ida is to read the papers, manuals, and other documents which al-Qa’ida leaders have written to guide and discipline their own enterprise. Many of these documents have been captured by military and law enforcement forces and can provide insight into the way the organization works. Other key references are readily available on the World Wide Web.[2] They emphasize that the more access is provided to these documents, the more benefits will accrue to the counter-terrorism community as a result. As archives of translated jihadi documents become more accessible to analysts, the understanding of
    • 108 Y. Shahar / The Internet as a Tool for Intelligence and Counter-Terrorism the movement’s key ideology, strategy, and motivation is growing. What is interesting is that such analysis is increasingly coming from the private and academic sectors. An example of how analysis is leading to a greater understanding of the jihad movement’s vulnerabilities comes out of the Combating Terrorism Center (already mentioned in full). In Stealing al-Qaida’s Playbook, Jarrett Brachman and William McCants demonstrated how “jihadi strategic studies” can be used to identify and exploit the weaknesses of the jihadi movement.[1] The authors point out that the key to defeating the global jihad from an ideological point of view is to understand its ideology from the inside out: who the main ideologues are, and the significant issues that unite and divide the movement. The authors note that jihadi leaders are remarkably open and blunt when discussing who their biggest competition is and what their public relations vulnerabilities are. In a sense, members of the jihadi movement have put their team’s playbooks online. By mining these texts for their tactical and strategic insights, the United States will be able to craft effective tactics, techniques, and procedures to defeat followers of the movement. [1] I’d like to give a few brief examples of the kind of intelligence that can be gleaned from examining some of the strategic dialogue of the global jihad movement. The following examples are from Stealing al-Qaida’s Playbook. 3.1.1. Example 1: Abu Bakr Naji, The Management of Barbarism, 2004 Abu Bakr Naji is one of the more prolific Al-Qaida ideologues of the new generation. He is well-read and articulate, and his works are cited on numerous jihad websites, a testament to the high regard in which he is held by the movement. In The Management of Barbarism, Naji presents a thoroughgoing analysis of his own movement’s strengths and weaknesses, as well as those of his opponents. Obviously, such an analysis is useful for us in that it allows us to see how our enemies see themselves. But no less important is the information they give us as to how they see us. This point is well illustrated by the examination of Naji’s writings.[1] Brachman and McCants studied The Management of Barbarism; below are some key points from Naji’s work, as cited by Brachman and McCants. Naji urges fellow jihadis to study Western works on management, military principles, political theory, and sociology, in order to borrow strategies that have worked for Western governments and to discern their weaknesses. The jihadis cannot defeat the United States in a direct military confrontation. Rather, the clash with the United States is more important for propaganda victories in the short term, and the political defeat of the US is viewed as a long-term goal, as American society fractures and its economy is further strained. Naji also discloses weaknesses in the jihadi movement and the problems that predictably confront such an entity, such as difficulties in resolving chains of command, ferreting out spies within the organization, and reining in overzealous recruits. There is concern that the momentum of the movement may be slowed by clerics who challenge its legitimacy and siphon off its recruits among the youth.
    • Y. Shahar / The Internet as a Tool for Intelligence and Counter-Terrorism 109 Naji observes that the jihadi movement has often split over theological differences. 3.1.2. Example 2: Abu Qatada, Between Two Methods, 1994 Another example of the vulnerability of the jihad movement given by Brachman and McCants comes from Abu Qatada’s work, Between Two Methods. Abu Qatada is scathing in his criticism of a popular Saudi cleric, Rabi`al Madkhali, a serious rival of the salafi movement: “This man is content to claim that he is a Salafi so that he can be an imam for some inexperienced boys whom he feeds slogans and shimmering phrases.” Jihadi ideologues are very open about which Muslim religious leaders they most fear.[1] Brachman and McCants point out that although a specific enemy may no longer be a threat, by understanding why he was a threat in the past, we can look for—and perhaps exploit—similarly threatening enemies in the present. Why was Madkahli a threat? To begin with, he was a quietest, and was supported by the Saudi government. More importantly, his popularity and outreach were such that he was able to draw off young recruits from the more radical movements. 3.1.3. Lessons Learned What do we take away from these examples? Perhaps the most salient piece of information we gain is “what worries them.” Naji openly discusses some of the vulnerabilities of the jihadi movement from an ideological perspective. From his discussion, we see that the movement is vulnerable to ideological splits and knowledgeable clerics who “call them” on their interpretation. What does Naji say should be done about it? His suggestion is to co-opt religious clerics to back the jihadi’s interpretations. Where this is not possible, he suggests that rival clerics either be intimidated into silence or killed. For his part, Abu Qatada provides us with some keys as to what sort of rival cleric is the greatest threat to the movement. The answer seems to be one who manages to appeal effectively to the same target audience, the youth, and yet who espouses a program directly at odds with that of the jihad movement. 3.2. Strategic Lessons The term “jihadi strategic studies” was coined by Thomas Hegghammer and Brynjar Lia, of the Norwegian Defense Research Establishment in Oslo, to refer to books and articles on the strengths and weakness of the jihadi movement and those of its enemies. [3] Hegghammer noted that the Internet has become a vital venue for terrorist cells to organize and “brainstorm” about tactics in a decentralized way. This allows sleeper cells to operate virtually autonomously, deriving their inspiration and operational direction from texts published online by individuals on other continents.[3] Hegghammer argues that it is online that “…you really get the early signs of the ideological developments, which are later going to affect us, or might affect us, physically.”[4] At the same time, the increasing use of the internet as the central brain of the movement has also made the movement more transparent to onlookers. Terrorist/Jihadi thinking is public and susceptible to infiltration. Hegghammer
    • 110 Y. Shahar / The Internet as a Tool for Intelligence and Counter-Terrorism encouraged counter-terrorist agencies to create an “atmosphere of paranoia” on these websites, by posting fraudulent texts and subverting the readers’ trust in the literature. 3.2.1. Example: “Jihadi Iraq, Hopes and Dangers” Hegghammer and Lia analyzed a document on the Internet, “Jihadi Iraq, Hopes and Dangers”, which detailed how terror attacks ahead of Spain’s general election could drive Madrid to pull its troops out of Iraq and thus harm the US-led coalition. Brynjar Lia came across the document in December 2003 on a website called “Global Islamic Media.” According to Hegghammer and Lia, “The main thesis proposed in the document is that America cannot be coerced to leave Iraq by military-political means alone, but the Islamist resistance can succeed if it makes the occupation of Iraq as costly as possible—in economic terms—for the United States.” Their analysis led them to see in the document a blueprint for driving a wedge between coalition members. The document therefore offers a number of specific “policy recommendations” in order to increase the economic impact of the insurgency and the jihadi campaign in Iraq. The most important of these recommendations consists of trying to limit the number of American allies present in Iraq, because America must not be allowed to share the cost of occupation with a wide coalition of countries. If the mujahidin can force US allies to withdraw from Iraq, then America will be left to cover the expenses on her own, which she cannot sustain for very long. The intermediary strategic goal is therefore to make one or two of the US allies leave the coalition, because this will cause others to follow suit, and the dominos will start falling [5]. The document’s anonymous author emphasized that: ...It is necessary to make utmost use of the upcoming general election in Spain in March next year. We think that the Spanish government could not tolerate more than two, maximum three blows, after which it will have to withdraw as a result of popular pressure. If its troops still remain in Iraq after these blows, then the victory of the Socialist Party is almost secured, and the withdrawal of the Spanish forces will be on its electoral programme. [5] A few months later, on 11 March—just prior to the elections—Madrid was rocked by a series of train bombings that killed 190 people. Partly as a result, Spain’s conservative government, which supported the Iraq war, lost the vote to the opposition Socialists, who later pulled Spanish troops out of Iraq. It would be hard to believe that the bombers were unaware of the “Hopes and Dangers” document, given its depth of detail and its widespread distribution. In fact, as pointed out by Lia and Hegghammer, the “nom de terror” chosen by an alleged Al- Qaida video spokesman after the attack—Abu Dujana, a warrior and contemporary of Mohammed—matches one mentioned in the “Hopes and Dangers” document. Further evidence that the bombers had considered the political effect of their actions was provided by the behavior of an alleged ringleader of the Madrid attacks. A cell phone on an unexploded bomb led Spanish police to Jamal Zougam within a day of the bombings. As the New York Times reported: “When Mr. Zougam arrived in court after five days incommunicado, he reportedly asked the clerks, ‘Who won the elections?’”[6]
    • Y. Shahar / The Internet as a Tool for Intelligence and Counter-Terrorism 111 3.2.2. Lessons Learned The “Hopes and Dangers” document is one example of the kind of basic intelligence that is freely available on the Internet. What can be learned from this example of jihadi strategic studies and the way it was put to practical use? One of the most obvious messages is that the new generation of jihadi strategists place a greater emphasis on pragmatism, and less on ideology. The “Hopes and Dangers” document provides a cool analysis of political realities, with fewer references to historical battles and quotes from the Quran. Eschewing flowery rhetoric and exaggeration, it goes to the heart of current events and possible consequences. Clearly, Al-Qaida’s future ideological leadership is evolving in the direction of greater professionalism. 3.3. Tactical Lessons Just as the jihad uses the web for ideological discussion and dissemination of ideas, tactical discussions and training materials are also freely available online. Among the intelligence that can be gleaned from these documents is information on the tactics they see as effective, the weapons they favor and why, and perhaps even more importantly, their assumptions regarding the effectiveness of these weapons. The following two examples are from Brachman and McCants’s Stealing al- Qaida’s Playbook. 3.3.1. Example 1: Abu Mus’ab al-Suri. Abu Mus’ab al-Suri (aka Mustafa Setmarian Nasar) has made a study of failed jihads in the contemporary world. He identifies various reasons for such failures, including: The co-operation of local governments in countering jihads, and the failure of the jihadists to organize simultaneous attacks in neighboring countries. Suri cites as an example the co-operation of Syria with Jordan, Iraq and other neighbors during the 1960s to 1980s. He suggests that if the neighboring states had been struggling against their own jihads, they would not have been so quick to assist Syria. The failure to consider the influence of ethnic minorities and tribes, or the possibility that these populations may be co-opted by the state. The failure to provide jihadi fighters with a sense of personal connection to their leaders, or with the vision that they too may become leaders. The failure to gain popular support from the Muslim majority; Suri identifies the role of propaganda as being crucial in this regard. The insufficient involvement of Muslim clerics. Suri argues that clerics’ involvement is essential for developing new local jihad groups. 3.3.2. Example 2: Abu Bakr Naji Abu Bakr Naji suggests various ways in which the jihad movement could be strengthened. He outlines three stages for establishing the Khaliphate, beginning with the bombing of crucial targets in order to draw the local security forces in around these centers. The ensuing chaos would allow jihad leaders to assume control of the more
    • 112 Y. Shahar / The Internet as a Tool for Intelligence and Counter-Terrorism remote regions, and from there the jihad administrators could network towards establishing a Khaliphate in that country. Naji also suggests that low-ranking jihadists should not be allowed to launch their own attacks, other than small to medium ones. He argues that major attacks such as 9/11 must be organized only by the High Command, since the wrong attack at the wrong time would undermine the movement. Naji notes that mass-scale Muslim support is of prime importance, and that already the Muslim public is wary of the jihadists’ use of violence, and may view the jihadists as trouble-makers. Without Muslim support, Naji cautions, new recruits cannot be found. Finally, Naji argues that the education of young people is only complete when they participate in jihad. He views the education provided by Muslim religious leaders as being of lesser importance, while jihad involvement is seen as providing essential training. The involvement of youth in jihad is viewed as a further step towards establishing the “global Islamic resistance” and, ultimately, the global Khaliphate. 3.3.3. Lessons Learned One way to counter the jihadis’ tactic would be by helping local surrogates establish their own enclaves in those regions left unprotected by security forces. Local ethnic groups can play a role in preventing security vacuums from forming. The jihadis and the counter-terrorism community are competing for the same audience; however, public opinion is more important to the “irregular” side in a low intensity conflict. For this reason, a greater emphasis must be placed on psychological and information operations in the sphere of influence, in order to undermine the popular support on which the jihad movement is dependent. 4. Counter-Attacks 4.1. Terrorism Websites as a Key to Efficacy As mentioned, the jihad relies heavily on the web for the dissemination of information from the upper echelons, as well as for discussion at all levels. Statements by the leaders of the movement should be considered a useful input for intelligence analysis. Content analysis of such statements may give some hint of intentions, although there is a significant amount of bluster, hype, and misdirection present in much of these statements. Context analysis may therefore be of greater utility. This kind of analysis can determine what the person making the statement thinks that his followers want to hear. Thus, context analysis can provide some measure of the “temperature” of the “street.” This is a useful input to foundation intelligence, as well as an aid to determining the focus of tactical intelligence gathering. Special attention should be given to the language, focus, and design of jihadi websites. The languages used can tell us who the jihadis see as their primary audience for recruits. In some cases, this points to perceived vulnerabilities among the targeted group. But it can also tell us who the jihadis would like to have as recruits—who can be of most use to them. For example, European Muslim converts are increasingly the focus of “narrow casting” on jihadi websites.
    • Y. Shahar / The Internet as a Tool for Intelligence and Counter-Terrorism 113 Another point of consideration is the imagery and design of the sites. These sites are frequently the work of some of the best and brightest of the new generation jihadi recruits. They know their audience, and they know what techniques are likely to be effective. With this in mind, we can say that imitation is the sincerest form of counter- terrorism! But it isn’t only the style of outreach that can be copied. Here too, a bottom-up approach can yield benefits that would be unthinkable for top-down institutionalized responses. Web designers from the jihadis’ own target audience can be recruited by the counter-terrorism community to build a counter-offensive. The success of this kind of campaign depends on working at the “grass roots” community level. The main allies of the counter-terrorism community will be those singled out for recruitment by the jihadis themselves. Terrorists and counter-terrorists are competing for the same audience. The techniques used successfully by both sides will reflect this. 4.2. Psychological Operations Analyst Stephen Ulph of the Jamestown Foundation has been monitoring jihadi forums, with a special emphasis on those dealing with the situation in Iraq, the new training ground for the jihadi movement. In July 2005, Ulph noted how news of ongoing discussions between the US military and the Iraqi insurgents was affecting traffic and commentary on jihadi forums [7]: The news evoked considerable notes of distress on the jihadi forums. On the al- Qal’a forum one signing himself al-Sharif al-Idrisi, noted, on June 28, the similarity of this potential development with the situation in Afghanistan, “when those fleeing the Tora Bora caves were met by the Pakistanis not intent on helping them but in selling them to the Americans. We pray God that this doesn’t happen to our brothers in Iraq” [www.qal3ati.net]. This kind of commentary highlights a key weakness as perceived by the jihadi militants themselves—their vulnerability to betrayal by the wider society in which they operate. Such fears are, of course, easily played on. One obvious stratagem for exploiting this sense of paranoia would be to “feed” news of betrayals to local news media, then cast blame in the relevant forums upon elements within the organization, or in rival organizations. Ulph also noted that the news of meetings between coalition leaders and insurgents was met with denial by many: At the same time strenuous denials were being posted on the internet forums that any such meeting took place, including from groups said to have participated in the talks. One posting on June 30 appeared on the al-Qal’a forum signed by The Islamic Army in Iraq, the Army of the Mujahideen and the Army of Ansar al-Sunna. It expressed exasperation at Ayham al-Samarrai’s “lies and America’s games” and swiftly pointed to the impending peril for the Islamist mujahideen in Iraq: “its intentions are to split the ranks of the mujahideen … to divide the Iraqis from non-Iraqis ... to pull the rug from under the mujahideen … How can a heroic mujahid Muslim brother in any country be a foreigner?” [7] What is significant here is the perceived motive of these “American games,” namely, “to split the ranks of the mujahideen … to divide the Iraqis from non-Iraqis ... to pull the rug from under the mujahideen.” One can gain a good deal of insight into the state of insecurity of the opponent from this sort of posting. Obviously, one forum posting or internet statement does not give an indication of the psychology of a whole
    • 114 Y. Shahar / The Internet as a Tool for Intelligence and Counter-Terrorism organization. However, if monitored on an ongoing basis, the total compendium of such statements can provide a real “feel” for the psychological state of the opponent. And if “being sold out” is what they fear, then by all means, one should play up any and every possible case of such a sell-out, and milk it for all it’s worth. The potential of such suspicions to turn the opponents’ forces against his own is indicated by the continuation of the same statement quoted by Ulph above: With America’s designs being “to return the Baathists to power, in the name of the resistance” the statement accused Iyad Allawi of “giving orders to the Baathist Ayham al-Samarrai to intrigue against the mujahideen and the resistance … So we proscribe the life of Ayham al-Samarrai, and declare him to be a target of the mujahideen in general and in particular of all members of the three groups (The Islamic Army in Iraq, the Army of the Mujahideen and the Army of Ansar al-Sunna). … Anyone who allows himself to be seduced into doing what the fantasist Ayham is doing will share the same fate” [www.qal3ati.net]. [7] In other words, whether correct or not, the suspicions served to drive a wedge between the organization and its perceived enemies. Ulph points out that if the same suspicion can be cast upon elements within the organization, instances of “red on red” firing between opponent groups will be seen to increase. 4.3. Countering Recruitment and Propaganda The global jihad movement, like any other major social movement, depends on a broad base of support. Positive public opinion from within its constituencies is a must, not only for bringing new recruits into its cadres, but also for garnering support for its less obviously goal-driven activities. As has been pointed out by Yoav Mimran, one of the key values of Muslim societies is social unity and harmony. Anyone seen as sowing discord or endangering public order is likely to be seen as an enemy of the public good, no matter how otherwise worthy are his goals. Brachman and McCants have noted that the movement “declines in popularity when it is perceived to be attacking fellow Muslims, causing public disorder, damaging critical national industries, or engaging in sectarianism.” [1]. They point out that one effective point of counter-attack would be to “harness the power of the ‘Shayma Effect’ [referring to an incident where an Egyptian schoolgirl was killed in a jihadi attack], broadcasting images of jihadi attacks that have killed Muslim children. [1] The authors point out, however, that any such campaign must be managed very much “from the rear” and by proxy. To this we may add that an institutionalized campaign can never have the same power or reach as a genuine “grass roots” campaign among the potential constituency of the opponent. Only when we are able to inspire local actors to join the fray will such a media counter-offensive really be effective. A government-sponsored campaign, no matter how skillfully managed, is no substitute for the participation of local bloggers, media people, and commentators. 4.4. Undermining Trust From articles which are available online regarding the training of activists, we can learn of areas that the jihad movement itself sees as weaknesses, the better to exploit them.
    • Y. Shahar / The Internet as a Tool for Intelligence and Counter-Terrorism 115 For example, a number of articles have been posted warning forum posters of possible digital interception, and suggesting ways of getting around the problem. In other instances, internal debate can point to potential splits within the movement, or to a lack—or perceived lack—of leadership. In addition, these kinds of debate can show what issues are of greatest concern to the jihadis themselves. 4.4.1. Example 1: Divide and Conquer In fact, the penetration of Islamist forums by counter-intelligence agencies has resulted in the arrests of several key figures. These may include the arrests of forty mujahideen in Saudi Arabia, and the arrests of the attackers of the Abqaiq (Buqayq) oil facility. Most certainly, the arrest of the infamous “internet jihad” Irhabi007 was due to a fairly common lack of attention to basic security procedures online. A significant spin-off of such events is the mistrust and confusion which abounds on jihadist forums in their wake. During the first half of 2005, Stephen Ulph and other researchers at the Jamestown Institute noted a spate of warnings and debates which appeared on jihadist forums. The warnings were to the effect that forum participants should not enter certain websites—not even as a visitor—for fear of being identified by the “dogs in intelligence” (cited by Ulph, as posted on the Syrian site “Minbar Suriya al-Islami”). The debates concerned the authenticity of certain jihadist forums, or of site administrators or participants who were suspected of being counter-intelligence spies [8]. The end result is that jihadists’ confidence in their ability to dodge state control via the use of Internet forums has dropped significantly in the past couple of years. Despite the jihadist forum administrators’ best efforts to use proxies and to conceal participants’ identities, this kind of confidence may not be all that easily recovered. 4.4.2. Example 2: Encourage Sectarianism According to Ulph, “the pool of experienced, credible ideologues may be draining” amongst jihadist supporters. Ulph has noted that in the wake of the kidnapping and assassination of the Egyptian ambassador to Baghdad, al-Zarqawi’s Al-Qaida group was criticized by the two main Egyptian militant Islamist organizations. [8] These detractors argued that Al-Qaida in Iraq was more focused on destroying the Shi’a and Kurd populations than it was on fighting the enemy occupier. They also suggested that the organization was unable to learn from its past mistakes, and that it was causing “the average Muslim” to feel alienated from Islamist groups in general.[9] The latter criticism was echoed by Abu Muhammad al-Maqdisi of the al-Tawhid wal-jihad movement, who argued that the true nature of jihad was being distorted by al-Zarqawi and other mujahideen in Iraq. In addition, criticisms regarding the London bombings were posted on jihadi forums by Abu Baseer al-Tartusi [www.abubaseer.bizland.com]. These kinds of criticisms are particularly important since they have been publicly aired by members of the Muslim community. In both instances cited above, internal debate and dissent can work to undermine the confidence of the jihadis in their own organizations. This drop in confidence can affect the organizations’ infrastructure, as in the case of the perceived use of Internet forums by counter-terrorism operatives; alternatively, confidence in the leaders themselves may be affected, as in the case of the criticism of Zarqawi.
    • 116 Y. Shahar / The Internet as a Tool for Intelligence and Counter-Terrorism 5. Conclusions and Recommendations Terrorists’ use of the Internet for command and control, propaganda, and intelligence gathering has been bemoaned for years by law enforcement officials and intelligence agencies. Too often, the field has been ceded to the terrorists, with the counter- terrorism community struggling to catch up—amid allegations of inefficiency, misplaced funding, and organizational ineptitude. The examples presented above show the kind of conclusions that can be drawn from jihadi texts and inter-organizational dialogue, as well as examples of practical lessons learned. The fact that almost all of the raw material for this analysis is available online should not detract from its importance in the eyes of intelligence agencies. There is a tendency for intelligence agencies to get caught up in the “top secret implies top value” mentality, leading them to overlook some of the most crucial inputs to intelligence that are freely available to all takers. 5.1. Horizontal Dataflow versus Vertical Dataflow In order to fight the type of terrorist entity that has evolved out of the communications revolution, intelligence agencies will need to learn the lessons taught them by the terrorists themselves. This means the establishment of a “ground-up” grassroots approach to counter-terrorism—a horizontally-structured counter-terrorism apparatus to replace, or at least complement, the older top-down hierarchical model. What is needed is not only a technological shift (which is now underway), but an organizational shift. In practical terms, this means that information flow, too, will need to be less vertical (from the top down) and more horizontal. At the same time, the organizational structure of the counter-terrorist community as a whole will need to be reworked to take full advantage of the Internet, both as a tool for intelligence gathering and as a means for command and control. It’s a tall order. But the reality on the ground increasingly calls for it. What’s more, the means now exist for doing it. If they can do it, why can’t we? And in fact, it’s already happening. Increasingly, we’re seeing the initiative for intelligence gathering and analysis shifting from the hands of government agencies into private hands. This is as it should be. Terrorism endangers us all—citizens as well as military and law enforcement personnel. In fact, due to the nature of terrorism as psychological warfare, it is the private sector that is most at risk; and this is also the designated target. It is important that the “professional” intelligence community understand this shift from governmental to private inititiative, and in fact embrace it. They need to learn to make proper use of the ground-up efforts of academics, internet sleuths, and independent analysts. Brachman and McCants note that at present few agencies have access to the kind of experts who have a deep enough background in the culture and language of the opponent to provide the kind of analysis essential for good foundation intelligence. Even when they do, such analysis tends to remain within the “orbit of the agency where it originated.” They suggest that the United States government “might consider establishing a think tank staffed with highly trained experts on the Middle East and counterinsurgency whose sole purpose would be to identify the major jihadi thinkers and analyze their works.” [1]
    • Y. Shahar / The Internet as a Tool for Intelligence and Counter-Terrorism 117 While such a think tank is a worthy goal, these problems will not be overcome by the establishment of yet another government-sponsored entity, no matter how well- funded or well-staffed. It is the nature of bureaucracies to become monolithic, self- perpetuating, and inward-looking. A better solution is for governments to establish links of mutual support with the grassroots organizations already doing these analyses. This means that government agencies need to know who these entities are, what they produce, and what they need in order to keep working—usually money. What is needed is a working relationship, though it isn’t clear whether this should be based on a “consumer/supplier” relationship, or on cooperation. In addition to fundamental intelligence gathering and analysis, information operations too are shifting from the government to the private sector. This is a positive step, regardless of the potential for “vigilantism”. Governments will need to recognize the potential of the private sector, particularly in the sphere of interest, to manage their own information and media operations. To be effective in low-intensity conflict, our definitions of tactical counter-terrorist operations will need to be expanded to include web-based operations. In particular, web-based PsyOps and counter-propaganda should be seen as key elements in the counter-terrorist arsenal. It is crucial that any information campaign make use of the same tactics and the same venue as those used by the jihad movement itself. It is also crucial that the counter-terrorism community understand the implications of the change brought about by the communications revolution. Today’s battles are being fought more and more in the sphere of public opinion rather than on the battlefield. The counter-terrorism community is competing for the same audience as the jihadis themselves. In this type of warfare, the Internet is both battlefield and weapon. For the jihadis, this is a two-edged sword; the greater their dependence on the Internet, the greater their reach and efficiency, but also the greater their vulnerability. References [1] Jarret M. Brachman, William F. Mccants. “Stealing al-Qa’ida’s Playbook.” CTC Report. February 2006. [2] Wayne A. Downing and Michael J. Meese, “Harmony and Disharmony Exploiting al-Qa’ida’s Organizational Vulnerabilities.” Combating Terrorism Center Department of Social Sciences United States Military Academy 14 February 2006. [3] Jihadi Strategic Studies: The Alleged Al Qaida Policy Study Preceding the Madrid Bombings Studies in Conflict and Terrorism. Routledge, part of the Taylor & Francis Group, Conflict, Security and Strategic Studies, Volume 27, Number 5/September-October 2004. p. 355-375. August 19, 2004. [4] Australian Broadcasting Corporation. TV Program Transcript: Al Qaeda weaves web of terror. Broadcast: 18/03/2004. http://www.abc.net.au/lateline/content/2004/s1069029.htm [5] Brynjar Lia and Thomas Hegghammer. “FFI explains al-Qaida document.” Forsvarets forskningsinstitutt. 19 March 2004. [6] New York Times. “As Europe Hunts for Terrorists, The Hunted Press Advantages.” March 22, 2004, Section A, Page 1, Column 1. [7] Stephen Ulph. “Islamist insurgents seek to contain PR disaster: notes of defeatism.” Terrorism Focus. Volume 2, Issue 13 (July 13, 2005) [8] Stephen Ulph. “Zarqawi’s declining ideological support among Islamists”. Terrorism Focus. Volume 2, Issue 14 (July 22, 2005) [9] www.alsakifa.net, July 14, 2005; cited in Ulph [8].
    • 118 Responses to Cyber Terrorism Centre of Excellence Defence Against Terrorism, Ankara, Turkey (Ed.) IOS Press, 2008 © 2008 IOS Press. All rights reserved. NATO and Cyber Terrorism Lt. Paul EVERARD NCIRC – NATO (SHAPE) Belgium Abstract. NATO is very aware of the need to secure its systems, and we have been the subject of numerous politically-motivated cyber attacks. We will look at the beginning of the brief at the issue of when these can be said to amount to cyber terrorism, and compare the NATO definition with those of other organizations. We will move on to cyber attacks, and give some examples of this activity. This raises the question of what the response to cyber attack should be. We will look at the decisions taken by NATO on this subject, and at what NATO is doing to prevent such activity on its networks. I will conclude the presentation with some recommendations for our defensive stance against cyber terrorism. Keywords. Cyber terrorism, cyber security, NATO, NCIRC The Scope of this Presentation This presentation will consider not only ‘cyber terrorism’ but related topics, like cyber attacks and security more generally. NATO is very aware of the need to secure its systems, and we have been the subject of numerous politically-motivated cyber attacks. The issue of when these can be said to amount to cyber terrorism we will address at the beginning of the brief. I will provide the current NATO definition, and compare it with some from other organizations. We will move on to cyber attacks, and give some examples of this activity. This raises the question of what the response to cyber attack should be. We will look at the decisions taken by NATO on this subject, and at what NATO is doing to prevent such activity on its networks. I will conclude the presentation with some recommendations for our defensive stance against cyber terrorism. Definitions of Cyber Terrorism There are some in the world of Information Technology (IT) who believe that cyber terrorism in the true sense of the word does not exist. According to these people, what we observe is simply individuals, groups, or organizations using ‘information warfare’ (communication and attacks using the internet and other networks) for their own goals, but without creating the destruction and devastation that we associate with terrorism. It can often be very difficult to determine if an attack is ‘terrorist motivated’ or ‘criminally motivated’, and these two categories of motivation could be broken down further. Clearly however, what we are looking at here is the development of new terrorist capabilities provided by modern technologies and networked organizations,
    • P. Everard / NATO and Cyber Terrorism 119 which at present allow terrorists to conduct their operations with little or no risk to themselves. NATO Definition The current NATO Definition of cyber terrorism is: “A cyberattack using or exploiting computer or communication networks to cause sufficient destruction or disruption to generate fear or to intimidate a society into an ideological goal.” This originates in a NATO document, but the report goes on to concede that due to its non-physical nature, accurate definitions of cyber terrorism are not easy to produce. The NATO Office of Security does recognize that it is becoming increasingly feasible to exploit the many vulnerabilities of cyber space, especially with regard to those services that rely on computer and communication networks. NIPC Definition The National Infrastructure Protection Center, now part of the US Department of Homeland Security, states as their understanding of cyber terrorism: “A criminal act perpetrated by the use of computers and telecommunications capabilities resulting in violence, destruction and/or disruption of services to create fear by causing confusion and uncertainty within a given population, with the goal of influencing a government or population to conform to a political, social or ideological agenda.” FBI Definition The Federal Bureau of Investigations has the following definition of cyber terrorism: Any “premeditated, politically motivated attack against information, computer systems, computer programs, and data which results in violence against non-combatant targets by sub-national groups or clandestine agents.” CSIS Definition In his 2002 report “Assessing the risk of cyber terrorism, cyber war and other cyber threats”, James A. Lewis of the Center for Strategic and International Studies (CSIS) gives another widely-quoted definition: “The use of computer network tools to shut down critical national infrastructures (such as energy, transportation, government operations) or to coerce or intimidate a government or civilian population.” These definitions have much in common, although the emphases differ. The results of cyber terrorism may be measured by the terrorist having the ability ‘to affect physically’ something which is of importance to the victims. However, even if attacks are not ultimately successful, the attacker may manage to spread the fear of attack among many, with often painful economic results for businesses. Although perhaps the most likely use of the internet for what would unquestionably be an act of terrorism would be in the form of a ‘hybrid attack’, with a Denial of Service attack combined with a conventional attack, what I think of as true cyber terrorism is the sole use of a network for an attack, that is, the network’s use as the method of delivery for the attack.
    • 120 P. Everard / NATO and Cyber Terrorism It is certainly possible to think of ways in which the networks could be abused in ways that result in mass casualties. Considering the Internet or networks, the attacker will want to disrupt or destroy traffic passing through, install malicious software (‘malware’) onto systems, initiate fraudulent transactions with a desire to erode confidence in world marketplaces, or access sensitive information and to exploit it for further attacks that may not be network based. Attacks through the networks could be on air traffic control systems, or on the operation of train signals, particularly those located at busy intersections. A successful attack against air traffic control facilities, for example at London’s busy Heathrow Airport, could result in a triumph for the attacker able to carry it out. Profile of the Cyber Terrorist Another approach to looking at the issue of cyber terrorism is to ask: who are the cyber terrorists? For the most fatal forms of attack they would have to be hackers, i.e. advanced computer users who dedicate their time to finding vulnerabilities in IT systems. Our typical impression of hackers is of people generally lacking the motivation to cause severe economic or social harm. Hackers in the news include, for example, the two teenagers who in 1998 were found to be accessing US airforce IT systems, amongst other things, and who were eventually brought to justice. However, interest in using hacking for terrorism has certainly featured in al-Qaeda communications. It is frequent that terrorist activities overlap with more widespread kinds of criminality. There are already innumerable computer criminals, determined to commit any form of fraudulent activity generally for financial gain. We could find terrorists making use of such methods as phishing, extortion using e-mails, and the insertion of viruses, especially Trojans. Anyone with an average ability to use the Internet, and enough money and motivation, could mount a Denial of Service attack. The use of bot-nets is available for a price on the Internet. Aspects of Cyber Terrorism Cyber terrorism involves offensive information technology, whether it operates alone or in combination with another form of attack. Cyber attacks are usually limited to non- physical effects like the destruction of data. However, we should bear in mind that although protection against attacks with physical effects is paramount, the wiping out of files and data on systems could be disastrous to an organization, while the destruction of health records could endanger lives. There is the possibility that hostile actions would threaten to bring down the Internet itself. However, the terrorist requires the network to be in place, which poses the question how far does he go in his effort to destroy/disrupt? One distinctive factor of this kind of terrorism is that the attacker requires the network to be kept in place in order to carry out the attack, or to retrieve more information from it. Specific areas of the network are undoubtedly targeted and services denied, but the attacker uses the network. Only if it was essential would the terrorist want to cause wholesale the closure of it.
    • P. Everard / NATO and Cyber Terrorism 121 For one thing, terrorist communications are to a large extent over the Internet. Terrorist propaganda also has the ability to substitute their ethics for our own, i.e. broadcasting by states or established companies is replaced by their own. They use the freedom of the Internet to bypass normal moral restraint in favour of using shocking media. We have seen the broadcasting of horrific scenes, particularly of the treatment of hostages. What Are the Objectives of Attack? What might be the objectives of an attack over the networks? When we list the aims of terrorism in general, in each case we find that these aims can be met by attacks through the networks. Terrorists want to cause: Loss of integrity Contaminated systems could lead to fraud, incorrect decisions being made, or may be the precursor to loss of availability and confidentiality. Information must be protected from unauthorized changes. Loss of confidentiality Disclosure of data could lead to loss of public confidence, especially during times of crisis. Loss of availability of services This could prevent governments or other organizations fulfilling their mission, whatever or wherever it may be. Support services could be hampered or prevented in their efforts to provide a service to the front-line. Physical destruction The is the possibility of creating physical harm through the use of IT. We should be aware of the danger of hacking attacks on the SCADA (Supervisory Control and Data Acquisition) systems that manage our modern world, our power, water treatment and distribution, and other aspects of our critical infrastructure. We will look at this in more detail later. It is a good point to consider that the high demand for, and dependence on, resources globally greatly enhances the impact of this potential threat. Examples in the News of Attacks over the Networks Attacks on Organizations The following are examples of the Internet-connected attempts to disrupt services which later appeared in public news reports. We begin by noting the cyber attacks in response to NATO’s operational activities. To quote from CNN (31 March 1999): “Access to NATO website disrupted. The NATO website has been under a deliberate bombardment from Yugoslavia that has made e-mail service and access to the site ‘erratic’, NATO spokesman Jamie Shea said Wednesday …” The following is taken from Reuters (2 Sept 1999): “Chinese hackers mounted a cyber blitz against US and NATO. Hackers with Chinese Internet addresses mounted a cyber blitz against US and allied forces, after NATO bombed the Chinese embassy in Belgrade, a top US Air Force officer said on Wednesday. Lt.-Gen. William Donahue, Commander of the Air Force Communications and Information Center at the Pentagon, said hackers ‘came at us daily, hell-bent on taking down NATO networks’.”
    • 122 P. Everard / NATO and Cyber Terrorism It is the increasing frequency of events such as these that put the issue of cyber defence firmly on the agenda during the 2002 NATO Prague Summit. There are also examples of attacks on other organizations. Very recently, in the past months, the United Nations (UN) has been hit by a string of hacking attacks aimed, among other things, as building ‘botnet’ hordes. 1 These financially-motivated incursions, launched from the same remote location, infected a server common to three websites and downloaded a Keylogger and a Trojan to ‘visitor computers’ via ‘drive-by attacks’. The quote is from Darren Pauli of Computerworld Australia: “Keylogger and Trojan target United Nations. UN serves dangerous malware after online attack: The United Nations (UN) has been hit by a string of hacking attacks aimed at identity and credit card theft, and building botnet hordes. The attack on the UN Asia Pacific website is believed to originate from the same group responsible for attacks on the US-based Biotechnology Information Organization and the prominent Indian Syndicate Bank. It is unknown if the group is responsible for more attacks.” Trojan E-mails Targeted Trojan e-mail attacks have become a more pervasive threat over recent years. The attack will initially depend on the unsuspecting user casually clicking on an attachment in an e-mail to release the malware onto the host. The processes used are sophisticated, and the e-mails are made to seem credible. Once activated, Trojans can: Upload documents/data to a remote computer. Collect usernames and passwords for user accounts. Collect critical system information and scan network drives. Use infected machines to compromise other computers and networks. Download further programmes (e.g. worms, or more advanced Trojans). Although one variety of these Trojans appears to do nothing more than to harvest e-mail addresses for use in spam emailing, there are a growing number of reports of much more severe consequences such as: Erasing or overwriting of data. Creating a back door programme to allow the exfiltration of documents. Installing keyloggers used in the theft of user accounts credentials. There are also many other facets of such attacks. Some compromises of sensitive data have already been attributed to this method of attack. The perpetrators are very rarely tracked down due to the liberal, uncontrolled nature of the internet. One of the most common types of Trojan aims at building botnet hordes. Here the malware maintains a ‘backdoor’, allowing attackers to monitor and hijack user machines. A ‘Websense Australia and New Zealand’ network official has recently commented that such attacks “exploit remote servers with weak security and typically target common brand names to maximise exposure.” In other words, cyber groups will target ISPs which do not have sufficient security, employ common brands of servers, and place those servers in locations without tight controls or law enforcement. 1 ‘Botnets’ are a collection of compromised systems that are tasked by the attacker via the use of malicious software which runs processes on a system that its user is generally unaware of.
    • P. Everard / NATO and Cyber Terrorism 123 Cyber Attacks for Sale To illustrate how easily Denial of Service (DoS) attacks can be bought on the Internet, here is an excerpt taken from an article from the PandaLabs blog website: “DDoS 1 hour US $10-20 (depends on the seller), 2 hours US $20-40, 1 day US $100, more than 1 day from US $200 (depends on the complexity of the job).” The price usually depends on the attack time. Later we will look at the Estonian incident, where attackers purchased such packets of DoS attacks for use against government computers and others. The following advertisement aimed at financial fraudsters is also quoted. It was posted by pmontoya on 23 April 2007: “Accounts, FTP accounts: US $1 per account. 50MB of limbo Trojan logs US $30 (contains e-mail accounts, bank account numbers, credit card numbers, etc.. A percentage is guaranteed…).” The writer of the article went on to ask the questions: “How do hackers make money out of programming malware? Where do they sell their creations? For how much?” And, interestingly: “Who buys the malware and what for?” Digital espionage is a tool that is available to the cyber terrorist for his intelligence purposes for future attack. Attacks on SCADA Systems To illustrate the danger of attacks on SCADA systems we can look at a US Department of Homeland Security-commissioned experiment to exploit a vulnerability in such a system. The exercise was intended to demonstrate how a remote digital attack by hackers could cause real world damage. Following the experiment, in which part of a power grid caught fire, the press report read: “Simulated cyber-attack shows hackers blasting away at the power grid …” Such attacks are not science fiction. US government officials in 2002 claimed that they had evidence, retrieved in the form of training manuals from al-Qaeda training camps, that terrorists had explored such vulnerabilities in SCADA systems with the intention of conducting attacks. The Australian authorities are also taking the potential threat to critical systems very seriously, having experienced the results of an attack of this nature. Symantec’s security reports also highlighted the Australian case, in which a disgruntled ex- employee, Vitek Boden, hacked into a computerized waste management system in Maroochy Shire, Queensland, and caused millions of liters of raw sewage to spill out into local parks, rivers and even into the grounds of a Hyatt Regency hotel in March 2000. The incident was reported in this way: “SCADA Systems a Real Cyber Security Threat, Brisbane, March 02, 2005. ‘Most Australian SCADA-dependent utilities are currently ill prepared for a cyber security breach meaning that some of our most critical infrastructure services, such as electricity and water are in danger of becoming seriously compromised … The ongoing integration of SCADA systems with technologies such as the Internet and wireless, and the integration with other business systems, means that these systems are now more accessible and vulnerable to electronic attacks,’ said Kim Duffy, managing director of Internet Security Systems Australasia (ISS) (Nasdaq: ISSX).” 2 2 http://www.iss.net./about/press_center/releases/pr_27429.htm, and
    • 124 P. Everard / NATO and Cyber Terrorism Worms The famous ‘Slammer Worm’ of early 2003 was 400 times faster than the ‘Code Red Worm’. It disrupted banking, airlines, infrastructure and emergency services, and the disabled the safety monitoring system at a nuclear power plant for combined period of 11 hours. Although site staff stated that there had been no threat posed to safety, the potential for failure had already been identified in a governmental report some 6 years earlier. The 1997 report was compiled after a six-month investigation of power grid cyber security, described a “national system controlled by byzantine networks riddled with basic security holes.” DDoS Attacks For a number of days during April–May 2007, Estonia experienced a mass cyber attack by attackers which succeeded in mounting a large-scale Distributed Denial of Service (DDoS), in which selected sites were bombarded with traffic in order to force them offline. Nearly all Estonian government ministry networks encountered difficulties because of the quantity of directed traffic, and there was disruption to international connections and general performance levels. Also, the party website of Estonia’s Prime Minister Andrus Ansip featured a counterfeit letter of apology for removing a Russian World War II memorial statue, an event seen as linked to the motive behind the attack. Estonia is thought to be one of the most ‘wired’ countries there is. Even so, the attack had a significant effect. NATO’s Improving Cyber Security The effects of NATO’s policies for protecting against cyber attacks are illustrated by the fact that we were able to detect an attack that occurred some time ago on one of our mail servers. A Denial of Service was detected by our network monitoring devices, and our team was able to respond appropriately before much damage could be done. During the period 9–10 August 2006 a NATO mail server came under a distributed attack from a network of infected systems. We were able to reconstruct the attack with a diagram in which each red node represented an individual attacking system, and blue nodes were the type of attack carried out. Somewhere in the middle was a white square indicating the attacked system. In total, over a 15 hour period, around 25,000 attempts to relay traffic through the target were observed. The target mail server in this case was incorrectly checking emails that were not for its internal network, and appeared to offer the capability of relaying e-mail traffic. At some time during the morning of 9 August, one ‘system’ connected to the server and identified a way of spreading spam emails across the Internet. This system then contacted all the other members of its network (the botnet), which then tried to attempt to relay traffic through the server. In the event, NATO was able to stop the attack by re-configuring the mail server to respond correctly to the attempted e-mail relay traffic. http://www.theregister.co.uk/2001/10/31/hacker_jailed_for_revenge_sewage
    • P. Everard / NATO and Cyber Terrorism 125 NATO and Vulnerabilities NATO depends on the Internet for much of its business, either directly, for contacts with governments or commercial organizations, or as a bearer, and during the Pakistan relief operation not long ago the Internet was the primary means of co-ordination. The following are threats that I believe we at NATO should prepare ourselves against: The malware within: that which is already present behind our defences. Targeted espionage: prolonged attempts to compromise our network which we may not detect. Classified information leaks: are our users practicing good security? Vulnerabilities exposed by poor maintenance: are we responding quickly enough once they are identified, and what is in place to prevent re-occurrence? System privilege abuse: do we practice a good security policy based on the need to know or the requirement to access certain areas of our network? Do we know exactly who our system administrators are? NATO’s dependence upon information technology in every area of its business, brings with it an attendant level of risk in fact the same sort of risk as the rest of the world’s major organizations face. We have either direct or indirect connections to many global networks, and thus face the same global threats. An incident or attack against one part of the Internet, for example in South America, can directly affect our own infrastructure within minutes. And let us not forget that, even though our internal networks are supposedly ‘closed’ and separated from the Internet, documents, messages and other data is being uploaded onto the internal network from external networks at almost every minute of every day. We can assume that cyber terrorism will utilize the processes of cyber attack that we have seen, and probably there are others that we have yet to see. The defenders need to be constantly alert, and ask themselves: How do we know that what we daily observe is not cyber terrorism? Do we ignore the threat of cyber terrorism and simply defend against attack? If we are pro-active, how can we identify the target before the attacker? NATO’s Response The NATO Computer Incident Response Capability (NCIRC) is a new addition to NATO’s InfoSec Services, arising from a security review following the events of 9/11. The review identified risks to critical infrastructure in particular. The 21 Nov 2002 Prague Summit, attended by the leaders of the NATO nations, announced a Cyber Defence Initiative in the final communiqué “to strengthen our capabilities to defend against cyber attacks”. As a result, the NCIRC and NCIRC IDS (Intrusion Detection System) projects were approved. It was decided that an initial operating capability would be established, with a transfer to a full operational capability starting in 2009. It will provide a full 24/7 operation. The NAC has approved NATO’s Cyber Defence Programme. The NCIRC, with the IDS and IOC projects, were seen to be an urgent requirement. The NCIRC and IDS in particular provide a centralized incident detection and response capability, and expertise in computer and network security.
    • 126 P. Everard / NATO and Cyber Terrorism In general, a requirement was identified for cyber attack ‘counter-measures’ based on good technology. The NATO Office of Security identified the threats that exist because of the access to the means of cyber attack that we know the terrorist has. It is also aware that terrorists already utilize the Internet extensively, as a primary tool to support their activities: Terrorists raise funds, spread propaganda and to communicate amongst themselves. It has also long been accepted to be a primary intelligence tool. There are three main areas where further action is recommended: Legislation: Can the Internet be placed under a common legislation? Co-operation: How can national cyber defense capabilities work better together? Setting the Example: What is the role that NATO can play to help defend against world-wide cyber terrorism threats? Cycle of Security The cycle of security that we strive for, based on NATO’s requirement, is as follows: Protect: This involves system hardening measures, full coverage of anti- malware support, and specialist advice to projects. Prevent: Conducting vulnerability assessments, comprehensive vulnerability notification, and training and awareness. Detect: Utilizing IDS and mail content checking. This includes out of hours monitoring of those IDS systems. Respond: Providing a 24/7 incident response capability. Recover: Maintaining a highly responsive on-line or on-site incident recovery support facility. Conclusion: Recognize the Cyber Terrorists The cyber terrorist needs the cyber attack to act, although it may not of itself amount to cyber terrorism. Will we know which attackers are the terrorists? They use the methods of cyber attack to achieve their aims. The motivation for the attack could be: blackmail, destruction, exploitation, or revenge, and knowing the motivation is the key to distinguishing which is a terror attack. The Internet has become such powerful medium that the terrorist is bound to utilize it. ‘Economy of effort’ is one of the principles of war, and the nature of attacks through the Internet is such that the terrorist can continue to perpetrate crimes time and time again, without the requirement for martyrdom or any risk to themselves. The funds required for such activity are minimal. Checks conducted by the NCIRC have confirmed that some cyber attacks are being directed against NATO networks that are connected to the Internet. Although it can be a slow process, with co-operation sometimes proving complicated, we are working together with NATO members’ security teams to identify the extent of this threat and to put in place measures to protect our networks.
    • Responses to Cyber Terrorism 127 Centre of Excellence Defence Against Terrorism, Ankara, Turkey (Ed.) IOS Press, 2008 © 2008 IOS Press. All rights reserved. Analysis of PKK/KONGRA-GEL Websites to Identify Points of Vulnerability Erdoğan ÇELEBİ, Capt. Centre of Excellence – Defence Against Terrorism (COE–DAT), Ankara Abstract. The PKK/KONGRA-GEL terrorist group makes extensive use of the internet, notably for propaganda. The prominent PKK websites are listed in a dataset which shows the way these sites relate to each other with links. An overview of their content is given, then various software and analysis tools, notably Unicet, are used to reveal different aspects of this network of Websites; Centrality Analyses to show prominence and hierarchical structure, Density and Geodesic Distances Analyses, and Connectivity Analyses. Keywords. Terrorism, PKK/KONGRA-GEL, PKK Websites, network analysis 1. Introduction On 12 September 2006, a bomb blast at a children’s park in Diyarbakir, Turkey killing eleven and wounding seventeen people, seven of whom were children. After the incident, a PKK/KONGRA-GEL-linked website published a news story indicating that a new radical group called the Turkish Revenge Brigade took responsibility for the attack. The “new” group called the Turkish Revenge Brigade was portrayed by the PKK/KONGRA-GEL website as retaliating to an incident in which a Turkish soldier had been killed in a clash between Turkish Security Forces and PKK/KONGRA-GEL terrorists. In the story there were also pictures of the bomb’s detonation system, and statements alleging that these pictures were taken from the website of the Turkish Revenge Brigade (TRB), where the TRB’s communiqué of responsibility could allegedly be found. The communiqué was obviously designed to provoke hatred between Kurds and Turks saying that “kill 10 Kurds in Diyarbakir for every Turk killed.” The incident sparked a lot of violent street demonstrations in the southeastern region of Turkey and major cities like Istanbul with the provocations of the PKK/KONGRA-GEL terrorists and their media supporters. When the story was first published on the PKK/KONGRA-GEL website, there was no link to the alleged website in which the communiqué of responsibility was published. One day later, the story was republished with an URL address to the website (http://www.turkintikantugayi.8m.com). However, people who entered this site through
    • 128 E. Çelebi / Analysis of PKK/KONGRA-GEL Websites to Identify Points of Vulnerability the link saw the responsibility communiqué and frog images in the place of IED system photographs, which the PKK/KONGRA-GEL site alleged was taken from turkintikantugayi.8m.com. The reason why frog pictures appeared in the site was that the website did not have enough capacity to store the IED system pictures that were published in the PKK/KONGRA-GEL’s news story. The PKK/KONGRA-GEL terrorist network already had the pictures before the bombing. This was their very deliberate psychological campaign to take the advantage of the incident. However it was prepared very unskillfully. The bombers, story makers, website designers, and the provocateurs all proved to be the same group, which was the PKK/KONGRA-GEL. Investigations later showed that the bomb was a PKK/KONGRA-GEL device that exploded prematurely before it could be planted next to a big police station very close to the children’s park.1 The incident was an illustration of how a modern terrorist group uses the internet. What was the group that killed seven children and attempted to misinform the people using black propaganda to provoke ethnic hatred? What were their aims? It is useful to describe the group in the context of Turkey’s terrorism experiences in its 72 year history. Turkey’s PKK/KONGRA-GEL Problem On August 15, 1984, a small group of Kurdish separatists began to attack Turkish military outposts in the Southeastern region of the country. The separatist terrorist group, which called itself the Kurdish Workers Party, commonly known as PKK/KONGRA-GEL, engaged in a massive terrorism campaign which has resulted in more than 30,000 fatalities, mostly terrorists, civilian ethnically Kurdish citizens, civil servants, security forces and anti-PKK/KONGRA-GEL village guards.2 Abdullah Ocalan, who was born in 1948, founded the terrorist organization PKK/KONGRA-GEL. He studied political science in Ankara University where he became a Maoist. By 1973 he had organized a Maoist group whose goal was socialist revolution in Turkey. After years of indoctrination and recruiting, the PKK/KONGRA- GEL terror network was formally established on 7 November 1978. Since then, PKK/KONGRA-GEL has been using its terrorism campaign to support its political goal of building a Maoist Kurdish state in areas of Turkey, Iran, Iraq and Syria. As a result of the successful military operations against the PKK/KONGRA-GEL and determined behavior of Turkish Government against the countries that supported the organization, the Turkish Special Forces in Nairobi arrested Ocalan after reportedly following a tip-off from American intelligence.3 Although the capture of Ocalan caused the terrorist network to lose support for its armed campaign, the group reorganized itself in the power vacuum areas of northern Iraq and began its intensive terrorist campaign in August 2004.4 1 “PKK appears to be behind deadly blast, say police” Turkish Daily News September 16, 2006 available at http://www.turkishdailynews.com.tr/article.php?enewsid=54200 accessed on 25 October 2006. 2 United States Department of State Office of the Coordinator for Counterterrorism, “Country Reports on Terrorism 2005” April 2006, available at http://www.mipt.org/pdf/Country-Reports-Terrorism-2005.pdf accessed 8 November 2006. 3 Bruce Hoffmann, “Is Europe Soft on Terrorism,” Foreign Policy, Summer 1999, p. 63. 4 Country Reports on Terrorism 2005, p. 224.
    • E. Çelebi / Analysis of PKK/KONGRA-GEL Websites to Identify Points of Vulnerability 129 As with other modern terrorist organizations, the resilience of PKK/KONGRA- GEL comes from the adaptive strategies that the organization implemented through almost thirty years. The first adaptive strategy of PKK/KONGRA-GEL was declaring so-called “unilateral ceasefires” when the Turkish military operations intensified and hurt the infrastructure of the terrorist network. The Turkish authorities for two main reasons have never accepted these announcements. The first reason is that the terrorist network is not a main actor in international arena and can not use terms like “ceasefire,” that connotes some legal status. The second reason is to prevent them from disguising their weakness from their support base in times of inaction, because terrorist systems have to maintain a minimum level of violence in order not to be seen as weak in the eyes of their support base. The last so-called “ceasefire,” or time period between terrorist campaigns, ended in 2004, after it had been declared following the arrest of its ringleader in 1999. 5 At times of inaction, the terrorist organization consolidated its power in the uncontrolled areas of northern Iraq, and resumed its terrorist attacks. The second adaptive strategy of the PKK/KONGRA-GEL terror network is imitating other terrorist organization’s successful tactics. Suicide attacks, hunger strikes in prisons and prison revolts were some the tactics that they adopted from the other revolutionary terrorist organizations. Ocalan urged his terrorists to imitate Hamas in 1996 but the persuasion tactics of the bombers were a little bit different from that of Hamas. Rosemarie Skaine explains PKK/KONGRA-GEL’s tactics: “On October 25, 1996 Turkan Adiyaman [a female terrorist of PKK/KONGRA-GEL], was shot by her own group, [because] she had refused to volunteer for suicide bombing. She was shot in front of Leila Kaplan [another female PKK/KONGRA-GEL terrorist] as an example of the fate that befalls shirkers. Kaplan, who was 17 years old, then performed the bombing.”6 The third adaptive strategy of PKK/KONGRA-GEL terrorist network has been to change its name periodically because different names enable them to escape from the international pressure that puts the network on designated terrorist lists, and second, deceive the international community about its violent side. It attempts to give the impression that the main terrorist group PKK/KONGRA-GEL does not use violence. Since its foundation, the organization has been operating with the names of “PKK/KONGRA-GEL,” “Kongra/GEL,” “KADEK,” “HPG,” “TAK,” “KKK,” and “PJAK (Iranian branch).”7 TAK (Teyrêbazên Azadiya Kurdistan, Kurdistan Freedom Hawks in English), for example, engaged in a bombing campaign in the big cities like Istanbul and recreation centers of coastal Turkey. 8 The first attack of TAK was on August 2004 and this date coincides with the announcement that PKK/KONGRA-GEL would begin its terrorism campaign again after five years of inaction, demonstrating that TAK is a subordinate group of the PKK/KONGRA-GEL terror network directed by the organization’s hierarchical leadership. 5 Lenore G. Martin, “Turkey's Iraq Problem,” Washington Post, September 16, 2006; p. A21. 6 Rosemarie Skaine, Female suicide Bombers, (North Caroline: McFarland Company Inc.), 2006 p. 84. 7 United States Department of State Office of the Coordinator for Counterterrorism, “Country Reports on Terrorism 2005” p.224 April 2006, available at http://www.mipt.org/pdf/Country-Reports-Terrorism- 2005.pdf accessed 8 November 2006. 8 “Turkish resort blast kills five,” BBC news, 16 July 2006, available at http://news.bbc.co.uk/2/hi/europe/4688575.stm accessed on 14 November 2006.
    • 130 E. Çelebi / Analysis of PKK/KONGRA-GEL Websites to Identify Points of Vulnerability The fourth strategy of the terrorist network is its technological adaptation. PKK/KONGRA-GEL is, perhaps, the first terrorist network to have a private satellite TV by which they can mobilize people with extensive propaganda on a 24/7 basis. The Roj TV station, a television station of PKK/KONGRA-GEL, has been banned in the UK and France, but it is still broadcasting from Denmark, despite the Turkish Government’s efforts to stop it.9 2. Motivational Training Through the Net The emphasis on the ideological training in the program demonstrates that their first priority is creating robust, indoctrinated, ideologically devoted terrorists and then giving them operational skills to kill. According to Brandon, Internet connection is available from a few computers through satellite uplinks in the camp.10 Satellite TV is not the only way they can make their propaganda, transmit their messages, mobilize their people and motivationally train and sustain the motivational commitment among members. The Internet is largely used by the PKK/KONGRA-GEL terrorist network for these purposes. As observed by a political science professor at Concordia University, “when Turkish forces arrested Ocalan, Kurds around the world responded with demonstrations within a matter of hours.” He attributed the swift action in part to the Internet and web. “They responded more quickly than governments did to his arrest,”11 The systematic use of internet by PKK/KONGRA-GEL for motivational training will be the main focus in rest of the paper. Below is a list of the most prominent websites of the terrorist organization PKK/KONGRA-GEL-KONGRA-GEL. The explanation of the table is below the table. The table is used as an input for further content and network analysis of the PKK/KONGRA-GEL websites. 2.1. Dataset Table 1. List of PKK/KONGRA-GEL websites 1 Web address Language Links Design 2 http://www.rojaciwan.com Kurdish Turkish 3,4,5,6,7,10,12,15,16,17,19 3 20,22,23,24,25,27,38 3 http://www.pkk.org Turkish Kurdish 4,5,6,7,11,24 3 Farsi English Arabic 4 http://www.hpg-online.com Kurdish Turkish 2,3,5,6,11,26 3 Arabic German 9 Sedat Laciner, “The West and Terrorism: PKK as A Privileged Terrorist Organization,” Turkish Weekly, 14 May 2006, available at http://www.turkishweekly.net/editorial.php?id=29 10 James Brandon, “Mount Qandil: A Safe Haven for Kurdish Militants—Part 1,” Terrorism Monitor, 4, 18 September 2006. 11 Michael Dartnell, quoted in Dorothy Denning, “Activism, Hacktivism and Cyber Terrorism: Internet as a tool for influencing foreign policy,” 2004, p.256, RAND monograph report available at http://www.rand.org/pubs/monograph_reports/MR1382/MR1382.ch8.pdf accessed on 10 November 2006.
    • E. Çelebi / Analysis of PKK/KONGRA-GEL Websites to Identify Points of Vulnerability 131 English 5 http://www.pajk-online.com Turkish 2,3,4,6,7,8,10,14,15,16,17, 3 20,23 6 http://www.kongra-gel.com cannot be reached none none 7 http://www.kurdishinfo.com Turkish Kurdish 2,8,10,11,14,16,17,18,19, 3 English French 20,22,32,33 German 8 http://www.gundemimiz.com Turkish 9 3 9 http://www.cewlik.net Turkish Kurdish none 2 10 http://zaningeh.yxk- Turkish Kurdish 2,8,11,12,13,20 3 online.com German 11 http://www.abdullah- Turkish Kurdish none 3 ocalan.com Farsi Arabic Greek English Russian 12 http://www.rojame.com Turkish 2,3,4,5,6,7,8,10,15,16,17, 3 19,20,22,23,33,34 13 http://www.amigra.org Turkish 8,10,15,16,17,22 2 14 http://www.denge- Kurdish none 3 mezopotamya.com 15 http://www.roj.tv Turkish, Kurdish none 3 16 http://www.azadiyawelat.com Kurdish none 3 17 http://www.firatnews.com Turkish none 3 18 http://www.rojev.com Kurdish none 3 19 http://www.dozame.org English 3,4,5,6,7,8,10,14,15,16,17, 3 20,22,23,32,36,37 20 http://www.yeniozgurpolitika. Turkish none 3 com/ 21 http://www.urmiye.org Turkish Farsi 2,3,4,5,6,7,8,10,11,15,22, 2 Kurdish Finnish 23 Assyrian 22 http://www.diclehaber.com/ Turkish none 3 23 http://www.serxwebun.com Turkish none 1 24 http://www.pjak.com Farsi none 2 25 http://www.emkine.dk Turkish Kurdish 2,3,4,5,6,7,10,17,29,30, 3 26 http://www.gerila-online.net Turkish 2,3,4,5,10,12,15,16,17,24, 3 28 27 http://www.sehid.com Turkish none 3 28 http://www.kon-kurd.org Turkish Kurdish 8,16,18,21 1 English French German 29 http://www.kurder.dk Turkish Danish 25 1
    • 132 E. Çelebi / Analysis of PKK/KONGRA-GEL Websites to Identify Points of Vulnerability 30 http://www.welatparez.com Turkish none 3 31 http://www.kurdlander.com/k Turkish Kurdish 2,8,11,14,1516,17,18,19,22 3 urd English Farsi Finnish 23,25,35 Spanish 32 http://www.freedom-for- English Italian 7,15,34 2 ocalan.com German 33 http://www.flash-bulletin.de Turkish none 2 34 http://www.hernepes.com Kurdish 2,3,4,5,6,78,10,12,15,16,17 3 19,20,23,24,28,38 35 http://www.cmg-team.com Turkish Kurdish none 2 36 http://rastibini.blogspot.com English 3,4,6,7,19,27,33 3 37 http://www.nadir.org German none 1 38 http://www.ciwanenazad.roja Turkish Kurdish none 3 ciwan.com. The first two columns are the URL of the websites with a number attached to it. The third column is the languages in which the websites are published. The fourth column shows the links from this particular row’s URL to the other sites. The fifth column shows the design quality of the websites on a number scale of 1 to 3. For example, the website http://www.gundemimiz.com in the 8th row is being published in Turkish. It contains news sympathetic to the terrorist network and has a hyperlink to http://www.cewlik.net in the 9th row. It is professionally designed, has multimedia content and colorful view, thus it is graded 3 in terms of design quality. 2.2. Content Analysis of PKK/KONGRA-GEL Websites The content of these 37 websites generally include: the history of the organization, biographies of its influential people and its killed terrorists, information on the political aims of the terrorist network, the maps of so-called free Kurdistan, an intensive informative campaign about the Kurdish ethnicity, history, language, and culture. They claim that Kurds are the oldest people of the region, beginning from the Sumerian era, to create and enforce identity based on ethnicity. PKK/KONGRA-GEL websites avoid mention of the organization’s violent record and basically highlight positive issues like freedom of speech, democratization, ecology, and its imprisoned ringleader. They aim at Western audiences who are sensitive to these norms in order to provoke sympathy in democratic societies. The websites exaggerate the casualties of the security forces and hide their losses in order to encourage sympathizers, and make calls to the youngsters not to sign up for the Turkish Armed Forces. The main reason for publishing the sites in eight different languages, especially European languages, is to reach the second or third generation of ethnically Kurdish immigrants in these countries who can not speak either Kurdish or Turkish. Turkish is so popular because it is a common language even for the Kurdish speaking people who
    • E. Çelebi / Analysis of PKK/KONGRA-GEL Websites to Identify Points of Vulnerability 133 do not understand each other due to their dialect differences. Arabic and Farsi are used to reach the Kurdish population living in Syria and Iran. The web site named “pajkonline.com” aims at the women who were mostly used in suicide bombings in the past. Abdullah Ocalan urged his militants to imitate Hamas militants by becoming human bombs in 1996. Female militants have carried out 70% of all the suicide bombings of the organization.12 The tribal (ashiret in Turkish) nature of the social structure in the region and its consequences (low education rates, early age marriages, polygamy, and honor killings) make the young female population very susceptible to ideological exploitation. The socialist ideology, which claims to repudiate any dominant factor in the society including masculine dominancy, is used as an ideological message to attract this vulnerable group of people of the region. Almost every website in the dataset contains a part dedicated to women and the content of these pages is very fanatically feminist to a degree that leads one to conclude from these sites that PKK/KONGRA-GEL is a violent feminist organization. The Iranian branch of the PKK/KONGRA-GEL or PJAK is published only in Farsi and has no out links although it has three in links—one from the youth branch’s web site, one is from PKK/KONGRA-GEL’s own web site, and one from the European branch’s website. Almost every page alleges that the PKK/KONGRA-GEL terrorist network will not accept any solution to the so-called Kurdish issue without their ringleader Abdullah Ocalan. Letters written by the militant terrorists praise him to a degree that one gets the impression that he is supernatural. His writings reinforce this supernaturalism too. He defines his capture as crucifixion, and claims that the alternative ideology that he brings—he names it Ecological Democratic Confederation—is superior to that of Durkheim, Marx and Lenin. Moreover, he makes an analogy between his so-called universal struggle and that of a god from Greek mythology—Prometheus, who took fire from the hearth of the gods by stealth and brought it to men, thus allowing mankind to keep warm. 13 This situation was observed by Clara Beyler who comments on the female suicide bombings of PKK/KONGRA-GEL: “The incentive and justification for suicide attacks were all based on Ocalan’s orders. The leader had such power and influence on the group’s members, that they did not need the pretext of religion, for Ocalan himself reached the status of God in the terrorist network. It was on this god- like leader’s orders that suicide bombings started. It was also on his command that they stopped.”14 The struggle of PKK/KONGRA-GEL seems to transform into a struggle for saving Abdullah Ocalan’s skin rather than allegedly pursuing Kurdish rights. A great majority of the web sites have multimedia content like videos, flash animations, audio, and colorful views. Some sites gives links to popular new trends like Kurdish protest rock music, Kurdish hip hop and interviews with popular bands and singers to attract the youth. One of the web sites of the network secured with the password “cmg-team.com” is dedicated to cyber attacks and encourages the members to learn hacking techniques and provides information about the vulnerabilities of computer operating systems, basic 12 Robert A. Pape, Dying to Win: The Strategic Logic of the Suicide Terrorism (New York: Random House, 2005), p. 208. 13 Abdullah Ocalan, “Defense of Free Mankind” vol. 1 translation from Turkish available at www.abdullah-ocalan.com accessed on 12 July 2006. 14 Clara Beyler, “Messengers of Death: Female Suicide Bombers,” International Policy Institute for Counter-Terrorism, February 12 2003, from http://www.ict.org.il/articles/articledet.cfm?articleid=470
    • 134 E. Çelebi / Analysis of PKK/KONGRA-GEL Websites to Identify Points of Vulnerability knowledge about hacking, computer security, and basic computer programming languages. The website “zaningeh.yxk-online.com” serves as an intellectual base from which the organization issues its strategic assessments about the future of their cause. The website contains assessments of terrorist organizations (especially ETA and IRA), and derives lessons learned from struggle against their governments, which can be used against the Turkish government as well. Critical information, or what the site administrators think is critical information, is not discussed nor allowed to appear in open channels. The message postings are not done instantly. First, messages are evaluated by the site administrators, and then those that are approved are posted on the site. When this author began his research and monitoring of these sites, “sehid.com” in which the organization posts the killed terrorist biographies (almost updated) did not exist. Some users were asking questions about the situations of active members (generally if they are alive or not), especially after clashes between security forces and PKK/KONGRA-GEL. This reveals that some of these sites are administered from the main camps of PKK/KONGRA-GEL. In these situations, site administrators warned the users that they must be aware that the Turkish Intelligence monitors these sites, and the administrators directed their users to instant messaging tools like msn messenger to communicate privately. Some of the websites in the network have shut down by court warrants due to their terrorist content or access to these sites is denied to the users in Turkey. In this situation, the other websites that are still active give instructions about how to view these sites by changing their proxy server and LAN settings or giving direct links to the mirror web pages of banned sites. Content analyses reveal that PKK/KONGRA-GEL terrorist network uses the Internet for communicating with its target audience, be it government, its support base or the international community. Although this author did not find any operational training material in these sites, they carry out a massive motivational training through the content. 3. Network Analysis of Pkk/Kongra-Gel Websites 3.1. Why Social Network Analysis? The Internet has become the main training environment as a result of counter terrorism efforts to destroy the land-based training camps. For further success, it is essential that the web presence of the terrorist networks be eliminated. The elimination strategy must be performed in a systematic way in order to prevent waste of time and workforce. Social network analyses can be utilized to identify which websites are essential for eliminating as a way to disrupt the whole network. Network data are defined by actors and by relations (or "nodes" and "links"). Network analysis focuses on the relations between actors, and not individual actors and their attributes. This means that the actors are usually not sampled independently, as in many other kinds of studies (most typically, surveys). Often network data sets describe the nodes and relations between nodes for a single bounded population. PKK/KONGRA-GEL websites are the study’s bounded population. The websites are
    • E. Çelebi / Analysis of PKK/KONGRA-GEL Websites to Identify Points of Vulnerability 135 the nodes and the hyperlinks between the websites are the links in our study. Because we analyzed the attributes of the nodes in content analyses, our focus in network analyses will be the relations between these websites. Social network analysts use two kinds of tools from mathematics to represent information about patterns of ties among social actors: graphs and matrices. Network analysis uses (primarily) one kind of graphic display that consists of points (or nodes) to represent actors and lines (or links) to represent ties or relations. There are a number of software tools that are available for drawing graphs, and each has certain strengths and limitations. The author used UCINET and NetDraw version 4.14 to draw the map of the PKK/KONGRA-GEL websites. Graphs are very useful ways of presenting information about social networks. However, when there are many actors and/or many kinds of relations, they can become so visually complicated that it is very difficult to see patterns. It is also possible to represent information about social networks in the form of matrices. Representing the information in this way also allows the application of mathematical and computer tools to summarize and find patterns. The UCINET provides these matrices and statistical analyses tools. Statistical analyses are used with the graphs for a better understanding of the PKK/KONGRA-GEL website network. 3.2. Methodology The first step of the study is constructing the dataset of the web sites. Beginning with the organizations designated web site (pkk.org), the author traced the hyperlinks that directed the users to other websites. The same procedure was followed for the each site. Thirty-seven different websites were identified that have links to “pkk.org.” Some impartial links like mainstream media organizations like CNN, AFP or REUTERS or international organizations like Human Rights Watch or Amnesty International were not included in the dataset. The number of hits the web sites took on a daily basis are not included in the analysis because generally sympathizers artificially increase hit numbers by browsing the same sites multiple times. Although the official web page of Kongra-Gel—the same organization but with different name—has a lot of links from the other sites, the link is broken and the page is not currently being published. The same pages that are published with different names are not included in the dataset. From a basic search on a major search engine, one can find hundreds of personal web pages that are sympathetic to PKK/KONGRA-GEL and its cause. These pages also are not included in the dataset. Individual sympathizers also use common video sharing sites like You Tube to post the propaganda videos. These sites have search option with key words. The PKK/KONGRA-GEL propaganda videos usually contains key words like ‘gerilla’, ‘pkk’, ‘Ocalan’, and some popular Kurdish words to attract the sympathizers and misinform the web surfers who have nothing to do with the terrorist network’s cause. The second step is the visual and statistical social network analyses of PKK/KONGRA-GEL linked web pages using network analyses metrics. Instead of analyzing the network according to all the metrics, centrality, density and connectivity degrees are analyzed to identify influential websites and to overview the whole network. The Ucinet® software and analyses tools are used to map the network.
    • 136 E. Çelebi / Analysis of PKK/KONGRA-GEL Websites to Identify Points of Vulnerability 3.3. Centrality Analyses Figure 1. Multi-dimensional scaling graph of the PKK/KONGRA-GEL website network The first visual graph of the PKK/KONGRA-GEL website network is obtained using MDS. MDS is a family of techniques used (in social network analysis) to assign locations to nodes in multi-dimensional space (in the case of the drawing, a 2- dimensional space) such that nodes that are "more similar" are closer together. 15 This similarity is based on the number of ties or connections that the nodes have. The Web Sites located in the center are also the influential sites in the network. If an actor receives many ties, they are often said to be prominent, or to have high prestige. That is, many other actors seek to direct ties to them, and this may indicate their importance. Actors who have unusually high out-degree are actors who are able to exchange with many others, or make many others aware of their views. Actors who display high out- degree centrality are often said to be influential actors. 15 Robert A. Hanneman and Mark Riddle, “Introduction to Social Network Methods” (Riverside, CA: University of California, 2005), available at http://faculty.ucr.edu/~hanneman/nettext/ accessed on 12 November 2006.
    • E. Çelebi / Analysis of PKK/KONGRA-GEL Websites to Identify Points of Vulnerability 137 Figure 2. Principal components graph of the PKK/KONGRA-GEL website network In this graph the sites in the right hand side is more influential ones and can be said to be the hierarchical structure of the PKK/KONGRA-GEL’s websites. Centrality of the websites is important because it identifies the influential websites in the network. In addition, identifying influential websites will give us data to predict the future structure of the larger network. Even our small sample demonstrates the principals of “scale free networks.” In “scale free networks”, although most actors have only a few links to others, a handful of actors (hubs) have enormous amounts of connections.16 The prospective new websites (nodes) are going to create a link to these influential networks to increase their popularity and people will exercise and reinforce bias toward the old influential nodes by observing the increasing incoming links to 16 Albert Laszlo Barabasi and Eric Bonabeau, “Scale Free Networks” Scientific American, May 2003, p. 64.
    • 138 E. Çelebi / Analysis of PKK/KONGRA-GEL Websites to Identify Points of Vulnerability these sites. Albert Laszlo Barabasi and Eric Bonabeau explain this tendency: “As new nodes appear, they tend to connect to the more connected sites, and these popular locations thus acquire more links over time than their less connected neighbors. This “rich gets richer” process will generally favor the early nodes, which are more likely to eventually become hubs.”17 Reliance on the certain hubs in the network seems to be an advantage for PKK/KONGRA-GEL to disseminate its propaganda quickly by means of controlled popular hubs, but also it is the terrorist network’s vulnerability. Taking out these hubs will make rest of the network individual islands that have no connection to the others. The question in terms of counter terrorism agencies is how many of these hubs have to be taken down to crash the whole network. The recent research suggests that, generally speaking, the simultaneous elimination of as few as 5 to 15 percent of all hubs can crash the subsystem and eventually the whole terrorist system. 18 3.4. Density and Geodesic Distances Analyses The density measures of the network are somewhat loose. The density ratios are as follows: • Density (matrix average) = 0.1366 • Standard deviation = 0.3435 These values mean that the network has only 13% of the all possible ties. This stems from a deliberate strategy of PKK/KONGRA-GEL. Some web pages, especially newspapers and the web page of the television channel and news agencies of the terrorist organization, do not have any outer connections to the other main sites of the organization. This situation creates an impression that newspapers and the news agencies that disseminate news to the world are impartial, because, simply, they do not have any links to PKK/KONGRA-GEL sites. The geodesic metrics are useful for describing the minimum distance between actors in the network. The web page network of PKK/KONGRA-GEL has a maximum value of 4 in terms of geodesic distances; any content published in one of the sites can be reached with a maximum of only four clicks on the hyperlinks. This suggests that information may travel pretty quickly in this network. 3.5. Connectivity Analyses Point Connectivity calculates the number of nodes that would have to be removed in order for one actor no longer to be able to reach another. If there are many different pathways that connect two actors, they have high "connectivity" in the sense that there are multiple ways for a signal to reach from one to the other. The website network of PKK/KONGRA-GEL is very robust in terms of point connectivity. The most influential sites have higher point connectivity which makes it difficult to deny internet users the ability to reach these influential sites. The sites that have the highest connectivity are rojaciwan.com (10), rojame.com (10), dozame.org (10), gerilla- online.net (10), hernepes.com (10), urmiye.org (10), and pajk.com (9) respectively. 17 Barabasi and Bonabeau, p. 65. 18 Ibid. p.66.
    • E. Çelebi / Analysis of PKK/KONGRA-GEL Websites to Identify Points of Vulnerability 139 Figure 3. Circular layout graph of the PKK/KONGRA-GEL website network The circular layout graph is a good illustration of a network’s closed nature in systems terms. This can be observed from the centrality degree values of the network. The network has 18 zero out-degree values as opposed to only one zero in in-degree values which is the indicator of the closed nature of the network to its environment. Only one website, “flash-bulletin.de” has links to the outer world that has different view other than that of the organization. This web site has links to the mainstream news media like CNN and AFP. When you enter the network the links directs you to the news that PKK/KONGRA-GEL wants you to read, the music that PKK/KONGRA- GEL wants you to listen, the images that PKK/KONGRA-GEL wants you to view. The only different point of view comes from welatparez.com which has the same cause, that is, to build a free Kurdistan including Turkish territory publishing from Denmark, but criticizes the internal affairs of the organization. The propaganda made in the network of the websites of the PKK/KONGRA-GEL is enough to demonize Turkey and the Turks and to create a sense of us versus them on an ethnic-nationalist basis. 4. Conclusion The content and the network analyses of the PKK/KONGRA-GEL linked websites is a good illustration of how modern terrorist systems use technology to their own benefit.
    • 140 E. Çelebi / Analysis of PKK/KONGRA-GEL Websites to Identify Points of Vulnerability According to Gabriel Weimann there were 4,300 terrorist websites on the Net in 2005 and probably more than that today.19 They use the Net basically as a communication tool, among various other purposes. The Internet is not only a platform for the likeminded terrorists to meet and communicate, but also a weapon to attack basic information structures of their superior enemies on the Net. The Website network of PKK/KONGRA-GEL is designed in such a way that when a neutral internet surfer enters the network, he or she is indoctrinated according to PKK/KONGRA-GEL’s ideology and looks at the world from the terrorists’ perspective. The network is robust in terms of inter-connectivity but vulnerable to coordinated attacks as are all the “small world” networks. 20 In order to disrupt the whole network of terrorist websites the most influential sites (hubs) that almost all the information radiates from must be given priority. Eliminating these hubs will leave the other nodes as individual islands which are not so influential. The loosely controlled nature of Net provides new opportunities for terrorist organizations. The differences between countries about defining terrorism make the situation more complicated to act in concert against terrorism. Terrorist organizations, no matter what their ideological bases, are exploiting this situation and using Net as new safe haven for their various activities. References Aktan, Gunduz and Ali Koknar, in Combating Terrorism: Strategies of Ten Countries ed. Yonah Alexander (New Delhi: Manas, 2005) Barabasi Albert Laszlo and Eric Bonabeau, “Scale Free Networks” Scientific American, May 2003 Beyler, Clara “Messengers of Death: Female Suicide Bombers, International Policy Institute for Counter- Terrorism, February 12 2003, from http://www.ict.org.il/articles/articledet.cfm?articleid=470 Brandon, James “Mount Qandil: A Safe Haven for Kurdish Militants – Part 1”, Terrorism Monitor, 4, 18 September 2006 Denning, Dorothy “‘Activism, Hacktivism, and Cyberterrorism: The Internet as a Tool for Influencing Foreign Policy available at http://www.rand.org/pubs/monograph_reports/MR1382/MR1382.ch8.pdf reached 10 October 2006 Hanneman Robert A. and Mark Riddle, “Introduction to Social Network Methods” ( Riverside, CA: University of California, 2005), available at http://faculty.ucr.edu/~hanneman/nettext/ accessed on 12 November 2006 Hoffmann, Bruce “Is Europe Soft on Terrorism”, Foreign Policy, Summer 1999, Laciner, Sedat “The West and Terrorism: PKK as A Privileged Terrorist Organization”, Turkish Weekly, 14 May 2006 available at http://www.turkishweekly.net/editorial.php?id=29 Martin, Lenore G. “Turkey's Iraq Problem”, Washington Post, September 16, 2006; p. A21 PKK appears to be behind deadly blast, say police, Turkish Daily News September 16, 2006 available at http://www.turkishdailynews.com.tr/article.php?enewsid=54200 accessed on 25 October 2006 Pape, Robert A., Dying to Win: Thee Strategic Logic of Suicide Terrorism, (New York: Random House, 2005), Skaine Rosemarie, Female suicide Bombers, (North Caroline: McFarland Company Inc.), 2006 Turkish resort blast kills five”, BBC news, 16 July 2006, available at http://news.bbc.co.uk/2/hi/europe/4688575.stm accessed on 14 November 2006 United States Department of State Office of the Coordinator for Counterterrorism, “Country Reports on Terrorism 2005” April 2006, available at http://www.mipt.org/pdf/Country-Reports-Terrorism- 2005.pdf accessed 8 November 2006 19 Gabriel Weimann, p. 5. 20 Barabasi and Bonabeau, p.65.
    • E. Çelebi / Analysis of PKK/KONGRA-GEL Websites to Identify Points of Vulnerability 141 Virginia Anderson and Lauren Johnson, Systems Thinking Basics, (Massachusetts: Pegasus Communications Inc., 1997) Weimann, Gabriel, Terror on the Internet: The New Arena, the New Challenges (Washington, D.C.: U.S.Institute of Peace, 2006)
    • 142 Responses to Cyber Terrorism Centre of Excellence Defence Against Terrorism, Ankara, Turkey (Ed.) IOS Press, 2008 © 2008 IOS Press. All rights reserved. Summary of the Working Group Discussions Osman AYTAÇ, Col., ARW Director COE–DAT, Ankara, Turkey Abstract. The following is a compilation of the answers which emerged from the Working Groups. Participants were asked to consider the aims and targets of cyber terrorists, and measures to disrupt terrorist use of the Internet, to respond to cyber attacks, and to defend against cyber terrorism. Keywords. Cyber terrorism, Internet, cyber security The focus of the Advanced Research Workshop was on ‘responses’, in recognition of the fact that it is vital that experts, with the support of governments and international organizations, to meet to agree on priorities and methods, and then to implement a common strategy. The Working Groups that met at the end of each day’s presentations give us an impression of what form these expert discussions might take. The groups addressed six questions, and following tables compile the responses given: Question: What are the aims and targets of cyber terrorists? 1.1 Aims 1.1.1 Demonstrate the inability of governments to protect their populations 1.1.2 Show, or make people feel, that anyone without exception could be a target 1.1.3 Overload a government: Internet increases the leverage of terrorists 1.2 Targets 1.2.1 Individuals: Via the Internet, important figures (politians, etc.) can be targeted with: Threats against person and family Change information in databases, for example medical records Internet theft, clearing out his/her bank account, etc. 1.2.2 Banks, stock exchanges. For attacks on large organizations and populations, bot-nets can arguably be considered a military tool 1.2.3 Governments: Attacks might be on government mail servers, information systems, services, etc.
    • O. Aytaç / Summary of the Working Group Discussions 143 1.2.4 Whole populations: Spam messages might carry the terrorists’ threats into people’s homes 1.2.5 Whole populations: Widely-used systems like traffic lights, rail signalling, etc. 1.2.6 Communication networks 1.2.7 Electricity and power supply 1.2.8 Chemical facilities It was noted that at present terrorists appear have not mastered the technology necessary for launching large scale cyber attacks. However, the services of some ‘techies’ are available for hire on the internet. Notably, bot-masters offer to hire out their networks, which can be used for Distributed Denial of Service attacks. Furthermore, it is probably only a matter of time before a new generation of terrorists embraces cyber terrorism. Question: What measures might disrupt terrorist use of the Internet? 2.1 ‘Noise’. Peaceful interference in a chat-room 2.2 ‘Hack back’ with: Counter-propaganda, for example by placing links to websites offering a different message Changing formulas and recipes in training manuals Sowing distrust with false messages 2.3 Exploit observed vulnerabilities experienced by the terrorist groups, for example concerning challenges to authority 2.4 ‘Active defence’ (imposing a penalty on the attacker). Methods exist to put costs on the perpetrator of an attack 2.5 Censorship. Efforts to censor the Internet are unlikely to succeed, however 2.6 Search engine ban. Cooperation with google, yahoo, etc. Considerable doubts were expressed by participants concerning intervening in these ways to disrupt terrorist use of the Internet. There are problems of legality, and it would be difficult to create a system of warrants. The probability of making mistakes would be high, and mistakes could easily have violent consequences. Problems might be created at an international level. Some participants felt that, if such covert attacks are to be launched, they should be made mainly be volunteers and the private sector, and ‘governments would take a back seat’. Question: What measures might be taken to deal with cyber attacks? 3.1 Within government departments and other organizations use different, not off-the-peg, software 3.2 Air-gap 3.3 Emergency response systems in place, including international mechanisms 3.4 SCADA systems must be made more secure. Security “a factor to be considered over the
    • 144 O. Aytaç / Summary of the Working Group Discussions entire life cycle of any system that is part of the CII.” 3.5 Countries must build cadres of capable defenders, including national-level CSIRTs (Computer Security Incident Response Teams). 3.6 The existing Cyber Crime Response Unit to be expanded works 24/7 first among the G-8 countries now approximately 35 countries, but more are needed widen the scope (add cyber terrorism) 3.7 International body under UN auspices Question: What security measures might protect against cyber terrorism? 4.1 Consequence Management Systems, involving: 4.1.1 Band width availability (coordinate approach with ISPs) 4.1.2 Off-site back-ups 4.1.3 Systems in place to ensure international cooperation 4.1.4 Rapid response to re-build connections 4.1.5 Intrusion detection systems 4.2 Increasing awareness and education (basic security measures like using passwords, regularly changing them) 4.3 Encouragement of techno-diversity (everybody uses Microsoft) 4.4 Develop more usable security 4.5 Defeat anonymity with electronic signatures. This is technically possible, but there are ways to avoid detection. It was generally agreed that anonymity is difficult to fight 4.6 ‘Neighbourhood Watch’ schemes to monitor terrorist websites We were reminded that one hundred years ago there were no civil aviation conventions, but new technology was followed by effective international legislation and control. The same could be done to protect cyberspace.
    • Responses to Cyber Terrorism 145 Centre of Excellence Defence Against Terrorism, Ankara, Turkey (Ed.) IOS Press, 2008 © 2008 IOS Press. All rights reserved. Author Index Aytaç, O. vii, 142 Oorn, R. 89 Brunst, P.W. 34 Özeren, S. 70 Çelebi, E. 127 Shahar, Y. 104 Cridland, C. 1 Tikk, E. 89 Everard, P. 118 von Knop, K. 8 Goodman, S.E. 24 Weimann, G. 61
    • This page intentionally left blank
    • This page intentionally left blank
    • This page intentionally left blank