- Home
- Jared Cohen
The New Digital Age Page 21
The New Digital Age Read online
Page 21
Neither WikiLeaks nor groups like Anonymous are terrorist organizations, although some might claim that hackers who engage in activities like stealing and publishing personal and classified information online might as well be. The information released on WikiLeaks put lives at risk and inflicted serious diplomatic damage.3 And that’s the point: Whatever lines existed between the harmless hackers and the dangerous ones (or between hackers and cyber terrorists, for that matter) have become increasingly blurred in the post-9/11 era. Decentralized collectives like Anonymous demonstrate clearly that a collection of determined people who don’t know each other, and without having met in person, can organize themselves and have a real impact in virtual space. In fact, no critical mass is necessary—an individual with technical prowess (computer-engineering skill, for example) can commandeer thousands of machines to do his bidding. What will happen in the future when there are more of these groups? Will they all fight on the side of free speech? Recent examples suggest we should begin preparing for other possibilities.
In 2011, the world met a twenty-one-year-old Iranian software engineer, apparently working in Tehran, who called himself Comodohacker. He was unusual compared to other hacktivists, who generally combat government control over the Internet, because as he told The New York Times via e-mail, he believed his country “should have control over Google, Skype, Yahoo!, etc.” He made it clear that he was intentionally working to thwart antigovernment dissidents within Iran. “I’m breaking all encryption algorithms,” he said, “and giving power to my country to control all of them.”
Boasting aside, Comodohacker was able to forge more than five hundred Internet security certificates, which allowed him to thwart “trusted website” verification and elicit confidential or personal information from unwitting targets. It was estimated that his efforts compromised the communications of as many as three hundred thousand unsuspecting Iranians over the course of the summer. He targeted companies whose products were known to be used by dissident Iranians (Google and Skype), or those with special symbolic significance. He said he attacked a Dutch company, DigiNotar, because Dutch peacekeepers failed to protect Bosnian Muslims in Srebrenica in 1995.
Just months after Comodohacker’s high-profile campaign, another ideological hacktivist from the Middle East emerged. He called himself OxOmar, claimed to live in Riyadh, Saudi Arabia, and declared that he was “one of the strongest haters of Israel” who would “finish Israel electronically.” In January 2012, he hacked into a well-known Israeli sports website and redirected visitors to a site where they could download a file that contained four hundred thousand credit-card numbers (most of these were duplicates, and the total number of compromised cardholders was closer to 20,000). He claimed to represent a group of Wahhabi hackers, Group-XP, who wrote in a statement, “It will be so fun to see 400,000 Israelis stand in line outside banks and offices of credit card companies … [and] see that Israeli cards are not accepted around the world, like Nigerian cards.” Weeks later, when the websites of Israel’s El Al Airlines and its stock exchange were brought down with DoS attacks, OxOmar told a reporter that he had teamed up with a pro-Palestinian hacker group called Nightmare and that the attacks would be reduced if Israel apologized for its “genocide” against Palestinians. Israel’s deputy minister of foreign affairs, Danny Ayalon, said he considered it a “badge of honor that I have been personally targeted by cyber-terrorists.” He later confirmed the attacks on his Facebook page but added that hackers “will not silence us on the Internet or in any forum.” Was Comodohacker really a young Iranian engineer? Did OxOmar really coordinate with another group to launch his attacks? Were these hackers individuals, or actually groups? Could either or both of these figures just be constructs of states looking to project their digital power? Any number of scenarios could be true, and therein lies the challenge of cyber terrorism in the future. Because it is very difficult to confirm the origins of cyber attacks, the target’s ability to respond appropriately is compromised, regardless of who claims responsibility. This obfuscation adds a whole new dimension to misinformation campaigns, and no doubt states and individuals alike will take advantage of it. In the future, it will be harder to know who or what we are dealing with.
Sudden access to technology does not in and of itself enable radicalized individuals to become cyber terrorists. There is a technical skills barrier that, to date, has forestalled an explosion of terrorist-hackers. But we anticipate that this barrier will become less significant as the spread of connectivity and low-cost devices reaches remote places like the Afghanistan-Pakistan border region, the African Sahel and Latin America’s tri-border area (Paraguay, Argentina and Brazil). Hackers in developed countries are typically self-taught, and because we can assume that the distribution of young people with technical aptitude is equivalent everywhere, this means that with time and connectivity, potential hackers will acquire the necessary information to hone their skills. One outcome will be an emergent class of virtual soldiers ripe for recruitment.
Whereas today we hear of middle-class Muslims living in Europe going to Afghanistan for terror-camp training, we may see the reverse in the future. Afghans and Pakistanis will go to Europe to learn how to be cyber terrorists. Unlike training camps with rifle ranges, monkey bars and obstacle courses, engineering boot camps could be as nondescript as a few rooms with some laptops, run by a set of technically skilled and disaffected graduate students in London or Paris. Terrorist training camps today can often be identified by satellite; cyber boot camps would be indistinguishable from Internet cafés.
Terrorist groups and governments alike will try to recruit engineers and hackers to fight for their side. Recognizing how a cadre of technically skilled strategists enhances their destructive capacity, they will increasingly target engineers, students, programmers and computer scientists at universities and companies, building out the next generation of cyber jihadists. It is hard to persuade someone to become a terrorist, given the physical and legal consequences, so surely ideology, money and blackmail will continue to play a large role in the recruitment process. Unlike governments, terrorist groups can play the antiestablishment card, which may strengthen their case among some young and disaffected hacker types. Of course, the decision to become a cyber terrorist is almost always less consequential to one’s personal health than signing up for suicide martyrdom.
Culture will play an important role in where these pockets of cyber terrorism develop in the world. Deeply religious populations with distinct radicalized elements have traditionally been the most fertile ground for terrorist recruitment, and that will hold true for cyber-terrorist recruitment as well, especially as the largely disconnected parts of the world come online. To a large extent, the web experience of users is highly determined by their existing networks and immediate environment. We do not expect radical social change simply from the advent of connectivity. What we’ll see instead are more communication channels, more participation and more rogue identities developing online.
And, of course, there are state sponsors of terrorism who will seek to conduct untraceable attacks. Today, Iran is one of the world’s most notorious sponsors of terror groups, funneling weapons, money and supplies to groups like Hezbollah, Hamas, Palestinian Islamic Jihad, the al-Aqsa Martyrs Brigades and various militant groups in Iraq. But as cyber-terrorist efforts begin to look more fruitful, Iran will work to develop the virtual capacity of its proxies in equal measure. This means sending computer and network equipment, security packages and relevant software, but it also could mean in-person training. Iran’s technical universities may well begin hosting Lebanese Shia programmers with the specific aim of integrating them into Hezbollah’s emergent cyber army. Perhaps they will send them the most expensive encryption tools and hardware. Or Iran could fund technical madrassas in Hezbollah strongholds like Dahieh, Baalbek and the south of Lebanon, creating incubators where promising engineers are trained to launch cyber attacks against Israel. Perhaps instead of giving cash to Shia
businessmen in Brazil to start businesses (a known tactic of the Iranian government), the regime will provide them with tablets and mobile devices carrying specialized software.
But any regime or terrorist group that recruits these hackers will assume a certain risk. While not all recruits will be young, a decent percentage will be, and not just for demographic reasons: Social scientists have long believed that certain developmental factors make young people uniquely susceptible to radicalization. (There is considerable discussion about what, precisely, those factors are, however; some believe it has to do with brain chemistry, while others argue that sociological elements in society are the driving cause.) So not only will recruiters be faced with organizing hackers, who thus far have shown a distinct resistance to formal organization, but they’ll also have to deal with teenagers. As we’ll discuss below, participation in a virtual-terrorism network will require inordinate discipline, not the trait most frequently associated with teenagers. Most young people are attracted to and tempted by the same things—attention, adventure, affirmation, belonging and status. Yet one mistake, or one casual boast online from a teenager hacker (or someone he knows), could unravel his entire terrorist network.
Just as counterterrorism operations today depend on intelligence sharing and military cooperation—such as that between the United States and its allies in South Asia—in the future, that bilateral support will necessarily include a virtual component. Given that many of the most radicalized countries will be among the latest arrivals to the Internet, they will need foreign support to learn how to track down terrorists online and how to use the tools newly available to them. Today, large contractors make a fortune benefiting from foreign military assistance; as bilateral efforts increasingly come to include cyber-security elements, a range of new and established computer-security firms will benefit accordingly.
Military policies too will change in response to the threat cyber terrorists pose. Today, most of the terrorists the military chases down are in failed states or ungoverned regions. In the future, these physical safe havens will also be connected, allowing terrorists to engage in nefarious virtual acts without any fear of law enforcement. When intelligence reveals known cyber terrorists planning something dangerous, extreme measures like drone strikes will come under consideration.
Western governments will try to attract skilled hackers to their side as well. In fact, hackers and government agencies in the United States work together already, at least in matters of cybersecurity. For years, agencies like the Pentagon’s Defense Advanced Research Projects Agency (DARPA) and the National Security Agency (NSA) have recruited talented individuals at venues like the computer-security conference series Black Hat and the hacker convention Def Con. In 2011, DARPA announced a new program called Cyber Fast Track (CFT), created by a former hacker turned DARPA project manager, which aimed to accelerate and streamline the cooperation between these communities. Through CFT, DARPA began awarding short-term contracts to individuals and small companies to focus on targeted network-security projects. This initiative was distinguished by its focus on smaller players and lone actors rather than big companies, and its ability to green-light grants quickly. DARPA approved eight contracts in the first two months of the program—in other words, at lightning speed compared with the normal pace of government contracting. This process allowed groups with considerable skill who would otherwise not work with or for the government to contribute to the important work of improving cybersecurity, easily and in a time frame that reflects the immediate nature of the work. CFT was part of a shift in the agency toward “democratized, crowd-sourced innovation” championed by Regina Dugan.
We asked Dugan about the motivation behind this unconventional approach to problem-solving—after all, inviting hackers into the tent to handle sensitive security matters raises more than a few eyebrows. “There is a sense among many that hackers and Anonymous are just evildoers,” she said. “What we recognized and tried to get others to embrace was that ‘hacker’ is a description of a talent set. Those who were declared (self-declared or otherwise) ‘hackers’ had something rather significant to contribute to the issue of cybersecurity, with respect to how they approach problems, the timelines on which they approach problems and their ability to execute and challenge.” The success of Cyber Fast Track, she added, was a signal of the viability of that model. “I don’t think that should be the only model we use,” she said, “but it should absolutely be part of our approach.”
More outreach to hackers and other independent computer experts should be a priority in the coming years, and we expect that Western governments will continue to try to include them, either overtly, through programs like CFT, or covertly, through the channels of intelligence agencies. Governments will push hard to acquire virtual counterparts in foreign countries to complement their undercover operators and assets active in the physical world, recruiting hackers and other technically savvy individuals to become sources and dealing with them remotely over secure online channels. There are implicit challenges associated with virtual assets, however. Despite their usefulness, there would be an absence of in-person interactions, which intelligence operatives have relied on for centuries to determine the credibility of a source. A video chat is hardly the same thing, so agencies will have to figure out how they can vet new participants effectively. Trusting virtual assets may in fact be harder than turning them.
The Terrorists’ Achilles’ Heel
Terrorists in the future will find that technology is necessary but high-risk. The death of Osama bin Laden, in 2011, effectively ended the era of the cave-dwelling terrorist isolated from the modern technological ecosystem. For at least five years, bin Laden hid in his mansion in Abbottabad, Pakistan, without access to the Internet or mobile phones. He had to stay off-line to stay safe. This drastically reduced his reach and influence through an al-Qaeda network that relied, at least in part, on connectivity to operate. Ironically, it was his lack of Internet access in a large urban home that helped identify him, once his courier pointed intelligence operatives in the right direction.
And while bin Laden may have evaded capture by staying off-line, even he used flash drives, hard drives and DVDs to stay informed. These tools enabled him to keep track of al-Qaeda’s operations internationally and provided an efficient way for his couriers to move large amounts of data between him and various terror cells elsewhere. As long as he was at large, the information on these devices was secure, impossible to access. But when Navy SEAL Team Six raided his home, they seized his devices, getting not just the world’s most wanted man but also critical information about everyone he had been in contact with.
The more likely terrorist scenario continuing into the new digital age will resemble the Mumbai attacks in 2008, when ten masked men held the city hostage in a three-day siege in which 174 people were killed and more than 300 wounded. The gunmen relied on basic consumer technologies—BlackBerrys, Google Earth and VoIP—to coordinate and conduct the attacks, communicating at a command center in Pakistan with leaders who watched live coverage of the events on satellite television and monitored the news to provide real-time tactical direction. Technology made these attacks much more deadly than they could have been otherwise, but once the last (and only surviving) gunman was captured, the information he and, critically, the leftover devices of his comrades, provided allowed investigators to follow an electronic trail to significant people and places in Pakistan that might not have otherwise been known for months, if ever.
The silver lining of cyber terrorism is that, in almost every way, its practitioners will have less room for error. Most of us have no reason to think about how differently we might interact with technology if our freedom or lives depended on erasing the tracks we leave when we go online. Cyber terrorists possess an unusually high technical awareness, but what about their friends? What about the relatives they correspond with? It is unrealistic to expect perfectly disciplined behavior from every terrorist online. Consider the nonterrori
st example of John McAfee, the millionaire antivirus software pioneer who became an international fugitive after fleeing from the authorities who wanted to question him in connection with the murder of his neighbor in his adopted home country, Belize. After inviting journalists from Vice, an online magazine, to interview him at his secret hideout, McAfee posed for a picture with Vice’s editor in chief, taken with an iPhone 4S. What he—and his Vice interviewer—didn’t know was that publishing that photo also gave away McAfee’s location, since many smart phones (including the iPhone 4S) embed metadata about GPS coordinates into camera shots. All it took was one Twitter user to notice the metadata and suddenly the authorities, and the world, knew McAfee was in Guatemala, near a swimming pool at the Ranchon Mary restaurant. Vice should have known better (we’ve known about location metadata for years), but as smart phones become ever more complicated, the number of small details to keep track of compounds.
As social, professional and personal lives move increasingly to cyberspace, the interconnectedness of all digital activity increases dramatically. Computers are very good at recognizing patterns and solving needle-in-the-haystack problems, so with more data, computer algorithms can compute more precise predictions and correlations—faster and with more accuracy than any human could. Imagine a Moroccan extremist in France who has done everything possible to anonymize his smart phone from its mobile network. He has turned off geo-location, opted out of all data sharing and removes his SIM card periodically in case anyone tries to track it. He has even adopted the habit of taking the battery out of his phone as a final safeguard, knowing that when a phone is turned off, a battery retains the power to send and receive signals. His phone number is simply one of thousands, impossible to pinpoint or link to him or his location. Yet law enforcement knows he has a fondness for betting on horse races, and they know there are four off-track betting locations in his town. Using that data, they can narrow down the potential pool of numbers from thousands to the hundred or so that frequent those places. And let’s say a few of his known acquaintances are not as careful with their data tracks as he is; law enforcement can then cross-reference that off-track-betting pool with the various locations of his friends. That could be all they need to do to identify his number. This type of big-data investigation was once unthinkable, but it’s easy today—yet another example of humans and computers splitting duties according to their strengths. Off-line or online, our activities (and those of our friends, families and our demographic) provide intelligent computer systems with more than enough information to identify us.