On 4–5 October 2007 the Centre of Excellence – Defence Against Terrorism (COE–DAT) organized an Advanced Research Workshop (ARW) on the topic “Responses to Cyber Terrorism”. The venue was the Merkez Ordu Evi (Central Officers' Club) in Ankara. This was one of numerous workshops that have been organized each year by COE–DAT, after the Centre was opened in Ankara in 2005. It is the only Centre of Excellence dedicated to supporting NATO on defence issues related to terrorism. Turkey is the framework nation, although at present six other nations also contribute with staff and funds. Through courses, workshops, and academic publications, the aim is to bring western academic rigour and Turkish experience and expertise in terrorism to NATO members, Partnership for Peace (PfP), Mediterranean Dialogue countries, Non-Triple Nations, and others.
One issue touched on repeatedly by the participants at the “Responses to Cyber Terrorism” ARW was the difficulty of arriving at a definition of this kind of terrorism. A NATO Office of Security document cautiously defines it as “a cyber attack using or exploiting computer or communication networks to cause sufficient destruction or disruption to generate fear or to intimidate a society into an ideological goal.”
Cited from Lt. Paul Everard's chapter on “NATO and Cyber Terrorism”.
But the cyber world is surely remote from what we recognize as terrorism: the bloody attacks and ethnic conflicts, or, more precisely, the politically-motivated “intention to cause death or serious bodily harm to civilians or non-combatants with the purpose of intimidating a population or compelling a government …” (UN report, Freedom from Fear, 2005).
It is hard to think of one instance when computer code has physically harmed anyone. Yet a number of our speakers, in particular Prof. Goodman and Lt. Paul Everard, showed that we should be preparing for just such events, potentially on a huge scale. Here we are talking about attacks on critical infrastructure, in particular on SCADA (Supervisory Control and Data Acquisition) systems which control physical processes in places like chemical factories, dams, and power stations.
Focus on Solutions
At the planning stage of the ARW it was agreed that the workshop would bring together people from a range of disciplines, from information technology researchers and lawyers, to terrorism and security experts. The title “Responses to Cyber Terrorism” was chosen in order to put the onus on the discussion of practical solutions, and in some respects the meetings of the Working Groups were as important for achieving the goals of the ARW as were the plenary sessions (see the last chapter on the “Account of the Working Group Discussions”). Accordingly, the speakers all gave time in their presentations to the issue of ‘responding’ to terrorism in cyberspace.
Overview of the Workshop Papers
In the introductory, first chapter of the ARW (see the chapter on “The History of the Internet”), Clare Cridland notes that the Internet was originally developed in the U.S. for military purposes. With ARPANET, the Defense Advanced Research Projects Agency (DARPA) created a network for sending packets of information with no central hub, so that communications could be more resilient during a devastating war. The idea of security was, therefore, part of the original idea of the internet.
However, an entirely different ethos took over after the US Department of Defense relinquished the project to the burgeoning computer and software companies in the 1990s. The architects of the worldwide network saw it, and wrote of it, in terms of the centuries-old struggle for freedom of thought and expression. Clare Cridland's description of the internet also evokes this theme: “New media in the early 21st century is a participatory, user-driven information environment, far from the linear platform of the mass media that delivered information through a ‘gatekeeper’ to a passive mass audience. These outlets …were capital intensive and …somewhat privileged. In contrast, new media, driven by technological change in telecommunications, has undermined this sphere of knowledge ownership …However, we've been here before. ‘Counter-culture’ always used ‘grassroots media’ (folk songs, posters, leaflets, public meetings) rather than the more traditional mass media of radio and television to message audiences.”
Contrast this triumph of the common people, then, with the altogether more pessimistic comments on the freedoms the internet offers by Prof. Seymour Goodman in the third paper of the ARW (see his chapter “Critical Information Infrastructure Protection”). Prof. Goodman is the chairperson of the Committee on Improving Cyber Security Research at the National Research Council, advising the U.S. Congress. Much of what the professor had to say, and this was reflected also in the Working Groups of the ARW, had to do with the vulnerabilities in the globalized net to abuse by terrorists, and the need for CIIP (Critical Information Infrastructure Protection).
It is clear that the “current technology asymmetrically favours the attacker, and provides them with great non-linear leverage. The attackers can put their innovations into practice more quickly and effectively than the defenders.” However, when much of the network is outsourced, or owned by companies in a variety of countries, defence is left to the end user. As Seymour Goodman writes, “most of the 200-plus connected countries have little or no national cyber security capabilities.” The users are often unaware of the seriousness of the risk. Frequently networks controlling important infrastructure are not ‘air-gapped’, or separated, carefully enough from the worldwide internet. If one employee's computer is not air-gapped, perhaps due to negligence, this is enough to create the route for a determined and skilled attacker to gain entry to the whole system.
Professor Goodman's chapter in this book also contains a wide range of recommendations for national and international action. He begins with general measures, which would be equally relevant to protection against accidents, disasters, crime, or forms of conflict other than terrorism. Emergency response systems, including ones with an international dimension, must be in place; SCADA systems must be made more secure, with security as “a factor to be considered over the entire life cycle of any system that is part of the CII”; and countries “must build cadres of capable defenders” including national-level CSIRTs (Computer Security Incident Response Teams).
On the issue of legal measures against cyber terrorism, Seymour Goodman mentions the need for international conventions, as well as effective national laws. The conventions would relate to three areas: crime and punishment, infrastructure protection, and arms control. In each case he gives examples already in place which could guide developments in combating cyber terrorism. Among these, the agreements on civil aviation are the best model for developing a similar legal and institutional framework for CIIP. However, it will be difficult to gain acceptance for a CIIP convention, especially as every country would have to sign up, otherwise measures protecting the network could simply be by-passed. Such a convention could be under the umbrella of the UN, and it would involve the creation of an organization to build and certify national capabilities.
Phillip Brunst's paper (see the chapter “Use of the Internet by Terrorists”) is a highly analytical overview of the subject. This kind of paper is valuable for those considering an appropriate legislative approach to combating terrorists' use of cyberspace. The overview covers both of the distinct aspects which emerged at the ARW: cyber terrorism proper, and the issue of terrorist use of the internet for communication, propaganda, researching targets, etc.
After discussing the advantages of cyber attacks for the terrorist (anonymity, low cost, etc.), types of cyber attack are analyzed. In general, attacks on IT systems may take the following three forms: (1) Hacking attacks on individual systems, (2) Denial of Service (DoS) attacks, usually by bombarding a computer with messages so that it cannot process anything else, and (3) ‘hybrid attacks’ which combine one or both of the above with a conventional terrorist attack like a bombing.
(1) Hacking can be further analyzed into three types. The hacker can shut down a computer, although here the administrator can usually recognize the problem and restore the system rapidly. There are also so-called ‘defacements’, which alter the information on the victim computer. Typically these are easily recognized, especially if a hacker places a notice saying “you have been hacked by …”. Potentially more disruptive are defacements which subtly change figures or other information. Thirdly, there is the possibility of introducing ‘Trojan horse’ programmes. These are silent operations, and aim to pass undetected by virus scanners. They gather data from the target computer (typically bank details in cyber crime) and relay it to the hacker.
(2) Distributed Denial of Service (DDoS) attacks are an effective way of putting computers out of action for a period of time. DoS attacks bombard a computer with vast numbers of messages, occupying all its processing capability. ‘Distributed’ attacks make use of worldwide networks of computers (so-called ‘bot-nets’, from their use of ‘robot’ software) infected with a virus which allows them to be ‘zombies’ controlled by a ‘bot-master’. These viruses have become very common. Terrorists would not have to control such systems. The services of a bot-net, typically used for mass mailings, can be hired for prices ranging between 150–400 US dollars per day.
(3) Hybrid attacks combine one or both of the above with a conventional terrorist attack. For example, a terrorist group might combine a bombing with a DoS attack to hamper the work of the emergency services.
Terrorists might also target the physical hardware of IT communications, like the ‘bundles’ of cables, or the so-called ‘peering points’.
All the above types of attack would harm IT data and lead to economic losses. A more fatal kind of cyber attack is now discussed in security circles, namely attacks on the newly-developed SCADA systems, which usually run on well-known operating systems like Windows. Many companies now use SCADA systems to monitor and control production or supply processes. It is clear that, if such a system is hacked, there is a considerable danger of the kind of loss of life associated with ‘conventional’ forms of terrorism.
Phillip Brunst recommends measures to encourage companies to invest more in security. Secondly, referring to Article 35 of the CoE Convention on Cyber Crime, he sees a need for the establishment of designated communication paths within countries and between countries to fight digital attacks. On the issue of the terrorist presence on the internet, he sees efforts to block terrorist communications as bound to fail. These communications should be monitored for intelligence (compare the chapters by Prof. Gabriel Weimann and Yael Shahar).
Lt. Paul Everard attended the workshop to represent the NATO Computer Incident Response Capability at the alliance's European Headquarters in Belgium. His presentation (see the chapter “NATO and Cyber Terrorism”) is an introduction to cyber terrorism and the defensive measures NATO is taking.
Lt. Everard begins by giving numerous illustrations of cyber attacks to show what directions cyber terrorism might take. There was the dramatic hacking of a SCADA system controlling sewage in Queensland, Australia: “Symantec research highlighted an Australian case where a disgruntled ex-employee, Vitek Boden, hacked into a computerized waste management system in Maroochy Shire and caused millions of litres of raw sewage to spill into local parks, rivers, and even the grounds of a Hyatt Regency hotel in March 2000.”
If terrorists could replicate the destructive effects of the ‘Slammer Worm’ of January 2003, they would score a great success in their terms. This computer worm spread across the world in a matter of minutes, and the resultant disruption of banking, airline, infrastructure and emergency services had a high economic cost. Lt. Everard notes that “the safety monitoring system at a nuclear power plant was disabled for a combined period of eleven hours.”
Paul Everard then focuses on the attacks that have been directed at NATO, including attacks from Chinese hackers after NATO bombed the Chinese embassy in Belgrade (1999), and a distributed attack on the NATO mail server on 09–10 August 2006, when “the attack was stopped by re-configuring the mail server to respond correctly to the attempted e-mail relay traffic.” The organization has therefore long been aware of its vulnerability to cyber attacks. It generally uses ‘off the shelf’ software, the vulnerabilities of which are well known to potential hackers. Also, “although NATO's internal networks are supposedly separated from the internet, documents, messages and other data are being uploaded onto the internal network constantly.”
With the approval of the North Atlantic Council, the NATO Computer Incident Response Capability was added to InfoSec after 9/11. At present there is an Intrusion Detection Systems project which will be at full operating capacity in 2008. The Prague Summit of 21 November 2002 was attended by the leaders of NATO countries, who signed a commitment to “strengthen our capabilities to defend against cyber attacks”.
The paper concludes that providing security can be seen in terms of the following cycle: (1) Protect: this involves ‘system hardening measures’, and anti-malware support for NATO projects. (2) Prevent: this means assessing and notifying vulnerabilities, as well as conducting training and awareness-raising. (3) Detect: using intrusion detection systems twenty-four hours a day, and checking incoming mail. (4) Respond: the teams must be ready to respond to incidents at any time of the day or night. (5) Recover: a recovery support service must be present, or available on-line, to ensure minimal disruption.
Both this NATO presentation and, in particular, that of Ms Reet Oorn of the Estonian Informatics Centre, Tallinn, referred to the massive DDoS attacks on the Estonian government and institutions in April – May 2007. Ms Oorn gives a fascinating eye-witness account of how the Estonian government fought back against the attacks, when they were able to considerably increase the bandwidth available to their computers (see the chapter, jointly written by Ms Reet Oorn and Ms Eneken Tikk, on “Legal and Policy Evaluation: International Coordination of Prosecution and Prevention of Cyber Terrorism”). The Estonians showed a united front, as government equipment was supplemented by that of private sector companies.
Ms Oorn illustrates with detailed graphs and discusses the results of the assessment conducted by her Informatics Centre. These showed that the attack was in two phases: an initial phase of attacks was on a small scale, and seemed to be designed to test the limits of the target computers. These attacks were associated with the 09 May WWII victory anniversary important to pro-Russian Estonians, who were already protesting violently about the prime minister's decision to remove a statue commemorating Russian heroes. The second phase was much more professionally organized, and hours of bombardment by bot-nets had clearly been purchased.
In terms of the success of the attacks, it is generally agreed that Estonia, which has some of the highest figures of internet use in the world, survived well. Two of the biggest banks in Estonia came under heavy DDoS attacks, and on-line services were unavailable for several hours. Attacks were also performed against critical routers at the Internet Service Providers level, and this disrupted the government's internet-based communication for a short time. Some government websites experienced temporary loss of service.
Two speakers at the ARW addressed the issue of whether legal controls can be imposed on the internet. However, Ms Eneken Tikk (Faculty of Law, Tartu University, Estonia), unlike Seymour Goodman, does not expect much of the UN: “One could argue that the method of developing legal instruments that the United Nations has used fails because it is too focused on building a consensus about …existing methods used by terrorists. It cannot lead the fight against new methods (such as cyber terror). Thus, we might consider using the United Nations experience as an argument to avoid an overly reactive (rather than proactive) approach …” (see the chapter, jointly written by Ms Reet Oorn and Ms Eneken Tikk on “Legal and Policy Evaluation: International Coordination of Prosecution and Prevention of Cyber Terrorism”).
The Estonians' paper contains incisive comments on the main legal instruments concerning cyber attacks, relating these especially to terrorism. These address the Cyber Crime Convention (ETS No. 185), which, with the Convention on the Prevention of Terrorism (CETS No. 196), is “the most important international instrument for fighting cyber terrorism and other terrorist use of the Internet.” However, not enough states are party to this agreement, weakening it considerably. Also, “serious threats to commit terrorist acts are not adequately covered either by this Convention … this Convention should be evaluated with regard to its ability to cover technological advances, particularly in the area of forensic investigative techniques (such as online searches or the use of key logger software). In the fast-paced technological environment of cyber crime, such evaluations, which frequently lead to revisions and updates, are an absolutely normal process, especially when dealing with high risks such as those posed by terrorism.”
In general, as with the other lawyers at the Workshop, Ms Tikk warned that attempts at legal control of the Internet might lead to infringements upon civil liberties. However, perhaps with the attacks on Estonia in mind, which led to almost no prosecutions, she adds: “Should a decision to amend the Convention be taken, the possibility of excluding the political exception clause for some of the Convention's offences might also be considered, especially in serious cases of data and system interference.”
The paper also gives details of amendments to the Estonian Penal Code, designed to strengthen the hand of prosecutors if similar attacks come. Estonian politicians have an initiative at the EU level to amend the Framework Decision on Attacks against Information Systems 2005/222/JHA.
One other discussion of international law is offered by Police Superintendent Dr. Süleyman Özeren. His paper (see the chapter “Cyberterrorism and International Cooperation: General Overview of the Available Mechanisms to Facilitate an Overwhelming Task”) discusses definitions and typologies of cyber terrorism. There is a consideration of which of the available international organizations might most effectively achieve “consensus-based, concrete, result-oriented co-operation”.
The papers mentioned so far examine cyber terrorism in the proper sense of the term, and how to respond in terms of technology, awareness, and legal/political measures. However, there is also the related question of responding to the terrorist presence on the internet (so-called ‘terrorist contents’). Here the internet is not a weapon, but an important tool for terrorists' communications (co-ordination, training, recruiting), and information gathering on the targets of planned attacks. The COE–DAT Workshop included four fascinating papers on terrorist contents.
An undoubted expert on terrorist websites is Prof. of Communication Gabriel Weimann, who from an early stage has been archiving literally thousands of terrorist websites, from al-Qaida to FARC, and Hizbullah to the PKK (see the chapter “WWW.AL-QAEDA: The Reliance of al-Qaeda on the Internet”). This project, based at Haifa University, brings many different analytical approaches to bear on this material, including link analysis, participant observation, language analysis, and case studies.
Prof. Weimann's paper reports on his project, with colourful illustrations from the world of terrorist websites. The professor shows how, since 9/11, al Qaeda operatives sharpened their internet skills and increased their web presence. When the Americans drove al-Qaida from its camps in Afghanistan, the organization was dispersed and forced to retreat into cyberspace. As Gabriel Weimann shows, they now make extensive use of the internet, to the extent that they even rely upon it.
Also giving the ARW an account of a terrorist organization's use of the internet, Capt. Erdoğan Çelebi has built up a wealth of knowledge, and uses a high-tech approach, in his research on the terrorist Kurdistan Workers' Party (PKK) (see the chapter “A Case Study: the PKK and Cyberspace”). This is an exemplary study, showing the amount of information that can be gathered from the Internet concerning a single organization. It shows that the PKK has created, or is closely linked to, thirty-eight websites. In addition to data and analysis, the paper gives some indication of the style of the websites, and the way the PKK seeks to present itself to its various audiences.
Of particular interest is the fact that Erdoğan Çelebi uses Ucinet software to conduct various kinds of link analysis of the PKK-related sites. This technology provides a method for demonstrating which sites were used by PKK leaders in the field, and which are the main sites which propagate their message. This may have practical applications: “Taking out these hubs will make the rest of the network individual islands that have no connection to the others. The question in terms of counter terrorism agencies is how many of these hubs have to be taken down to crash the whole network.”
Other papers based on the phenomenon of ‘terrorist contents’ sought to give, in my view, very contrasting practical responses.
Yael Shahar, of the Institute for Counter Terrorism in Herzliya, Israel, spoke on “The Internet as a Tool for Intelligence and Counter-Terrorism”. Yael Shahar notes that “The jihadi online presence is literally the physical brain of the global jihad movement. The very openness and accessibility of this medium provides the intelligence community with a wealth of material for foundation intelligence and analysis.” Arguing that we should ‘tune in’ to, not try to shut down, these communications, she pointed out that much can be learned from analysis of websites and chat-rooms about the enemy's situation, plans, and also weaknesses.
Shahar is also interested in exploiting these weaknesses for counter-terrorism purposes, using the legally-shady method of ‘hacking back’, exploiting the same anonymity and access from which the terrorists benefit. She reveals an armoury of techniques: sowing dissent, countering propaganda, and secretly altering instructions on websites.
By contrast, Dr. Katharina von Knop proposes an open source response. Instead of concentrating on breaking down the structures created by the enemy, here is a proposal to build a new counter-structure. Her discussion paper (see the chapter on the “Institutionalization of a Web-focused, Multinational Counter-terrorism Campaign – Building a Collective Open Source Intelligent System”) focuses on the organizational and management issues surrounding such a system. As she writes: “There is an intense need to work on new solutions to develop effective and efficient counterterrorism measures that follow the democratic process, values and freedoms. Knowledge discovery, data mining techniques and data fusion play a central role in improving the counter-terrorism capabilities of intelligence, security and law enforcement agencies. …Having all the challenges in mind, this article will focus on the most important and highly sensitive one, international cooperation. This contribution …highlights the most important factors towards the development and institutionalization of an international interagency collective open source intelligent system regarding the threat of Islamist terrorism.”
Dr. von Knop points out that, if such a co-operative campaign is to succeed, it will need to be arranged in an innovative and flexible way: instead of a hierarchical organization, there would be a network, and knowledge would be pooled. There would be committee management, and a credit point system. Governments would be allowed to use the resource only to the extent that they contribute good quality information and analysis.
The Collective Open Source idea is a well thought-out response to the challenge of organizing international cooperation regarding terrorist contents on the Internet. It is a cause for optimism that the speakers, coming from a variety of backgrounds, presented so many practical ways in which to respond to the problem of cyber terrorism. A vital next step is for the experts, with the support of governments and international organizations, to agree on priorities and methods and to implement a common strategy. Participants at the conference gained, perhaps, an impression of the form the discussions between experts might take from the Working Groups that met at the end of each day's presentations. The answers that emerged from the Groups are compiled in the last chapter of this book (see the “Summary of Working Group Discussions”).
Osman Aytaç, Col., ARW Director