23 April 2013
The Rise of Terrorist Hackers: Eric Schmidt and Jared Cohen
Related: WikiLeaks Threat: Eric Schmidt and Jared Cohen
http://cryptome.org/2013/04/wikileaks-threat.htm
Schmidt, Eric; Cohen, Jared (2013-04-23).
The New Digital Age: Reshaping the Future of People, Nations and Business.
Knopf Doubleday Publishing Group. Kindle Edition. (pp. 162-169)
The Rise of Terrorist Hackers
How serious someone considers the threat of cyber terrorism likely depends
on that person's view of hacking. For some, the image of a basement-dwelling
teenager commandeering phone systems for a joyride endures, but hacking has
developed considerably in the past decade, transformed from a hobby into
a controversial mainstream activity. The emergence of hacktivists
(politically or socially motivated hackers) and groups like the hacking
collective Anonymous signals a maturation of message and method and hints
at what we can expect in the coming years. Increasingly, hackers will find
ways to organize themselves around common causes. They will conduct sophisticated
attacks on whomever they deem a proper target and then publicize their successes
widely. These groups will continue to demand attention from the governments
and institutions they attack, and their threats may come to be taken more
seriously than one might expect judging from today's activities, which
mostly seem like stunts. The story of WikiLeaks, the secrets-publishing website
we discussed earlier, and its sympathetic hacker allies is an illustrative
example.
The arrest of WikiLeaks cofounder Julian Assange in December 2010 sparked
flurries of outrage around the world, particularly among the many activists,
hackers and computer experts who believed his indictment on sexual-assault
charges was politically motivated. Shortly thereafter, a series of cyber
attacks crippled, among others, the websites for Amazon, which had revoked
WikiLeaks' use of its servers, and MasterCard and PayPal, which had
both stopped processing donations for WikiLeaks.
This campaign, officially titled Operation Avenge Assange, was coordinated
by Anonymous, a loosely knit collective of hackers and activists already
responsible for a string of prominent DDoS attacks against the Church of
Scientology and other targets. During Operation Avenge Assange, the group
vowed to take revenge on any organization that lined up against WikiLeaks:
"While we don't have much of an affiliation with WikiLeaks, we
fight for the same reasons. We want transparency and we counter censorship.
The attempts to silence WikiLeaks are long strides closer to a world where
we cannot say what we think and are unable to express our opinions and ideas.
We cannot let this happen.
This is why we intend to utilize our resources
to raise awareness, attack those against and support those who are helping
lead our world to freedom and democracy." The corporate websites were
back online within several hours, but their disabling was very public and
could have affected millions of customers. Most of those customers had no
idea the websites were vulnerable in the first place. In other words, the
hacktivists made their point. A string of global investigations followed,
leading to the arrest of dozens of suspected participants in the Netherlands,
Turkey, the United States, Spain and Switzerland, among other states.
Neither WikiLeaks nor groups like Anonymous are terrorist organizations,
although some might claim that hackers who engage in activities like stealing
and publishing personal and classified information online might as well be.
The information released on WikiLeaks put lives at risk and inflicted serious
diplomatic damage.3 And that's the point:
Whatever lines existed between the harmless hackers and the dangerous ones
(or between hackers and cyber terrorists, for that matter) have become
increasingly blurred in the post-9/11 era. Decentralized collectives like
Anonymous demonstrate clearly that a collection of determined people who
don't know each other, and without having met in person, can organize
themselves and have a real impact in virtual space. In fact, no critical
mass is necessary: an individual with technical prowess
(computer-engineering skill, for example) can commandeer thousands of machines
to do his bidding. What will happen in the future when there are more of
these groups? Will they all fight on the side of free speech? Recent examples
suggest we should begin preparing for other possibilities.
In 2011, the world met a twenty-one-year-old Iranian software engineer,
apparently working in Tehran, who called himself Comodohacker. He was unusual
compared to other hacktivists, who generally combat government control over
the Internet, because as he told The New York Times via e-mail, he believed
his country should have control over Google, Skype, Yahoo!, etc.
He made it clear that he was intentionally working to thwart antigovernment
dissidents within Iran. "I'm breaking all encryption algorithms,"
he said, "and giving power to my country to control all of them."
Boasting aside, Comodohacker was able to forge more than five hundred Internet
security certificates, which allowed him to thwart trusted website
verification and elicit confidential or personal information from unwitting
targets. It was estimated that his efforts compromised the communications
of as many as three hundred thousand unsuspecting Iranians over the course
of the summer. He targeted companies whose products were known to be used
by dissident Iranians (Google and Skype), or those with special symbolic
significance. He said he attacked a Dutch company, DigiNotar, because Dutch
peacekeepers failed to protect Bosnian Muslims in Srebrenica in 1995.
Just months after Comodohacker's high-profile campaign, another ideological
hacktivist from the Middle East emerged. He called himself OxOmar, claimed
to live in Riyadh, Saudi Arabia, and declared that he was one of the
strongest haters of Israel who would finish Israel
electronically. In January 2012, he hacked into a well-known Israeli
sports website and redirected visitors to a site where they could download
a file that contained four hundred thousand credit-card numbers (most of
these were duplicates, and the total number of compromised cardholders was
closer to 20,000). He claimed to represent a group of Wahhabi hackers, Group-XP,
who wrote in a statement, "It will be so fun to see 400,000 Israelis
stand in line outside banks and offices of credit card companies
[and] see that Israeli cards are not accepted around the world, like
Nigerian cards." Weeks later, when the websites of Israel's El
Al Airlines and its stock exchange were brought down with DoS attacks, OxOmar
told a reporter that he had teamed up with a pro-Palestinian hacker group
called Nightmare and that the attacks would be reduced if Israel apologized
for its genocide against Palestinians. Israel's deputy minister
of foreign affairs, Danny Ayalon, said he considered it "a badge of
honor that I have been personally targeted by cyber-terrorists." He
later confirmed the attacks on his Facebook page but added that hackers
"will not silence us on the Internet or in any forum." Was Comodohacker
really a young Iranian engineer? Did OxOmar really coordinate with another
group to launch his attacks? Were these hackers individuals, or actually
groups? Could either or both of these figures just be constructs of states
looking to project their digital power? Any number of scenarios could be
true, and therein lies the challenge of cyber terrorism in the future. Because
it is very difficult to confirm the origins of cyber attacks, the target's
ability to respond appropriately is compromised, regardless of who claims
responsibility. This obfuscation adds a whole new dimension to misinformation
campaigns, and no doubt states and individuals alike will take advantage
of it. In the future, it will be harder to know who or what we are dealing
with.
Sudden access to technology does not in and of itself enable radicalized
individuals to become cyber terrorists. There is a technical skills barrier
that, to date, has forestalled an explosion of terrorist-hackers. But we
anticipate that this barrier will become less significant as the spread of
connectivity and low-cost devices reaches remote places like the
Afghanistan-Pakistan border region, the African Sahel and Latin America's
tri-border area (Paraguay, Argentina and Brazil). Hackers in developed countries
are typically self-taught, and because we can assume that the distribution
of young people with technical aptitude is equivalent everywhere, this means
that with time and connectivity, potential hackers will acquire the necessary
information to hone their skills. One outcome will be an emergent class of
virtual soldiers ripe for recruitment. Whereas today we hear of middle-class
Muslims living in Europe going to Afghanistan for terror-camp training, we
may see the reverse in the future. Afghans and Pakistanis will go to Europe
to learn how to be cyber terrorists. Unlike training camps with rifle ranges,
monkey bars and obstacle courses, engineering boot camps could be as nondescript
as a few rooms with some laptops, run by a set of technically skilled and
disaffected graduate students in London or Paris. Terrorist training camps
today can often be identified by satellite; cyber boot camps would be
indistinguishable from Internet cafés.
Terrorist groups and governments alike will try to recruit engineers and
hackers to fight for their side. Recognizing how a cadre of technically skilled
strategists enhances their destructive capacity, they will increasingly target
engineers, students, programmers and computer scientists at universities
and companies, building out the next generation of cyber jihadists. It is
hard to persuade someone to become a terrorist, given the physical and legal
consequences, so surely ideology, money and blackmail will continue to play
a large role in the recruitment process. Unlike governments, terrorist groups
can play the antiestablishment card, which may strengthen their case among
some young and disaffected hacker types. Of course, the decision to become
a cyber terrorist is almost always less consequential to one's personal
health than signing up for suicide martyrdom.
Culture will play an important role in where these pockets of cyber terrorism
develop in the world. Deeply religious populations with distinct radicalized
elements have traditionally been the most fertile ground for terrorist
recruitment, and that will hold true for cyber-terrorist recruitment as well,
especially as the largely disconnected parts of the world come online. To
a large extent, the web experience of users is highly determined by their
existing networks and immediate environment. We do not expect radical social
change simply from the advent of connectivity. What we'll see instead
are more communication channels, more participation and more rogue identities
developing online.
And, of course, there are state sponsors of terrorism who will seek to conduct
untraceable attacks. Today, Iran is one of the world's most notorious
sponsors of terror groups, funneling weapons, money and supplies to groups
like Hezbollah, Hamas, Palestinian Islamic Jihad, the al-Aqsa Martyrs Brigades
and various militant groups in Iraq. But as cyber-terrorist efforts begin
to look more fruitful, Iran will work to develop the virtual capacity of
its proxies in equal measure. This means sending computer and network equipment,
security packages and relevant software, but it also could mean in-person
training. Iran's technical universities may well begin hosting Lebanese
Shia programmers with the specific aim of integrating them into Hezbollah's
emergent cyber army. Perhaps they will send them the most expensive encryption
tools and hardware. Or Iran could fund technical madrassas in Hezbollah
strongholds like Dahieh, Baalbek and the south of Lebanon, creating incubators
where promising engineers are trained to launch cyber attacks against Israel.
Perhaps instead of giving cash to Shia businessmen in Brazil to start businesses
(a known tactic of the Iranian government), the regime will provide them
with tablets and mobile devices carrying specialized software.
But any regime or terrorist group that recruits these hackers will assume
a certain risk. While not all recruits will be young, a decent percentage
will be, and not just for demographic reasons: Social scientists have long
believed that certain developmental factors make young people uniquely
susceptible to radicalization. (There is considerable discussion about what,
precisely, those factors are, however; some believe it has to do with brain
chemistry, while others argue that sociological elements in society are the
driving cause.) So not only will recruiters be faced with organizing hackers,
who thus far have shown a distinct resistance to formal organization, but
they'll also have to deal with teenagers. As we'll discuss below,
participation in a virtual-terrorism network will require inordinate discipline,
not the trait most frequently associated with teenagers. Most young people
are attracted to and tempted by the same things: attention, adventure,
affirmation, belonging and status. Yet one mistake, or one casual boast online
from a teenage hacker (or someone he knows), could unravel his entire terrorist
network.
Just as counterterrorism operations today depend on intelligence sharing
and military cooperation (such as that between the United States and
its allies in South Asia), in the future, that bilateral support will
necessarily include a virtual component. Given that many of the most radicalized
countries will be among the latest arrivals to the Internet, they will need
foreign support to learn how to track down terrorists online and how to use
the tools newly available to them. Today, large contractors make a fortune
benefiting from foreign military assistance; as bilateral efforts increasingly
come to include cyber-security elements, a range of new and established
computer-security firms will benefit accordingly.
Military policies too will change in response to the threat cyber terrorists
pose. Today, most of the terrorists the military chases down are in failed
states or ungoverned regions. In the future, these physical safe havens will
also be connected, allowing terrorists to engage in nefarious virtual acts
without any fear of law enforcement. When intelligence reveals known cyber
terrorists planning something dangerous, extreme measures like drone strikes
will come under consideration. Western governments will try to attract skilled
hackers to their side as well. In fact, hackers and government agencies in
the United States work together already, at least in matters of cybersecurity.
For years, agencies like the Pentagon's Defense Advanced Research Projects
Agency (DARPA) and the National Security Agency (NSA) have recruited talented
individuals at venues like the computer-security conference series Black
Hat and the hacker convention Def Con. In 2011, DARPA announced a new program
called Cyber Fast Track (CFT), created by a former hacker turned DARPA project
manager, which aimed to accelerate and streamline the cooperation between
these communities. Through CFT, DARPA began awarding short-term contracts
to individuals and small companies to focus on targeted network-security
projects. This initiative was distinguished by its focus on smaller players
and lone actors rather than big companies, and its ability to green-light
grants quickly. DARPA approved eight contracts in the first two months of
the program (in other words, at lightning speed compared with the normal
pace of government contracting). This process allowed groups with considerable
skill who would otherwise not work with or for the government to contribute
to the important work of improving cybersecurity, easily and in a time frame
that reflects the immediate nature of the work. CFT was part of a shift in
the agency toward democratized, crowd-sourced innovation championed
by Regina Dugan.
We asked Dugan about the motivation behind this unconventional approach to
problem-solving; after all, inviting hackers into the tent to handle
sensitive security matters raises more than a few eyebrows. "There is
a sense among many that hackers and Anonymous are just evildoers," she
said. "What we recognized and tried to get others to embrace was that
hacker is a description of a talent set. Those who were declared
(self-declared or otherwise) hackers had something rather significant
to contribute to the issue of cybersecurity, with respect to how they approach
problems, the timelines on which they approach problems and their ability
to execute and challenge." The success of Cyber Fast Track, she added,
was a signal of the viability of that model. "I don't think that
should be the only model we use," she said, "but it should absolutely
be part of our approach."
More outreach to hackers and other independent computer experts should be
a priority in the coming years, and we expect that Western governments will
continue to try to include them, either overtly, through programs like CFT,
or covertly, through the channels of intelligence agencies. Governments will
push hard to acquire virtual counterparts in foreign countries to complement
their undercover operators and assets active in the physical world, recruiting
hackers and other technically savvy individuals to become sources and dealing
with them remotely over secure online channels. There are implicit challenges
associated with virtual assets, however. Despite their usefulness, there
would be an absence of in-person interactions, which intelligence operatives
have relied on for centuries to determine the credibility of a source. A
video chat is hardly the same thing, so agencies will have to figure out
how they can vet new participants effectively. Trusting virtual assets may
in fact be harder than turning them.
_____
3 At a minimum, platforms like WikiLeaks and hacker collectives
that traffic in stolen classified material from governments enable or encourage
espionage.