Assignment 2: Digital Computer Crime

INTRODUCTION

Since the beginning of history, warfare has evolved in parallel with the development of tools, weapons, and technology. In the twentieth century, warfare developed from hand-to-hand and small-weapons combat to sophisticated air combat, and now to electronic “smart” bombs that are programmed to destroy their targets. Traditional means of warfare have been further distorted by technology and by the escalating events of international terrorist activity. Before September 11, 2001, few would have considered that America’s civil aircraft could be used as weapons against America itself. However, al Qaeda operatives did just that, killing over 2,840 people in a few short hours. It should not be a surprise, then, that military and guerrilla offensives could be waged on many fronts, from the skyscrapers of Manhattan to the digital networks that coordinate our critical infrastructure (e.g., the Internet, computer networks, telephone systems, and electricity and water supplies).

CHAPTER OBJECTIVES

After completing this chapter, you should be able to
■ Define the concepts of “cybercrime,” “cyberterrorism,” and “information warfare.”
■ List the four categories of attacks that encompass cyberterrorism and/or information warfare.
■ Identify various elements of our critical infrastructure that are potentially vulnerable to cyberterrorism and/or information warfare.
■ Define and describe an information attack.
■ Describe some of the tactics used in cyberspace to share information and promote terrorist ideologies between and within terrorist groups.
■ Define the words “steganography” and “cryptography” and relate their use in information warfare and cyberterrorism.
■ Discuss the concept of information warfare from the Russian and Chinese perspectives.
■ Explain the active role of China and al Qaeda in recent cyber attacks against the United States.

Chapter 2 • Digital Terrorism and Information Warfare
Source: Digital Crime and Digital Terrorism, Third Edition, by Robert W. Taylor, Eric J. Fritsch, and John Liederbach (ISBN 1-323-00652-4).

In fact, the Internet is a critical tool for political and social movements of all types around the world. Groups have employed a range of tactics depending on the severity of the perceived injustice or wrong that has been performed. Often, these virtual efforts develop in tandem with real-world protests and demonstrations. For example, the native peoples, called Zapatistas, in Chiapas, Mexico, used the Internet to post information and mobilize supporters for their cause against governmental repression. [1] Politically driven groups have also employed hacking techniques to engage in more serious strikes against governments and political organizations. [2] Members of a hacktivist group called the Electronic Disturbance Theater developed an attack tool called FloodNet that overloaded Web servers and kept others from being able to access their services.
FloodNet was used against the Pentagon as well as other government and business targets as a means of protest against their activities and policies. [3] Even longer-established organized terrorist groups like Sri Lanka’s Tamil Tigers have engaged in acts of cyberterrorism to disrupt or damage government computer networks. [4] And more recently, in 2012 and 2013, radical Islamic groups such as the “Cutting Sword of Justice,” “al-Qassam Cyber Fighters,” and the “Syrian Electronic Army” have attacked private banks (Citibank, JP Morgan, Regions Bank, Bank of America, and Wells Fargo); businesses (Saudi Aramco, the BBC, al-Jazeera, and CBS); and governments (Saudi Arabia, Bahrain, and Qatar) throughout the Middle East. [5] Indeed, the attack on Saudi Aramco in August 2012 by the “Cutting Sword of Justice” destroyed over 30,000 computers and may well have been “the most destructive attack that the private sector has seen to date.” [6]

Few among the American population have considered a situation involving an attack on our infrastructure. However, this type of attack became a frightening possibility when the lights went out across the northeastern United States on Thursday, August 14, 2003. During the initial hours of the blackout, which affected New York City, parts of Connecticut, Vermont, Ohio, and Canada, confusion reigned, and many newscasters covering the outage speculated that it could be a terrorist act. By evening, that scenario had been ruled out, and the outage was eventually traced to a power grid failure in Ohio. Regardless, the American public had now seen a glimpse of the very real consequences of such an attack: the cities affected had ground to a virtual halt, oil prices began to rise almost instantly, and panic among the population was evident, especially in the first hours after the outage. Today, attacks against U.S. businesses and governments are commonplace, with an estimated 100 million attempts each day.
The Pentagon alone reports a whopping 10 million attempts each day! The numbers have virtually quadrupled in the last two to three years. [7] Which of these attempts might be successful? Which might be the next cyber Pearl Harbor or 9/11? The sheer scale of the problem has produced significant demand to counter the threat. Almost all U.S. departments now have cyber security and information security experts on staff, with huge resources within the U.S. Department of Homeland Security and the U.S. Department of Defense focusing on the development of cyber weapons as well as cyber defense. Indeed, President Barack Obama has the broad power to order a pre-emptive strike if the United States detects credible evidence of a major digital attack from a foreign entity. New policies also govern how intelligence agencies can carry out surveillance on foreign and domestic subjects via the Internet, electronic eavesdropping, the use of drones, and satellite spying. The cyber domain is now front and center in the country’s newest defensive arsenal. The Pentagon recently announced the development of “CyberCity,” a virtual town that enables government hackers to practice attacking and defending the computer and information networks that increasingly run our world’s infrastructure (e.g., power, water, and transportation systems). [8] As one defense expert reported, “In the future, nearly all military missions will have a cyber component.” [9]

DEFINING THE CONCEPTS

Even though the protection of our national infrastructure is a large part of the national strategy for homeland security and defense, most individuals do not understand the jeopardy such entities are in. We take for granted that they are secure.
Information warfare and cyberterrorism are actually very broad concepts that, depending on who is defining them, can encompass a range of activities by a variety of different people. They are also two conceptually different things: cyberterrorism is a component of information warfare, but information warfare is not necessarily cyberterrorism. For this reason, it is necessary to define these topics as separate entities.

Buzzwords: Information Warfare, Cyberterrorism, and Cybercrime

Information warfare is an overarching concept that encompasses cyberterrorism. Essentially, information warfare is the gathering or use of information to gain an advantage over another party. More specifically, John Alger, the dean of the School of Information Warfare and Strategy at the National Defense University, defines information warfare as “those actions intended to protect, exploit, corrupt, deny or destroy information or information resources in order to achieve a significant advantage, objective or victory over an adversary.” [10] Still another definition states that information warfare is the “coherent and synchronized blending of physical and virtual actions to have countries, organizations, and individuals perform, or not perform, actions so that your goals and objectives are attained and maintained while simultaneously preventing competitors from doing the same to you.” [11]

Information warfare consists of six components: psychological operations, electronic warfare, military deception, physical destruction, security measures, and information attacks. [12] Psychological operations (or psy-ops, in popular military lingo) use information to affect the state of mind of the adversary. This could include propaganda, or the spreading of information intended to convince people to subscribe to a certain cause or doctrine. The Internet is a perfect tool for this objective. [13] Electronic warfare is the denial of information, or of accurate information, to an adversary. This is a tool widely used by terrorist organizations, political hackers, and rival countries via the Internet. Military deception is an age-old tactic that misleads an adversary about military capabilities or intentions. This type of information warfare does not require that the Internet even exist; it can be carried out through more traditional media. [14] Physical destruction, in this context, is a physical attack on an information system. Security measures are the methods of protecting an information system so that an adversary cannot breach it. Finally, an information attack is the direct corruption of information without changing the physical structure in which it is located. [15]

This should make it clear, then, that information warfare is not limited to those things that can be done with computers. In fact, information warfare is the exploitation or strategic protection of a number of things: telephones, radio signals, radar, electronic devices, anything that can be manipulated in order to control or influence the actions of a decision maker. A more practical definition is that information warfare is any sort of strike or protective measure against an information system, whatever the means. Implanting a virus into a military computer is an information warfare tactic. At the other end of the spectrum, blowing up a cellular phone tower could also be considered information warfare.

In contrast, terrorism is defined as the actual or threatened use of violence by an individual or group motivated by ideological or political objectives. The goal of terrorism is to intimidate or coerce a government or its people. [16] Cyberterrorism, or digital terrorism, however, cannot be as concretely defined and has spurred significant debate over exactly what it means. The fact is that the word “cyberterrorism” has been misrepresented in both academic circles and the media at large. A panel of experts on cyberterrorism stated, “Dropping ATM networks and shutting down e-mail is not terrorism. If I can’t get to my e-mail for a few days, I am not terrorized.” [17] This illustrates the common misperception that a network disruption is an act of cyberterrorism. Such a disruption would be considered more of an act of information warfare.

Cyberterrorism is also not defined by the group perpetrating it. Terrorist groups, such as al Qaeda or another radical Islamic group, may use the Internet to further their propaganda, hide their secrets, or recruit new members. However, none of this is considered to be inherently terroristic and, again, may be considered more of an act of information warfare. [18] According to one definition, “terrorism is defined by the nature of the act, not by the identity of the perpetrators or the nature of their cause.” [19]

Cyberterrorism is specifically a premeditated, politically or ideologically motivated attack or threat of attack against information, computer systems, computer programs, and data that can result in violence against civilian targets. [20] According to Barry Collin of the Institute for Security and Intelligence, cyberterrorism is “hacking with a body count.” [21] An early assessment by RAND’s National Defense Research Institute concluded that cyberterrorism may also include attacks motivated by political or ideological objectives that cause serious harm, such as a prolonged loss of infrastructure like electricity or water. [22] A similarly broad definition of cyberterrorism was developed and presented by the National Institute of Justice, recognizing any “premeditated, politically motivated attack against information systems, computer programs and data . . . to disrupt the political, social, or physical infrastructure of the target.” [23] Yet another definition includes severe economic loss as a qualifier for cyberterrorism: if the economic loss is harsh enough, a destabilization may occur that can result in serious harm to a society. [24]

To muddy the waters even more, a less significant activity designed to protest, “spread the truth,” or otherwise emphasize a particular belief or political bent, without intentional harm to human life, is called “hacktivism.” In these cases, mostly involving Web site defacement, the actor is engaged in vandalism and chaos rather than economic gain and destruction: terrorism without the body count.

Cybercrime, or digital crime, on the other hand, can be loosely defined simply as the commission of a crime with the use of a computer and a network (e.g., the Internet). Cybercrime has facilitated the expansion of almost every traditional crime, including drug trafficking, black market commerce, money laundering, theft, piracy, stalking, fraud, and espionage. Many of these cybercrimes, espionage in particular, can now be or have been tied to cyberterrorism and information warfare as either an operational objective or a financial enabler. Through the growth and innovation of technology, crime has evolved into cybercrime, and cybercrime has in turn enabled drug cartels, organized crime rings, and terrorists to perpetrate traditional crime as a source of funding and operational reach to achieve their objectives on a global scale.

Essentially, crime, terrorism, and warfare have evolved into their cyber states through the advent and evolution of technology. As technology continuously improves, criminals, terrorists, and rogue states keep pace, identifying new and innovative ways to incorporate it into their operations, expanding their reach from regional to global through the use of the Internet, and enabling themselves to grow and mature, and even to enable each other, at a much faster pace. Because of the obvious semantic problems presented by the misuse of the terms “cybercrime,” “information warfare,” and “cyberterrorism,” it is important to keep these definitions in mind when reviewing the threats that criminals, terrorist groups, or hostile nations pose to the cyber security of the United States. Cybercrime will be discussed much more in future chapters, while this chapter focuses on cyberterrorism and information warfare.

Four categories of attacks that encompass acts of cyberterrorism and/or information warfare will be discussed: infrastructure attacks, or those attacks designed to destroy a system that includes critical data; information attacks, or attacks focused on demolishing or altering the content of electronic files or computer systems; technological facilitation, or the use of cyber communication to distribute and coordinate plans for a terrorist attack, incite an attack, or otherwise assist in the facilitation of terrorism; and promotion, which includes fundraising, solicitation, and recruitment. [25]

BOX 2.1 A Short History of Warfare

In a popular futuristic and thought-provoking book, The Third Wave, Alvin Toffler discusses a specific approach to the history of warfare. He describes and explains the development of warfare in three different and separate epochs, or waves. The first, or agrarian, wave produced the first known effective change (or revolution) in the history of humankind. Humans began to settle in specific areas and grow food rather than forage and roam large expanses of land. During the agrarian wave, societies developed and the production of goods and commerce began. Tools were relatively rudimentary, and weapons were designed more for hunting and personal protection against wild animals than specifically for killing people. The value of goods and the rapidly increasing value of property (soil) created new conflicts among people, the first cause of war.

The second, or industrial, wave marked a significant departure from the manufacturing of simple weapons. Industrial and technological improvement allowed the first weapons for the destruction of multiple persons and buildings (infrastructure). Indeed, this era witnessed the defeat of agrarian-based societies by more advanced industrialized peoples. Landowners had become industrialized nations. Most importantly, war and defense had become a means of justifying the production of more advanced weaponry, including weapons of mass destruction (e.g., nuclear, chemical, and biological). Arbitrary and loosely defined armies had become well-structured and highly mechanized forces. Nations were now capable of delivering lethal attacks against entire societies of people, leaving behind large expanses of scorched and uninhabitable land.

The third wave, the information wave, reveals societies based on the rapid exchange of vital and critical information. Accurate and timely communication characterizes successful, thriving, global societies. War likewise reflects the importance of information and is focused on the destruction of critical infrastructure within societies, hence information warfare. High-tech weapons “invade” computer systems and networks with the aim of destroying the ability of a nation to operate. Interestingly, the large sophisticated armies of the industrial period are relatively useless when communication and transportation systems, logistical support, targeting systems, defense networks, and the like succumb to electronic attack. Most importantly, the third wave points to the vulnerability of large information-based nations and suggests how a relatively small, unorganized yet knowledgeable group of individuals could wreak havoc on such a society.

Quite prophetic, considering that the book was written about 30 years ago, in 1984!

Source: Toffler, Alvin. (1984). The Third Wave. New York: Bantam Books.

RISK AND CRITICAL INFRASTRUCTURE ATTACKS

Given that most parts of the world now have access to the Internet, almost any country can fall victim to some form of cyberterrorism or information warfare. In fact, Russian factions have engaged in cyber attacks against Estonia and Georgia, which caused the citizens of those countries significant economic harm. [26] These conflicts developed from real-world events, notably the removal of a statue in Estonia and an attempted secession in Georgia. However, the virtual attacks that ensued forced financial and government Web sites offline in these countries, and the share of Internet connectivity consumed by malicious Web traffic kept individuals from being able to access regular resources like e-mail. This chapter and discussion will emphasize events that can or have taken place in the United States, but it is important to recognize that some of the conditions we discuss can apply to many other industrialized nations in the world.

The United States is at particular risk for cyber attack, whether related to information warfare or cyberterrorism, because of several factors. The first is that the United States continues to occupy a precarious position regarding the Middle East. Several fundamentalist and radical Islamic groups (e.g., al Qaeda, Hezbollah, and HAMAS) perceive the United States to be evil. Indeed, much of their radical philosophy attacks modernity itself, characterizing complex communication systems, energy use, and computer networks as threats to fundamental Islam. To make matters worse, recent activities by the United States within the Israeli–Palestinian conflict, in Iraq since 2003, and in Afghanistan after the events of September 11, 2001, have all contributed to anti-American sentiment within the radical Muslim world. Many of these groups have significant experience in launching cyber attacks. [27] Furthermore, Iran’s efforts to develop and enrich nuclear material have led to the first major exchange of cyber attacks involving the United States.

Low-Level Cyber War

By 2009, a collaborative effort between Israel and the United States had produced a computer worm known as “Stuxnet.” The program was developed under the code name “Operation Olympic Games,” begun under the direction of President George W. Bush and expanded under President Barack Obama. [28] The purpose of Stuxnet was to compromise specific industrial control systems (Siemens controllers) driving the gas centrifuges, and associated pumps, used at the Natanz nuclear enrichment facility in Iran. Shortly thereafter, in 2012, major attacks against U.S. banks by the group “al-Qassam Cyber Fighters” escalated significantly, and in August of that year Saudi Aramco was hit by the “Cutting Sword of Justice” in one of the most destructive attacks ever witnessed. Not surprisingly, U.S. investigators linked these supposed terrorist groups, operating clandestinely in the Middle East, to Iran. [29]

Later in 2012, another highly sophisticated program (malware) called “Flame” was observed in various countries throughout the Middle East. Most of the infections, however, were concentrated in Iran. Unlike Stuxnet, which was designed to sabotage or destroy specific control devices, Flame was a large program written primarily for espionage and information gathering. It allowed the attackers to find and exfiltrate drawings, plans, policies, and other documents stored on a computer or computer network. With the vast majority of targets within Iran, and reportedly again developed collaboratively by the United States and Israel, Flame represents one of the most complex cyber warfare programs ever developed. [30] While the U.S. government has acknowledged the existence and development of cyber weapons, it has officially denied responsibility for any attacks against Iran.

Muslim fundamentalist and radical groups are not the only threat to the United States’ cyber security. Anti-capitalist movements, such as those observed in Russia and North Korea, have also shown their prowess at engaging American targets in cyber attack. Either type of group could inflict a great amount of damage on commercial or government interests using techniques that they have already employed in other cyber realms. [31] Indeed, our country has already suffered very sophisticated attacks from such entities. The question, of course, is whether these attacks were state supported. Is it a single hacker or a group acting alone, or might they have been given some incentive by a military or government? Are they using equipment and resources they obtained themselves, or resources provided by a covert military group? What resources are they attacking, and how might the attacks benefit a nation more than an individual? In the often confusing and murky world of cyberterrorism and information warfare, the answers to these questions are often blurred, as might be expected when secret agencies and spy services are involved. The problem becomes even more confusing when multinational organized crime cartels join the mix. Chapter 5 attempts to address some of these same questions, with a focus on sophisticated criminal organizations.

Infrastructure Reliance

Another important factor that causes significant concern to the United States is the country’s heavy reliance upon a national information infrastructure.
Information infrastructure is composed of five essential components: communications networks, such as those used for phones, satellites, and cable; equipment used for the provision of information, including televisions, radios, computers, and phones; information resources, which might consist of educational or medical programs or databases; applications, like those used for electronic commerce or digital libraries; and people. [32] The United States, which has identified itself as the most infrastructure-reliant nation on earth, is also possibly the most at risk for an infrastructure attack. [33] Critical infrastructure is a particularly attractive target to terrorists (and foreign governments), due to the large-scale economic and operational damage that would occur with any major shutdown. [34] In the late 1990s, the Clinton administration identified eight areas of infrastructure that constitute a virtual national life support system: telecommunications, banking and finance, electrical power, oil and gas distribution and storage, water supply, transportation, emergency services, and government services. [35] The further developed plan presented by former president George W. Bush in his National Strategy for Homeland Security identified and characterized the need for critical infrastructure protection. [36] Many of these areas are interdependent, magnifying the potential effects of a breach of any one system. [37] President Barack Obama has laid out a similar plan along the same lines in a document referred to as the “Cyberspace Policy Review.” [38] This document also suggests a need for increased cooperation between the government and private industry in order to secure critical infrastructure from cyber attack. President Obama has taken the first steps toward this cooperation through a White House executive order that directs U.S. intelligence agencies to share the latest information about cyber threats with private companies operating electric grids, power plants, water stations, railroads, and other vital industries to help protect them from digital and other cyber attacks. [39]

Banking and financial institutions are also vulnerable to infrastructure attack, as they depend heavily on networks. If one system is breached by an attacker, then all connected systems can be severely impacted. However, most banking or financial networks tend to be private, with little external access, which somewhat mitigates the vulnerability in this sector. At the same time, a severe attack against a resource such as a stock exchange or a military bank could cause significant harm to multiple sectors of the country’s economy.

As discussed, electrical power and water supply systems rely heavily on electronic sensors that maintain safe levels and aid engineers in shutting off supplies if something goes wrong. Manipulation of these remote sensors by network intrusion is a threat, especially from those who have legitimately gained access in the past. In fact, “malicious insiders,” those who have been given access to a system for a valid reason such as employment or research, are the greatest threat to infrastructure. Such an insider has specialized knowledge of the system as well as access. [40] However, individual and government-sponsored hackers in Russia, North Korea, Iran, and China have begun to access these systems remotely, emphasizing that the threat goes far beyond insiders. [41]

Transportation infrastructure, particularly civil air traffic control, is also a concern, especially after the events of September 11, 2001.
The systems used specifically for civil aviation have in the past been largely custom designed, which has isolated them from most direct attacks. Today, as more and more tasks, including aircraft maintenance, parts manufacturing, and flight management, are slowly being moved to commercial-off-the-shelf software, that isolation is eroding. [42] Security for both new and old systems is generally elaborate, with layers of administrative controls that could thwart even the most technologically sophisticated intruder. Furthermore, most civil aviation technology is designed to withstand system failure or breakdown through the use of redundant systems or separate subsystems, which are designed to pick up where the main system left off. [43] The Achilles’ heel of civil aviation security is its heavy reliance on other types of infrastructure. Air traffic control centers depend on electricity, communications systems, and government services, such as the Federal Aviation Administration. For example, radar data travels over simple, dedicated telephone lines. If those telephone lines were compromised, the impact could be catastrophic. [44]

The potential severity of an electronic attack against critical infrastructure has led some individuals to use the term “electronic Pearl Harbor” to refer to such an event. [45] This is a reference to the notion that the attack will take citizens and the government by surprise and devastate the population. There have already been attacks against the United States’ critical infrastructure involving many of these systems. Until the 2013 Mandiant report, however, none had been directly linked to or proven to be the act of any terrorist organization or foreign country. Many were the work of juvenile pranksters. For example, in March 1997, a teenager hacked into a telephone company computer that serviced the Worcester Airport in Massachusetts. Telephone service to the control tower, the airport fire department, airport security, and various other departments was out for more than six hours. The attack caused a ripple effect of delayed and cancelled flights across the country, leading to serious financial losses to the airport and several airlines. [46]

In another infrastructure attack, a disgruntled former Chevron employee disabled the firm’s alert system by hacking into the company computers. The attack was not discovered until the system failed to notify engineers of a release of noxious chemicals into the air at a plant in Richmond, California. This event put millions of people in the western United States and Canada at risk. [47]

These two attacks were potentially deadly and costly, but were perpetrated by people without a political or terrorist agenda. One was motivated by ego, the other by pure revenge. It is particularly disconcerting to think of what someone with a deep-rooted ideological hatred for the United States could do if a cocky teenager can shut down an airport for no specific reason. Possibilities put forth in the academic literature include the most heinous visions of disaster: [48]

• Penetration of an air traffic control system in order to send misleading signals to aircraft, causing midair collisions.
• Taking advantage of the United States’ increasing reliance on telemedicine by intruding into hospital computers and changing prescription dosages, resulting in patient death.
• Entering computerized commuter and freight train routing systems, causing passenger trains to collide or hazardous materials to be released.
• Destroying government computer systems that process tax returns.

What is the risk of an attack on the U.S. critical infrastructure by a terrorist group or rival nation?
Unfortunately, no one really knows how vulnerable our critical infrastructure is. Consider this April 23, 2003, testimony before the U.S. House of Representatives from Michael Vatis, Director of the Institute for Security Technology Studies at Dartmouth College: 49

. . . to say that cyber networks are vulnerable does not mean that the critical infrastructures that rely on those networks—such as electrical power, grids, pipelines, telecommunications switching nodes, hospitals, etcetera—are necessarily vulnerable, or that a cyber attack would have a sufficiently long-lasting destructive impact to achieve a terrorist or nation-state’s military or political objectives. We still do not actually know the full extent of our critical infrastructure’s vulnerabilities to various types of cyber attacks and the extent of their potential impact.

In her testimony before the same group in October 2001, Terry Benzel, the vice president of advanced security research for Network Associates, Inc., stated that she was unaware of any analysis of infrastructure that identified its weaknesses or even the extent to which systems are codependent. Benzel referenced a 1997 exercise designed to identify vulnerabilities in infrastructure. 50 Using only hacking tools available on the Internet, National Security Agency hackers successfully gained access to a number of military and infrastructure systems. However, specific vulnerabilities were never disclosed—only the assertion that the United States is at risk on some level for such an attack. 51 Benzel recommended to the House an in-depth study and analysis of infrastructure, to culminate in suggestions and solutions to shore up vulnerabilities. 52 Even after the devastation of 9/11, the 2013 Mandiant report on APT1, and the identification of significant national threats, her advice has still not been fully implemented.
Our government has been slow to respond to such threats and risks; however, recent events such as low-level digital warfare with Iran and the discovery of APT1 have begun to spur traditionally slow legislators into action. Fortunately, several departments and agencies, such as the U.S. Department of Justice, the U.S. Department of Homeland Security, and the U.S. Department of Defense, have been quicker to respond by designing and planning for potential threats and risks as well as developing tactical offensive cyber weapons to be used in case of an all-out attack against the United States.

INFORMATION ATTACKS
Both information warfare and cyberterrorism create a host of scenarios for cyber attacks. Attacks on infrastructure have already been discussed. There are less destructive forms of cyber attack that terrorist groups or adversarial nations could employ to achieve information warfare objectives. These information attacks are focused on destroying or altering content within a system, and while information may be corrupted and temporarily lost, physical and virtual systems are still preserved. This means that the attack is much less destructive and more disruptive in nature. However, such an attack can (and most likely would) cause major economic damage and loss. 53 The following sections present examples of these types of attack.

Web site Defacement
India and Pakistan have been feuding over a relatively small strip of land known as Kashmir for over half a century. Cyber attacks are a more recent development in the history of this conflict, and the most visible of these attacks have been perpetrated by pro-Pakistan hacker groups. Since 1995, over 1,500 Web defacements of Indian sites have taken place, and all have been either political or highly visible to the public. For instance, sites representing the Indian parliament, television networks, newspapers, and academic institutions have all been defaced at some point. These Web sites have been defaced with anti-India images and slogans, with some automatically redirecting Web traffic to pro-Pakistani sites, or in some cases, to Web sites containing pornographic or generally offensive material. 54 This technique has also been used by both Israeli and Palestinian groups, often coinciding with specific political events in the region. 55 Domestically, the White House and the FBI Web sites have both been attacked by single-issue terrorist groups such as the Earth Liberation Front and right-wing hate groups such as the Aryan Nation. Private industry has also become a regular target for Web defacements by politically or religiously motivated hackers. For example, a Danish newspaper published a cartoon featuring the prophet Muhammad with a bomb in his turban in 2005. 56 This image was deemed offensive by the Muslim community, and the newspaper’s Web site was defaced repeatedly along with any other site that featured the cartoon. Thousands of Web sites were hacked or defaced by Turkish hackers, who in turn received a great deal of attention from the press for their efforts. 57

Cyberplagues: Viruses and Worms
The terms “viruses” and “worms” are often used synonymously to describe malevolent computer programs that are capable of running and duplicating themselves. However, there is a subtle difference between the two.
A virus is actually a piece of code that attaches itself to other instructions within a computer, such as software application code or boot systems. When the user takes an action to make these host instructions run, the virus starts to run as well. The virus then performs a function and lets the host resume control. 58 Meanwhile, the virus has implanted itself into the memory of the computer, where it searches for new hosts. Each time it finds a new host, it inserts itself and then executes its payload, or function, which may be anything from displaying a smiley face on screen to completely wiping the files from a hard drive. 59 The ILOVEYOU virus, which affected Web development and multimedia files and was spread through Microsoft Outlook address books, hit tens of millions of computer users who opened a seemingly innocuous attachment in their e-mail entitled “Love Letter.” The total cost of that virus was over a billion dollars. 60 For more detailed information on viruses and malicious code, please refer to Chapter 7.

The ILOVEYOU virus was eventually traced to a college student, but there have been indications that foreign governments have explored viruses as a means of offensive information warfare. A report from the U.S. Defense Intelligence Agency warned that the Cuban military was developing a program to propagate viruses against civilian computers in the United States. And, as we have already learned, China has also developed programs to spread computer viruses through APT1. 61

A worm is a program that reproduces itself over a computer network by breaking into computers much like a virtual hacker.
Worms do not need the assistance of an unwitting computer user to be unleashed—rather, they find computers that they are able to penetrate, carry out their attack, and then transfer a replica of their code to the next target. 62 Worms exploit weaknesses in popular software in order to reproduce quickly and can have the same results as a virus. However, they generally spread much faster, affecting tens of thousands of computers in as little as two to three hours. Estimated costs of worm attacks parallel those of many viruses, with an estimate from a recent attack (Blaster) topping a billion dollars in damage. 63 The Code Red worm in 2010 specifically targeted the White House computer systems that were running on commercial off-the-shelf software. 64 Although this particular attack was not tied to any type of terrorism or specific information warfare agenda, others as noted were. Viruses and worms fall under the much broader term malicious software (malware), which comprises any program or script that attempts to disrupt normal computer operations, steal private data, or illegally enter a private computer or computer system.

Distributed Denial-of-Service Attacks
The distributed denial-of-service (DDoS) attack is an attempt by a cyber attacker to prevent legitimate usage of a service. DDoS attacks generally take the following forms: destruction or alteration of configuration information for a system, expenditure of resources needed for legitimate operation, and the actual physical modification of network elements. The result of any of these three types of DDoS attacks is that a system becomes unavailable for a period of time until the system can be brought back under control. 65 One of the more common types of DDoS attack is the flood attack. In this type of action, the attacker starts the process of establishing a connection to another machine.

The connection is never completed, but data structures within the victim computer have been reserved to meet the requirements of that connection. As a result, no legitimate connection may be made while the victim machine is waiting to complete the original phony connection. The DDoS instigator can take over other computers and use them to mount a simultaneous attack of bogus connections against one victim computer. 66 DDoS attacks have been used against government and defense computers, as well as in the largest attack on e-commerce ever recorded. This attack, in February 2000, shut down the giants of e-commerce, including eBay, Amazon, and Yahoo, for nearly a full day. The economic impact of this attack was astounding. 67 Once again, the attack was not related to any terror or political objectives. In 2006, however, a tool called Electronic Jihad Program was found that easily enables DoS attacks against a variety of targets. 68 The tool is linked with a forum and chat room, coordinates attacks, and targets a specific site each day. Using a simple-to-use interface, this resource was used in a variety of attacks against Web sites around the world. And in 2012, the attacks against Saudi Aramco by the Cutting Sword of Justice were primarily DDoS attacks that virtually shut down 30,000 computers. Even though the group, Cutting Sword of Justice, was suspected of being sponsored by Iran, little real evidence ever surfaced. The August 2012 attack represented one of the most sophisticated attacks claimed by a rogue group. Restoring and replacing these services cost hundreds of millions of dollars, but was accomplished in a relatively short period of time. Complete Saudi Aramco services were restored in two weeks.
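The half-open connection flood described above, seen from the defender's side, as an added example that is not part of the textbook: a Python script that parses a constructed snapshot of a host's TCP connection table (column layout modelled on Linux `ss -tan`; every address, port and count below is made up) and flags the signature of a flood, many connections stuck waiting for the handshake to finish, spread across many peers, with almost none completing. The threshold, ratios and function names are this example's own.

```python
"""Spotting a half-open (SYN) flood in a connection-table snapshot.

Added example, not from the textbook. The flood attack described in the
text leaves the victim holding connections that were started but never
completed. On a Linux host those show up as SYN-RECV entries in the
kernel's connection table; this script parses a constructed snapshot in
an `ss -tan`-like column layout (every address below is made up) and
flags the pattern a defender looks for: many half-open connections on
one local port, spread across many peers, almost none reaching ESTAB.
"""
from collections import defaultdict

HALF_OPEN_THRESHOLD = 20  # demo value; tune to the service's normal backlog

# Constructed sample. Hypothetical victim 10.0.0.5: port 443 is being
# flooded from 40 different peers; port 22 has one slow, legitimate client.
_HEADER = "State      Recv-Q Send-Q Local Address:Port   Peer Address:Port"
_FLOOD = [
    f"SYN-RECV   0      0      10.0.0.5:443         198.51.100.{i}:{40000 + i}"
    for i in range(1, 41)
]
_NORMAL = [
    "ESTAB      0      0      10.0.0.5:443         203.0.113.7:51514",
    "ESTAB      0      0      10.0.0.5:443         203.0.113.8:51520",
    "ESTAB      0      0      10.0.0.5:443         203.0.113.9:51533",
    "SYN-RECV   0      0      10.0.0.5:22          192.0.2.9:33001",
    "SYN-RECV   0      0      10.0.0.5:22          192.0.2.9:33002",
    "ESTAB      0      0      10.0.0.5:22          192.0.2.9:33000",
]
SAMPLE_TABLE = "\n".join([_HEADER] + _FLOOD + _NORMAL)


def parse_table(text):
    """Return (state, local_ip, local_port, peer_ip) for each data row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":
            continue  # blank line or the column header
        state, local, peer = parts[0], parts[3], parts[4]
        local_ip, local_port = local.rsplit(":", 1)
        peer_ip = peer.rsplit(":", 1)[0]
        rows.append((state, local_ip, int(local_port), peer_ip))
    return rows


def half_open_stats(rows):
    """Per local port: half-open count, distinct half-open peers, ESTAB count."""
    stats = defaultdict(lambda: {"syn_recv": 0, "estab": 0, "peers": set()})
    for state, _local_ip, local_port, peer_ip in rows:
        s = stats[local_port]
        if state == "SYN-RECV":
            s["syn_recv"] += 1
            s["peers"].add(peer_ip)
        elif state == "ESTAB":
            s["estab"] += 1
    return stats


def flag_floods(stats, threshold=HALF_OPEN_THRESHOLD):
    """Return {port: details} for ports whose half-open queue looks flooded."""
    flagged = {}
    for port, s in stats.items():
        n = s["syn_recv"]
        if n < threshold:
            continue
        # Many distinct peers that never finish the handshake is the
        # signature of a distributed or spoofed-source flood. One slow
        # client retrying shows a single peer and a normal ESTAB ratio.
        spread = len(s["peers"]) / n
        completion = s["estab"] / (s["estab"] + n)
        if spread >= 0.5 and completion < 0.2:
            flagged[port] = {
                "half_open": n,
                "sources": len(s["peers"]),
                "completion_ratio": round(completion, 2),
            }
    return flagged


if __name__ == "__main__":
    report = flag_floods(half_open_stats(parse_table(SAMPLE_TABLE)))
    for port, details in sorted(report.items()):
        print(f"port {port}: possible SYN flood {details}")
    # Host-side mitigations for this pattern are SYN cookies, a larger
    # listen backlog, shorter SYN-RECV timeouts and upstream rate limiting.
```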
Thus, DDoS attacks are an important resource in the terrorist and information warfare community.

Unauthorized Intrusions
Intrusions are “any set of actions that attempt to compromise the integrity, confidentiality, or availability of a computer resource.” 69 Theft of classified government information is of particular interest to terror groups or adversarial nations. The consequences of such an attack could have wide-ranging implications. However, this type of attack is very difficult to identify once it has occurred. Unless data have been altered, or administrators are specifically looking for an intrusion, such an attack may go undetected forever. 70 This is particularly true in advanced and sophisticated cases like those involving the Stuxnet and Flame malware. Both programs were encrypted with commands that destroyed the original program and any file that suggested that the malware had ever been installed. These types of programs are particularly pernicious.

A well-known attack in 1998 exemplifies the issue. A group of hackers composed of people from around the globe announced that they had stolen programs off of U.S. Department of Defense computers that essentially ran U.S. military networks and satellites. The software was stolen from a Windows NT server in the Defense Information Systems Agency within the U.S. Department of Defense. The hackers claimed that the software could be used to virtually shut down U.S. military operations. The group also claimed to have penetrated National Aeronautics and Space Administration (NASA) computers, as well as Pentagon computer systems. 71 The group claimed that their attack was merely an act of public service—a kind of wake-up call for the United States to realize that if a group of simple hackers could gain access to sensitive information, so too could terrorist groups (or rogue nations) willing to use that information to their advantage. Detailed information relating to the event is difficult to acquire, which heightens anxiety and leads to paranoid visions of extreme national vulnerability. The attack was real; however, the U.S. Department of Defense had no knowledge or awareness of the attack and the subsequent loss of information and data.

Similarly, a coordinated series of attacks against the private intelligence industry provider Stratfor occurred in 2011. The loose-knit hacking movement known as “Anonymous” claimed that it had stolen thousands of credit card numbers and other personal data belonging to the company’s clients. Anonymous members posted some of the information on various Twitter and Facebook accounts. While the focus of the attack was unauthorized intrusion and theft of data, the attack was primarily symbolic, attacking an intelligence and security-related company.
“Anonymous” is an informal group of hackers that has become famous for attacking the companies and institutions that oppose the anti-secrecy Web site WikiLeaks and its founder Julian Assange. “Anonymous” had previously claimed responsibility for attacks on VISA, Inc., MasterCard, Inc., and eBay Inc.’s PayPal, and this attack was designed to embarrass Stratfor rather than to achieve personal gain. According to several sources, the data were not encrypted. In addition, some files were taken from the company’s e-mail system that included a list of written passwords. The failure to protect and secure client information and company e-mail systems was a major failure on the part of Stratfor, an Austin, Texas-based intelligence and security-related company.

A series of carefully coordinated attacks on American computer networks and defense systems since 2003, referred to as “Titan Rain,” appeared to come from Chinese systems operated by very skilled hackers. 72 Evidence suggests they were able to steal massive amounts of files from NASA, Lockheed Martin, and Sandia National Laboratories in as little as 10–30 minutes, leaving no traces behind. Though little information is available, this example clearly demonstrates that intrusions are a serious and very real threat to critical infrastructure and networked systems.

CYBER AND TECHNOLOGICAL FACILITATION
These final categories of cyber attack are less a physical attack and more of a tactic in cyberterrorism and information warfare. Facilitation of attack can encompass such things as communication via the Internet by terrorist groups, while promotion of terror might be as simple as recruitment and propaganda.

Facilitation of Attack and Dissemination of Ideology
Information technology has played a great role in the emergence of networked terrorist groups, such as al Qaeda and Jemaah Islamiyah. Technology has allowed for reduced transmission time in communication, so that members of an organization all over the globe may coordinate their tasks. 73 Information technology has also reduced the cost of communication. In the past, terrorist networks have had to centralize their major activities to reduce the risk of detection from direct travel and telephone communication. This made them more vulnerable to discovery, and their operations could effectively be wiped out with just one major raid. However, information technology has allowed these organizations to disperse throughout the world, decentralizing their operations and thereby safeguarding them. 74 A good example is the myriad of Web sites associated with al Qaeda that disseminate radical Islamic ideology, appeal for financial support, provide instruction in tactics and weapons, gather intelligence and information about potential targets, radicalize and recruit new members, and support a worldwide communication venue.

According to terrorism expert Brian M. Jenkins, “the Internet enables terrorist organization to expand their reach, create virtual communities of like-minded extremists, and capture a larger universe of more-diverse talents and skills.” 75 It is the ability to attract more diverse individuals in the facilitation of an attack that is most alarming. Al Qaeda operatives can coordinate with each other relatively securely in individual chat rooms where they not only embolden each other with rhetoric, but also plan and discuss future strategies, attacks, and tactics. The Internet provides a wealth of technical data, from weapons manufacturing, arms trafficking, and bomb making (Improvised Explosive Devices—IEDs) to detailed satellite imagery of potential targets and real-time transportation routes for escape.

Developments in information technology have also allowed for more complex information sharing among terrorist groups. Organizations now have access to computer conferencing, chatting, and Web sites that allow for quick and direct communication. 76 Domestic right-wing groups have historically used Web sites for recruitment and advancement of their philosophies. In fact, a range of Web forums and social networking sites exist for neo-Nazi groups and other racist organizations to connect and discuss their positions. The emergence of the Internet and cellular communications devices has also engendered the development of so-called flash mobs or smart mobs. 77 These terms refer to mass formations of individuals in one place and time, coordinated through the use of text or instant messaging, e-mails, and other Web-based communications. This technology enables protests, civil unrest, and violence with some organization.
In 2010, for example, the French police were investigating a break-in at a construction site in a largely Muslim and African community, where they found several teenagers. 78 The teens began to run, though it is not clear if they were being chased by police, and climbed into an electrical power substation, where two died as a consequence of severe electric shock. These deaths incited local tensions, leading to weeks of rioting, during which buildings and cars were burned, police assaulted, bus stations destroyed, and several people killed. The youths involved in these riots are said to have used text messaging and e-mails to coordinate their attacks and avoid law enforcement. 79

Data Hiding
Also known as steganography, data hiding includes an assortment of methods for secret communication that can conceal the fact that a message even exists at all. Most practically, data hiding refers to the act of taking a piece of information and hiding it within another piece of data, such as an image, sound recording, or word-processing file. 80 Data hiding is based upon two main principles: first, files that contain digital images or recordings may be altered without losing their functionality, and second, files may be altered without the effects ever being perceived by the human eye or ear. 81 After the events of September 11, 2001, reports surfaced that revealed that al Qaeda had been transmitting hidden data over the Internet. Hidden maps of terrorist targets and instructions were posted in sports chat rooms and pornographic sites, which could be accessed by anyone with an Internet connection. 82 Data hiding is fairly easy to do, given the availability of free programs on the Internet and commercially available software, and is complex enough that it would take an impossible amount of time and energy to find hidden data in every Internet file. It is for these reasons that data hiding is such a valuable tool for terrorists or adversarial nations.
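The two principles of data hiding stated above, worked through in code as an added example that is not part of the textbook: least-significant-bit (LSB) embedding in a constructed 8-bit grayscale image held as a flat list of pixel values (no image file or library is used). The example checks that the carrier is still a valid image after embedding, that no pixel moves by more than one step (the change the eye cannot see), and then shows the defender's side: a content-disarm step that re-quantises pixel values, as lossy recompression does, destroys the hidden payload. Function names and the payload are this example's own.

```python
"""Least-significant-bit (LSB) data hiding in an image carrier.

Added example, not from the textbook. It demonstrates the two principles
in the text: the carrier still works as an image after embedding, and the
change (at most 1 in each 0-255 pixel value) is imperceptible. The carrier
is a constructed 8-bit grayscale image held as a flat list of ints; no
image file or library is needed. The final function shows why a defensive
content-disarm step that re-quantises pixels (the same thing lossy
recompression does) wipes the payload out.
"""
import math
import random

HEADER_BITS = 32  # payload length prefix, in bits
DEMO_PAYLOAD = b"demo payload"  # constructed message for the example


def make_carrier(width=64, height=64, seed=7):
    """Constructed grayscale 'image': deterministic pseudo-random pixels."""
    rng = random.Random(seed)
    return [rng.randint(0, 255) for _ in range(width * height)]


def _to_bits(data):
    """Yield the bits of a byte string, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def _from_bits(bits):
    """Pack a list of bits (MSB first) back into bytes; drops a partial byte."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)


def embed(pixels, payload):
    """Return a copy of pixels with a length header and payload in the LSBs."""
    length = len(payload)
    if HEADER_BITS + 8 * length > len(pixels):
        raise ValueError("carrier too small for payload")
    bits = list(_to_bits(length.to_bytes(4, "big") + payload))
    stego = list(pixels)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & ~1) | bit  # overwrite only the low bit
    return stego


def extract(pixels):
    """Recover a payload written by embed(); empty bytes if no header found."""
    length = int.from_bytes(_from_bits([p & 1 for p in pixels[:HEADER_BITS]]), "big")
    end = HEADER_BITS + 8 * length
    if end > len(pixels):
        raise ValueError("length header does not fit the carrier")
    return _from_bits([p & 1 for p in pixels[HEADER_BITS:end]])


def max_pixel_change(a, b):
    """Largest per-pixel difference between two equally sized images."""
    return max(abs(x - y) for x, y in zip(a, b))


def psnr(a, b):
    """Peak signal-to-noise ratio in dB; above ~40 dB is visually identical."""
    mse = sum((x - y) ** 2 for x, y in zip(a, b)) / len(a)
    return float("inf") if mse == 0 else 10 * math.log10(255 ** 2 / mse)


def requantise(pixels, step=4):
    """Defensive content disarm: snap every pixel down to a multiple of
    `step`, which discards the LSB plane the way lossy recompression does."""
    return [step * (p // step) for p in pixels]


if __name__ == "__main__":
    carrier = make_carrier()
    stego = embed(carrier, DEMO_PAYLOAD)
    print("recovered:", extract(stego))
    print("max pixel change:", max_pixel_change(carrier, stego))
    print("PSNR dB:", round(psnr(carrier, stego), 1))
    print("after re-quantisation:", extract(requantise(stego)))
```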
Cryptography
For the most part, cryptography is discussed as a methodology to secure and protect information from unwanted eyes and unauthorized use. The same technology can be used to secure communication between terrorist groups. Cryptography is generally used in conjunction with data hiding. An encryption program scrambles information in a controlled manner through the use of a cryptographic key. Only those with access to the key can read the encoded material. Couriers for the terrorist group al Qaeda have been intercepted while carrying encrypted diskettes. Ramzi Yousef, convicted of the 1993 World Trade Center bombing, had encrypted plans to destroy 11 American airliners. This was discovered only after FBI agents spent over a year decoding files found in Yousef’s Manila apartment in 1995. 83 Similarly, a tool called Mujahedeen Secrets has circulated among Middle Eastern hacker groups as a means of encrypting e-mail communications with some ease. 84 This free tool was created by Ekhlass Network, Global Islamic Media Front, and allows individuals to encrypt files and messages, compress them, and securely destroy them.

PROPAGANDA AND PROMOTION
Terrorist organizations and adversarial nations have also used the Internet for purposes of propaganda and recruitment. The Internet is the best tool available for these purposes, mainly because it remains largely unregulated and has the potential to reach so many.

Organizations can influence public opinion and generate funding through the use of Web sites, which can offer even greater control over a message than TV or print, due to the interactive nature of the Internet and the direct link between a group and its webmaster. Recruitment and mobilization are an important part of a terrorist Web presence. Individuals not directly affiliated with a terrorist group, but who support its agenda, may be tapped through the Internet to provide hacking tools, funds, or merely “spread the word.” During the al-Aqsa Intifada, Israeli and Palestinian groups each employed this technique to encourage sympathizers to download hacking tools and use them against whichever side they opposed. 85 In addition, a young hacker named Irhabi 007, who was active in a number of Web forums devoted to jihad, or holy war, against the West, hacked into an FTP site operated by the Arkansas Highway and Transportation Department in 2004. 86 He used the site to post 70 terrorist-related files, including audio and video messages encouraging war and hacking methods, and advertised the hacked site in forums across the world to encourage and spread the message of jihad. Recruiting is made easier by tracking which propaganda is accessed most on a Web site and tailoring messages to fit that particular audience. Terrorist groups can also capture information about those who peruse their Web sites and later contact them.

Chat rooms and cybercafes can also serve as forums to recruit interested members of the public, especially the young. It is no surprise, then, that nearly all terrorist groups have an official presence on the Internet. Even the Palestinian Resistance Movement (HAMAS, responsible for literally hundreds of suicide bombings in Israel) can be accessed at http://en.wikipedia.org/wiki/Hamas. Hizbollah, a Lebanese Shiite group known best for its involvement in the 1983 bombing of the U.S. Marine barracks in Beirut, has a site at http://english.alahednews.com.lb/. 87

Many of the radical Islamic groups have Web sites, but none were more successful than that of American-born cleric Anwar al-Awlaki. He made numerous YouTube videos, blogged through his own Web site, had a Facebook page, sponsored his own online al Qaeda magazine, Inspire, and focused on recruiting “homegrown” terrorists from the United States. He was very successful in developing online relationships with several radical Islamic terrorists who planned and carried out attacks against targets in the United States. Al-Awlaki was in contact with several of the hijackers prior to the 9/11 attacks; he was online with Nidal Malik Hasan just days before he went on a shooting rampage at Fort Hood, Texas, in 2009; he had contact with Umar Farouk Abdulmutallab, the Nigerian Christmas Day “underwear bomber” who in December 2009 attempted to hijack Northwest Airlines Flight 253; and he had been linked to over a dozen other terrorist plots in the United Kingdom and Canada between 2005 and 2011. His death, as the result of an unmanned drone strike in Yemen on September 30, 2011, sparked controversy, as he was the first American killed by CIA-led drone strikes in the Middle East.
Interestingly, even today, his death continues to be a subject of much discussion on several al Qaeda Web sites. On the domestic front, literally hundreds of sites exist for right-wing hate groups and single-issue terrorist groups. At one point in early 2012, there were over 250 sites dedicated just to the emergence and development of state militia groups.

Funding and Financing Terrorist Groups
Terrorist groups are also engaging in cybercrimes and the use of the Internet as a means of funding their activities. There are four general categories of such funding: direct solicitation, e-commerce, exploitation of online payment tools, and charitable donations.

The use of chat groups and spam e-mails to request donations is considered direct solicitation. E-commerce activities include the online sale of goods, including books and recordings that support their cause. Accepting payment through an online payment platform for donations or purchased goods is another funding mechanism for terrorist groups. 88 See Figure 2.1. To counter such activity, MoneyJihad.com is a Web site dedicated to, among other things, exposing financial institutions that support or fund terrorist organizations. The Web site lists several banks and financial institutions that maintain relationships with jihadists (http://moneyjihad.wordpress.com/2013/01/07/sharia-banks-that-fund-terrorism/).

FIGURE 2.1 Screenshot from an Internet site soliciting terrorist funding

CYBERTERRORISM AS AN ADJUNCT ATTACK
As illustrated previously, not many can agree on exactly what threats cyberterror or information warfare pose to the United States. However, one common theme throughout the literature on this topic is that the threat of cyberterror is at its greatest when considered in conjunction with other terrorist actions. According to testimony of Virginia Governor Jim Gilmore before the House Science Committee in October 2001, “if a cyber attack occurs simultaneously with either a conventional attack or a weapon of mass destruction attack . . . it can compound and enhance the impact of the original attack.” 89 Cyber attacks are potential force multipliers, which in military terms means that these types of attacks can increase the impact of a terrorist action when combined with more traditional attacks. This is done without escalating the need for manpower or capital on the terrorists’ side.
For example, if a terrorist organization bombed a building through conventional means, but coupled it with hacking into and disabling 911 systems, the impact of the attack would be exponentially multiplied, as rescue personnel would not be able to respond effectively. 90

Al Qaeda and Information Technology
Much of the current interest in cyberterrorism and information warfare has sprung from the events of September 11, 2001, and the subsequent discovery of information technology tools used to plan and coordinate those attacks. Al Qaeda, under the direction of Osama bin Laden (and now, Egyptian cleric Ayman al-Zawahri), appears to have a sophisticated system of communication, surveillance, and coordination via computer networks and other information tools. It is widely agreed that members of al Qaeda pose a major threat via the Internet. Al-Zawahri is presumed to be hiding in Pakistan and has released numerous propaganda videos via the Internet since bin Laden’s death (in 2011), exhorting followers to violence and “personal jihad.” In a 2002 interview with Computerworld, Sheikh Omar Bakri Muhammed, an Islamic cleric with proven ties to bin Laden, said that al Qaeda was actively planning a “cyber jihad,” or holy war, against the United States and its allies. Bakri identified the stock market as a major target and described how the fundamentalist Islamic groups are assembling cadres of computer science students sympathetic to al Qaeda’s cause in places like Pakistan and Malaysia. 91

In late 2001, the FBI noted a series of network intrusions into emergency telephone and electrical generation systems, water storage facilities, nuclear power plants, and gas facilities. Each of the probes had been routed through telecommunications centers in Saudi Arabia, Pakistan, and Indonesia—all known operational centers for al Qaeda. In 2002, al Qaeda computers seized in Afghanistan contained information yielded from these probes.
92 And, on May 2, 2011, when Navy SEALs shot and killed bin Laden in his home near Abbottabad, Pakistan, one of their primary targets was the securing of computers and servers used by bin Laden to command and coordinate his organization. The intelligence information derived from these computer systems helps target other individuals as well as thwart planned attacks in the future. Indeed, the destruction of the al Qaeda communication network may not have been as symbolic as the killing of bin Laden, but it was nonetheless much more important and effective in actually disrupting the future of al Qaeda as a terrorist organization.

In addition, U.S. officials found evidence on these computers that al Qaeda operatives spent considerable time on Web sites that offer software and programming instructions for the digital switches that run critical infrastructure such as transportation and power grids. Because the switches are not meant for public access, they have few security safeguards built into them. An attack using these switches could yield devastating results. When questioned, some captured al Qaeda operatives admitted that they had large-scale intentions to use that information in attacks on the United States. 93 This information is further confirmed by reports from the FBI (in 2013) that directly point to al Qaeda targeting of commuter rail and airline systems within the United States. Simple hacking tools, such as L0phtCrack, were also found on al Qaeda computers. L0phtCrack allows a hacker to run combinations of characters at lightning speed in order to try to replicate a password. Other more sophisticated information technology tools, such as data hiding and encryption, were also a common theme in al Qaeda caches.
94 Additionally, terrorist groups have developed hacker tools to engage in credit card theft and rootkits that would allow hackers to remotely command victim machines. These resources are available for download through a range of Web sites, including a resource titled the “al_Qaeda University for Jihad Studies.” 95 This page pro- vides access to propaganda, hacker tools, and instructional materials to train new gen- erations of hackers to continue the mission of this terror network. Al Qaeda uses this technology so effectively, partly because of the structure of the organization. Bin Laden is part of an inner circle that has reverted to using nonelec- tronic means of communication recently due to the sophistication of U.S. and allied interception. However, outside of this core group exists a loose network of operators who coordinate using the sophisticated information technology already described.

These operators are able to participate in the exchange of ideas, information, and plans related to the planning and targeting of attacks against the United States and/or its allies. It is this community of terrorists, residing all over the globe and with varying technological knowledge, that poses such a great threat to the United States. 96

PERSPECTIVES ON INFORMATION WARFARE

Information warfare is the concept of using information technology to gain tactical or strategic advantage over an opponent during a conflict. This can be intelligence in the sense of knowing the enemy’s capabilities, intentions, and dispositions (deployment), or undermining their capabilities and will to fight. Propaganda, disinformation, counterintelligence, deception, and disruption of information infrastructure are all aspects of information warfare. The acronym-obsessed U.S. military currently refers to these capabilities as C4ISR, or Command, Control, Communications, Computing, Intelligence, Surveillance and Reconnaissance. More prudent planners label all these things “information operations.” As we have discussed, information warfare is known to be a component and/or objective of cyber or digital terrorism, and the lines are often blurred as to the exact motivations of each incident and/or actor.

Clearly, the three superpowers—the United States, Russia, and China—have different and varying perspectives on information warfare. These are not rogue states attempting to gain international attention or prowess, but rather the superpowers of the world trying to keep one step ahead of the other. Indeed, the tools of information warfare—cyberweapons—may represent the most complex arms race to date. The Pentagon has created a Cyber Command, and information warfare is one of the few parts of the military budget that is expected to grow over the immediate future. 97 The Obama Administration has made it perfectly clear that the military can carry out counterterrorism missions in nations where the United States operates under the rules of war or where substantial U.S. interests are threatened. The use of cyberweapons and/or other aspects of information warfare is fair play and has evolved over the last decade as a response to threats against U.S. interests from terrorists rather than specific nations.

The final authority for the use of cyberweapons by the U.S. rests with the President, and like all weapons they are to be used narrowly, constituting a reasonable and proportionate force in halting or retaliating against a cyber attack. 98

The Russian Perspective

Russia’s view of information warfare, “informatsionnaya voyna,” is a more holistic concept, carrying cyber operations implicitly alongside electronic warfare, psychological operations, and strategic communications and influence. The Russians view cyber capabilities as tools of information warfare, which combines intelligence, counterintelligence, disinformation, electronic warfare, debilitation of communications, degradation of navigation, psychological pressure, and destruction of enemy computer capabilities. 99 From the Russian perspective, there are considerable similarities between the tactics employed by hacktivism, cyber aggression, and cybercrime. Furthermore, the Russian cyber warrior may employ information weapons such as cybercrime to achieve the technical aspects of a mission and possibly cyberterrorism to address the objectives and motivation of an attack on enemy computer networks. 100 In other words, information weapons, as defined by Russian information warfare expert S.P. Rastorguyev, are “means directed at activating (or blocking) information systems processes in which the subject using the weapons has an interest; being any technical, biological, or social means or system that is used for the purposeful production, processing, transmitting, presenting or blocking of data and or processes that work with the data.” 101 Hence, employing cybercrime and cyberterrorism techniques is well within the arsenal of information warfare from the Russian perspective.

The Chinese Perspective

The People’s Republic of China is probably not the first threat that comes to mind when discussing information warfare or cyberterrorism. However, tensions between the United States and China remain high, and China is one of the few countries in the world eager to adopt the concept of information warfare. In fact, cyber warfare has been almost totally incorporated into the military lexicon, training, and organization in China. 102 Consider this excerpt from the official Chinese military science handbook:

“In the near future, information warfare will control the form and future of war. We recognize this developmental trend of information warfare and see it as a driving force in the modernization of China’s military and combat readiness. This trend will be highly critical to achieving victory in future wars.” 103

Information warfare, as a component of China’s national capabilities, is employed as necessary to support their government objectives and strategy. Programme 863, for example, is a Chinese government objective aimed at “making Chinese industry financially independent of foreign technology; China sees cyberspace as a way of compensating for its deficiency in conventional warfare, for example by developing strategies to cripple communication networks.” 104 As a result, the Chinese government has assembled special hacker forces to engage the United States in online or cyber warfare and has apparently already used them. In the spring of 2001, a hack into the California power grid was traced back to the Guangdong province in China, where several malicious worms and Trojan horse attacks had also originated. Department of Defense officials did not think that was a coincidence. Although no proof was ever found that directly implicated the Chinese government or military, conventional wisdom suggests that these attacks had been “ordered.” 105 Evidence also emerged in 2009 concerning repeated penetrations into American electrical grids by Chinese hackers. 106 A recent study using covert research methods also found that Chinese computers comprise the largest percentage of machines on the Internet actively scanning for electrical grid communications. 107 This information, coupled with the previously described Titan Rain incidents, suggests that the Chinese are heavily engaged in attempts to access critical infrastructure in the United States.

Furthermore, on April 1, 2001, an American spy plane and a Chinese fighter aircraft collided in midair, leading to the capture of the American plane by the Chinese.

The political conflict that followed was accompanied by a wave of attacks on U.S. Web sites by Chinese hacker groups. Approximately 1,200 sites, including those of the White House, the Air Force, and the Department of Energy, were targeted via defacement or DoS attacks. Again, this was never directly proven to be the work of the Chinese government. However, the attacks were highly visible, and China took no action to sanction those who perpetrated them. The attacks were at least tolerated by the Chinese government; however, given their hard-line stance on crime in China, it seems more likely that the government directly supported such action. 108

Then, in early 2013, one of the most significant and controversial security reports regarding cyberthreats to the United States emerged from Mandiant, a computer security consulting corporation. 109 Its report documented thousands of cyber attacks from China aimed primarily against entities within the United States since 2006, and identified a group known as Advanced Persistent Threat One (APT1) as the primary culprit. APT1 is a single organization of individual operators working within China that has conducted one of the most aggressive and sophisticated cyber espionage campaigns ever uncovered. The sheer amount of activity, along with the discovery of various sophisticated tools and tactics used by APT1, led Mandiant to conclude that APT1 is likely a Chinese government-sponsored group with direct ties to the People’s Liberation Army (PLA), Unit 61398. Both groups have similar missions, capabilities, and resources and are located in precisely the same building in Shanghai, China. Mandiant believes that APT1 is indeed PLA Unit 61398. 110 APT1’s cyber attack infrastructure is composed of over 1,000 servers within a large organization staffed by hundreds of human operators with direct access to Shanghai communication systems and capabilities. The conclusion that the Chinese government was not only aware of APT1, but is now actively involved in the direction and management of a group designed primarily to steal digital information and attack Western enterprises, sent shockwaves through the international community. The Mandiant report represents the first conclusive evidence that foreign governments do indeed sponsor military-based cyber activity designed specifically to steal information and disrupt American infrastructure. Awareness of this type of threat has provided the stimulus for billions of dollars dedicated to retaining cutting-edge capability in defending U.S. infrastructure.

Summary

China, Russia, Iran, al Qaeda, domestic right-wing hate groups, and numerous other terrorist or nation-state entities all have access to the Internet and have the tools to perpetrate a variety of cyber attacks against the United States and/or its allies. By the very nature of these technological attacks, our critical infrastructure is most vulnerable. As a result, a great deal of attention has been focused on the topic. Scholars, government officials, and reporters alike have speculated on the vulnerabilities of the United States to cyber attacks, as well as on the “types” of attacks that may be implemented. As illustrated throughout this discussion, there is a great deal of confusion as to what the threats against U.S. information systems really are. Clearly, there is a tremendous range of domestic and international terror groups, unfriendly nations, and criminals attempting to subvert, or successfully subverting, U.S. critical and economic infrastructure. Such attacks could cause untold damage, though it is difficult to document the scope of the problem.
It is, however, obvious that the Internet is now a critical component of information warfare and terror activities.

Review Questions

1. Define the concepts of cybercrime, information warfare, and cyberterrorism.
2. What are the six components of information warfare?
3. What are the four major categories of cyberterrorism and/or information warfare?
4. What are “Stuxnet” and “Flame,” and how do they relate to low-level information warfare between the United States and Iran?
5. Define critical infrastructure, and give some specific examples of the types of systems vulnerable to cyberterrorism and information warfare within the United States.
6. Name and describe various types of information attacks.
7. What are steganography and cryptography?
8. What has the role of China been in recent cyber attacks against the United States?

Endnotes

1. Cere, Rinella. (2003). “Digital Counter-Cultures and the Nature of Electronic Social and Political Movements.” In Yvonne Jewkes (ed.), Dot.cons: Crime, Deviance and Identity on the Internet. Portland, OR: Willan Publishing, pp. 147–163.
2. Furnell, Steven. (2002). Cybercrime: Vandalizing the Information Society. Boston, MA: Addison Wesley.
3. Ibid.
4. Denning, D.E. (2001). “Activism, Hacktivism, and Cyberterrorism: The Internet as a Tool for Influencing Foreign Policy.” In John Arquilla and David F. Ronfeldt (eds.), Networks and Netwars: The Future of Terror, Crime, and Militancy. Santa Monica, CA: Rand, pp. 239–288.
5. Gross, Michael. (2013). “The Silent War.” Vanity Fair. See: http://www.vanityfair.com/culture/2013/07/new-cyberwar-victims-american-business ; Menn, Joseph (May 18, 2013). “Cyber Attacks Against Banks more Severe than Most Realize,” Reuters. See http://www.reuters.com/article/2013/05/18/us-cyber-summit-banks-idUSBRE94G0ZP20130518
6. Panetta, Leon E. (October 11, 2012). “Remarks by U.S. Secretary of Defense Leon E. Panetta on Cybersecurity to the Business Executives for National Security, New York.” News Transcript. U.S. Department of Defense. See http://www.defense.gov/transcripts/transcript.aspx?transcriptID=5136
7. Fung, Brian. (March 8, 2013). “How Many Cyberattacks Hit the United States Last Year?” Nextgov.com. See http://www.nextgov.com/cybersecurity/2013/03/how-many-cyberattacks-hit-united-states-last-year/61775/
8. O’Harrow, Jr., Robert (December 2, 2012). “Virtual Town, Virtuous Goals.” The Dallas Morning News, p. 6A.
9. Ibid.
10. Schwartau, Winn. (1996). Information Warfare. New York: Thunder’s Mouth Press, p. 12.
11. Jones, Andy, Kovacich, Gerald L., and Luzwick, Perry G. (2002). Global Information Warfare: How Businesses, Governments and Others Achieve Objectives and Attain Competitive Advantages. New York: Auerbach Publication, p. 5. For further information on definitions, refer to Denning, Dorothy E. (1999). Information Warfare and Security. New York: ACM Press.
12. United States Air Force. “Cornerstones of Information Warfare.” See http://www.af.mil/lib/corner.html
13. See Jones, Kovacich, and Luzwick, Global Information Warfare, p. 394.
14. See United States Air Force.
15. Ibid.
16. Denning, Dorothy. (1999). Information Warfare and Security. Reading, MA: Addison-Wesley, p. 68.
17. “Cyberterror Threat Overblown, Say Experts.” Computerworld, March 14, 2003.
18. Embar-Seddon, Ayn. (February 2002). “Cyberterrorism: Are We Under Siege?” American Behavioral Scientist 45(6): 1036.
19. Thackrah, R. (1987). “Terrorism: A Definitional Problem,” Contemporary Research on Terrorism. Aberdeen, Scotland: Aberdeen University Press, p. 1043.
20. Pollitt, Mark. (October 25, 1997). “Cyberterrorism—Fact or Fancy?” Proceedings of the 20th National Information Systems Security Conference, pp. 285–289.
21. Grossman, M. (February 15, 1999). “Cyberterrorism.” See http://www.mgrossmanlaw.com/articles/1999.cyberterrorism.htm
22. Ibid., p. 4.
23. Stambaugh, Hollis, Beaupre, David S., Icove, David J., Baker, Richard, Cassady, Wayne, and Williams, Wayne P. (2001). Electronic Crime Needs Assessment for State and Local Law Enforcement. Washington, DC: National Institute of Justice. NCJ 186276.
24. Denning, Dorothy E. “Cyberterrorism.” See http://www.cs.georgetown.edu/~denning/infosec/cyberterror-GD.doc
25. Ballard, J. David, Hornik, Joseph G., and McKenzie, Douglas. (February 2002). “Technological Facilitation of Terrorism.” American Behavioral Scientist 45(6): 1009.
26. Landler, Mark, and Markoff, John. (2008). “Digital Fears Emerge After Data Siege in Estonia.” The New York Times. Retrieved May 24, 2007, from www.nytimes.com/2007/05/29/technology/29estonia.html
27. Institute for Security Technology Studies at Dartmouth College (September 22, 2001). “Cyber Attacks During the War on Terrorism: A Predictive Analysis,” pp. 1–9.
28. Sanger, David E. (June 1, 2012). “Obama Order Sped Up Wave of Cyberattacks Against Iran.” The New York Times, p. 1.
29. Gorman, Siobhan and Barnes, Julian E. (October 12, 2012). “Iran Blamed For Cyber-attacks,” The Wall Street Journal.
30. Nakashima, Ellen (June 19, 2012). “U.S., Israel developed Flame Computer Virus to Slow Iranian Nuclear Efforts,” The Washington Post.
31. Ibid.
32. See Jones, Kovacich, and Luzwick, Global Information Warfare, pp. 56–57.
33. Ibid., p. 67.
34. Testimony of Jim Gilmore, Virginia Governor, before the House Science Committee on October 17, 2001.
35. See Denning, “Cyberterrorism.”
36. See National Strategy for Homeland Security.
37. See Jones, Kovacich, and Luzwick, Global Information Warfare, p. 71.
38. McCullagh, D. (2009). “A Cybersecurity Quiz: Can You Tell Obama from Bush?” Cnet News. Retrieved May 29, 2009, from http://news.cnet.com/8301-13578_3-10252263-38.html
39. Lardner, Richard (October 20, 2012). “Order Would Inform Industries of Cyberthreats.” The Dallas Morning News, p. 10-A.
40. See Institute for Security Technology Studies, “Cyber Attacks During the War on Terrorism,” p. 17.
41. Gorman, S. (2009). “Electricity Grid in U.S. Penetrated by Spies.” Wall Street Journal.
42. Goodman, Seymour. (2001). “The Civil Aviation Analogy: International Cooperation to Protect Civil Aviation Against Cyber Crime and Terrorism.” In A.D. Sofaer and S.E. Goodman (eds.), Transnational Dimensions of Cyber Crime and Terrorism. Stanford, CA: Hoover Institution Press, pp. 77–80.
43. Ibid., p. 78.
44. Ibid., p. 79.
45. Ibid., p. 2.
46. See Denning, “Cyberterrorism.”
47. Ibid.
48. See Jones, Kovacich, and Luzwick, Global Information Warfare, p. 112.
49. Testimony of Michael A. Vatis, Director of the Institute for Security Technology Studies at Dartmouth College, before the House Science Committee on April 8, 2003.
50. Testimony of Terry Benzel, vice president of advanced security research for Network Associates, Inc., before the House Science Committee on October 10, 2001.
51. See Denning, Information Warfare and Security, pp. 75–76.
52. See Testimony of Terry Benzel.
53. Zanini, M., and Edwards, S. (2001). “The Networking of Terror in the Information Age.” In J. Arquilla and D. Ronfeldt (eds.), Networks and Netwars. Pittsburgh: RAND, p. 44.
54. See Institute for Security Technology Studies, “Cyber Attacks During the War on Terrorism,” p. 5.
55. Ibid., p. 6.
56. Ward, M. (February 8, 2006). “Anti-Cartoon Protests Go Online,” BBC News. http://news.bbc.co.uk/2/hi/technology/4692518.stm ; Danchev, D. (August 25, 2008). “Hundreds of Dutch Web sites Hacked by Islamic hackers,” ZDNet. http://blogs.zdnet.com/security/?p=1788
57. Ibid.
58. See Denning, Information Warfare and Security, p. 270.
59. Ibid.
60. See Denning, “Cyberterrorism.”
61. See Denning, Information Warfare and Security, p. 275.
62. Ibid.
63. Ibid.
64. See Institute for Security Technology Studies, “Cyber Attacks During the War on Terrorism,” p. 10.
65. See Jones, Kovacich, and Luzwick, Global Information Warfare, p. 398.
66. Ibid., pp. 398–399.
67. See Institute for Security Technology Studies, “Cyber Attacks During the War on Terrorism,” p. 11.
68. Denning, D. (May 15, 2008). “The Jihadi Cyberterror Threat.” Paper presented at the UNCC Interdisciplinary Conference on Cybercrime.
69. Ibid.
70. Ibid.
71. See Denning, Information Warfare and Security, p. 226.
72. Thornburg, N. (2005). “Inside the Chinese Hack Attack.” Time.
73. See Zanini and Edwards, “The Networking of Terror in the Information Age,” p. 35.
74. Ibid., p. 36.
75. Jenkins, Brian M. (2011). Is al Qaeda’s Internet Strategy Working? Santa Monica, CA: The RAND Corporation. See: http://www.rand.org/content/dam/rand/pubs/testimonies/2011/RAND_CT371.pdf
76. Ibid.
77. Cere, R. (2007). “Digital Undergrounds: Alternative Politics and Civil Society.” In Y. Jewkes (ed.), Crime Online. Portland, OR: Willan Publishing, pp. 144–159.
78. Ibid.
79. Ibid.
80. See Jones, Kovacich, and Luzwick, Global Information Warfare, p. 389.
81. See Ballard, Hornik, and McKenzie, “Technological Facilitation of Terrorism,” p. 996.
82. See Jones, Kovacich, and Luzwick, Global Information Warfare, p. 388.
83. Ibid., pp. 388–389.
84. Ibid., p. 60.
85. See Zanini and Edwards, “The Networking of Terror in the Information Age,” p. 42.
86. Ibid., p. 60.
87. See Zanini and Edwards, “The Networking of Terror in the Information Age,” p. 43.
88. United Nations. (2012). The Use of the Internet for Terrorist Purposes. United Nations Office on Drugs and Crime. See: http://www.unodc.org/documents/frontpage/Use_of_Internet_for_Terrorist_Purposes.pdf
89. See Testimony of Jim Gilmore.
90. See Embar-Seddon, “Cyberterrorism,” pp. 1038–1039.
91. “Al Qaeda Poses Threat to the Net.” Computerworld, November 25, 2002.
92. “Cyber-Attacks by Al Qaeda Feared.” Washington Post, June 27, 2002.
93. Ibid.
94. Summarized from Public Broadcasting Station interviews, April 24, 2003. See www.pbs.org/wgbh/pages/frontline/shows/cyberwar/interviews/
95. Ibid., p. 60.
96. Ibid.
97. Sanger, David E., and Shanker, Thom. (2013). “Obama to Hold Cyberauthority.” The New York Times.
98. Ibid.
99. Giles, Keir. (2011). Information Troop—a Russian Cyber Command? Oxford University, UK: Conflict Studies Research Center.
100. Ibid.
101. Thomas, Timothy L. (2004). Comparing US, Russian, and Chinese Information Operations Concepts. Fort Leavenworth, KS: Foreign Military Studies Office.
102. Hildreth, S. (2001). “Cyberwarfare.” In J. Blane (ed.), Cyberwarfare: Terror at a Click. Huntington, NY: Novinka Books, p. 14.
103. See Jones, Kovacich, and Luzwick, Global Information Warfare, p. 221.
104. Leyden, John. (2011). Hidden Dragon: The Chinese Cyber Menace — Any Decent Government Does Industrial Espionage. The Register. See: http://www.theregister.co.uk/2011/12/24/china_cybercrime_underground_analysis/
105. “Is China Ground Zero for Hackers?” ZDNET, August 28, 2001. See http://zdnet.com.com/2100-1107-504010.html
106. Ibid., p. 33.
107. Krebs, Brian. (2009). “Report: China, Russia Top Sources of Power Grid Probes.” The Washington Post. Retrieved May 1, 2009, from http://voices.washingtonpost.com/securityfix/2009/04/report_china_russia_top_source.html
108. See Institute for Security Technology Studies, p. 8.
109. Mandiant. (2013). APT1: Exposing One of China’s Cyber Espionage Units. Alexandria, VA: Mandiant. For more information regarding Mandiant, refer to its Web site at: www.mandiant.com
110. Ibid.