Combating Enemies Online
By: James Jay Carafano and Richard Weitz
The Heritage Foundation | Tuesday, February 12, 2008
before the terrorist attacks of September 11, 2001, security experts
were becoming increasingly concerned about the vulnerability of U.S.
computer systems and associated infrastructure. The 9/11 attacks
amplified these concerns.
Less attention, however, has been paid
to state sponsors of illicit computer activity, which are increasingly
using the Internet to conduct espionage, deny services to domestic and
foreign audiences, and influence global opinion. In addition,
insufficient focus has been given to how terrorists exploit the
Internet as a tool for recruiting, fund raising, propaganda, and
intelligence collection and use it to plan, coordinate, and control
terrorist operations. Combating these malicious activities on the
Internet will require the cooperation of federal entities, as well as
friendly and allied countries and the private sector.
cyber initiatives show promise, but a more concerted national effort is
required, particularly in acquiring commercial capabilities and
services, managing military intelligence and information technology
programs, and developing a corps of professional national security
In recent years,
government and private information networks have increasingly come
under attack from a variety of state-sponsored and non-state actors.
A widely publicized cyber assault against Estonia in 2007 increased
suspicions that adversarial states are using online malicious activity
as a tool of national policy. The assault disrupted public and private
Estonian information networks with massive denial-of-service attacks.
Recent revelations of Chinese cyber-espionage activities against
sensitive information networks in the United States, Germany, and other
countries have further heightened concerns that the World Wide Web is
becoming just another battlefield.
Estonia attacks targeted the Web sites of banks, telecommunication
companies, media outlets, and government agencies, eventually forcing
the country to block all foreign Internet traffic.
Many Web sites were shut down by denial-of-service attacks, in which
the attacker uses thousands of hijacked computers to bombard a Web site
with useless information until it is overloaded. For one bank,
disruptions in cyberspace resulted in material losses of over $1
million after it was forced to shut down online services. At one point, telephone service for fire and rescue units was suspended for over an hour.
defense minister described the attacks as "a national security
situation.... It can effectively be compared to when your ports are
shut to the sea." The Estonia attacks vividly testify to the disruptive power of a coordinated cyber offensive.
intentions also give cause for concern. Senior defense analysts believe
that China has undertaken a sustained effort to develop information
warfare capabilities to achieve "electromagnetic dominance" over the
United States and other potential competitors.
Security experts believe that the Chinese government orchestrated a
sophisticated cyber-espionage effort known as Titan Rain, which
downloaded information from hundreds of unclassified defense and
government information systems are attacked every day from sources
within the country and around the world. Some of these intrusions have
been extremely serious, compromising security and costing millions of
dollars. Penetration of computer networks at the National Defense
University proved so pervasive that the university was forced to take
the entire computer network offline and install new information system
In 2007, Der Spiegel alleged that Chinese
programmers had placed spy software on computers at the Foreign,
Economics, and Research and Development Ministries as well as on
computers used by the Chancellery office.
Such Trojan horse programs can capture data from host computers and
transmit the information to external users. The immense scale of the
Internet espionage operations suggests that they could not have
occurred without the knowledge and at least the tacit support of an
official Chinese entity.
Shortly after the Spiegel
article was published, officials in Britain, France, the United States,
and other countries indicated that they had found similar evidence of
Chinese cyber-espionage campaigns.
This evidence includes media reports of cyber penetration of the U.S.
Department of Homeland Security (DHS) and U.S. Department of Defense
from Chinese-language Web sites.
concern is the surety of original software and computer components. In
two recent reports, the Defense Science Board has warned about the
potential vulnerability to intrusion, malicious activity, and
exploitation via malicious software and semiconductor components.
Non-State Threats. Analysts have also documented a steady increase in terrorists' use of the Internet. In addition, transnational criminal organizations routinely conduct cyber operations, including identity theft and fraud.
Internet Exploitation. One comprehensive survey has identified specific ways that terrorists employ the Internet. They use the Internet to:
- Wage psychological warfare by spreading disinformation,
delivering threats to instill fear and helplessness, and disseminating
horrific images. For example, the grisly murder of Daniel Pearl was
videotaped by his captors and posted on several terrorist Web sites.
- Create publicity and spread propaganda.
- Gather intelligence.
Details about potential targets-- such as transportation facilities,
nuclear power plants, public buildings, ports, and airports-- and even
counterterrorism measures are available online. For example, the DHS
maintains a password-protected online site called Tripwire, which
provides information on how to counter improvised explosive devices
- Fundraise. Many Islamic charitable organizations allow users to make a zakat
contribution online. Some terrorist organizations use front companies
and charitable organizations under their control to receive such
- Recruit and mobilize supporters through chat rooms, cybercafés, and bulletin boards.
- Communicate and coordinate with operatives and supporters. Two terrorist cells in Florida and Canada, which were recently disrupted, passed messages via the Internet.
- Share information, such as how to manufacture and use weapons, including bomb-making techniques.
- Plan attacks.To
preserve their anonymity, the 9/11 attackers used the public Internet
services and sent messages via free Web-based e-mail accounts.
and other transnational terrorist networks rely heavily on the
Internet to communicate with dispersed operatives. The organization's
messages appear on approximately 6,000 Web sites.
As-Sahab Institute, al-Qaeda's media component, has released a slew of
videos--about one every three days since the beginning of
2007--featuring Osama bin Laden and other terrorist leaders. Observers
have been impressed by both the quantity of these releases and the
institute's use of the latest commercial computer software and
hardware in producing and distributing them.
The Internet offers terrorists certain advantages over more traditional means of communication and operation:
- Easy access,
- Little government control,
- Potentially enormous domestic and foreign audiences,
- Anonymous communications,
- Rapid information exchanges,
- Low cost,
- Multimedia platforms, and
- The ability to influence other mass media that rely on the Internet for stories.
Internet also gives terrorists tremendous operational flexibility. When
extremist Web sites have been identified, hacked, or shut down by
Internet service providers (ISPs), the terrorists have turned to chat
rooms and message boards for communication. Their Web sites commonly
disappear from and return to the Web. Al-Qaeda operatives post their
messages and videos on Islamist forums.
Non-State Cyber Attacks.
Islamist hackers have promoted the tactic of "electronic jihad,"
attacking "enemy" Web sites to harm the enemy's morale and economic and
military infrastructure. Many Islamist Web sites host forums that
discuss how to conduct such Web-based offensives.
The Web is a target-rich environment. The Department of Defense alone
has 3.5 million computers and 35 internal networks located in 65
countries, many of which depend on commercial systems.
Propaganda and Fundraising.
One of the most troubling developments has been the use of the
Internet by Sunni insurgent groups in Iraq. These groups use the Web
to conduct media campaigns by distributing videos, online magazines,
blogs, video clips, full-length films, and online television programs.
According at an authoritative study by Radio Free Europe/Radio
Liberty's Arabic Language Service:
products are] undermining the authority of the Iraqi government,
demonizing coalition forces, fomenting sectarian strife, glorifying
terrorism, and perpetrating falsehoods that obscure accounts of
responsible journalists. Insurgent media seek to create an alternate
reality to win hearts and minds, and they are having a considerable
degree of success.
products are designed primarily for political activists who are native
Arabic speakers and have high-speed Internet connections. The majority
of downloads are in the Middle East but outside of Iraq. Insurgent
media appear to be most effective in fundraising and influencing
"opinion makers," and secondarily as a source of recruiting.
over 1 billion users on the Internet include threats to American
security. Efforts to combat them have been increased as the danger has
Federal Programs. The U.S. government took some
measures before 9/11 to enhance cybersecurity and its capacity to
combat malicious activity on the Web, including a 1987 requirement that
government personnel protect their computer data and formulation of
the first national cybersecurity strategy in 2000. However, strong
resistance from civil liberties and privacy groups as well as anemic
funding from Congress prevented the establishment of a planned
government network to detect intrusions.
After the 9/11 attacks,
Washington took additional steps to improve the safety and security of
its online information. In 2002, Congress enacted the Federal
Information Security Management Act 2002, which requires agencies to
develop policies and standards to protect the integrity,
confidentiality, and availability of Internet-based information. In
February 2003, the Administration released the National Strategy to Secure Cyberspace.
In 2003, DHS, in cooperation with Carnegie Mellon University, created
a computer emergency response team (CERT) to coordinate emergency
efforts and established an alert system for cyber threats. The US-CERT
has also sought to facilitate public-private cybersecurity
partnerships, notably by sponsoring the National Cyber Security Summit
in December 2003.7 Today, most responsibility falls under the National
Cyber Security Division.
Intelligence Operations. The
intelligence community maintains a clandestine technical collection
program. Although few operational details are publicly available,
intelligence agencies are widely believed to have some capability to
penetrate computer systems used by transnational terrorist networks.
These efforts include passively intercepting communications to identify
cells and determine their activities. Presumably, the intelligence
community also has the capacity to disrupt terrorist operations by,
for example, denying services, hacking computer programs, and altering
More is publicly known about the
intelligence community's defensive capabilities. Strengthening
cybersecurity has been a key objective of the Information Sharing
Environment (ISE), a collection of policies, procedures, and
technologies that permit the exchange of terrorism information,
including intelligence and law enforcement data. The ISE aims to
promote a culture of data sharing among its participants to ensure
that information is readily available to support their missions. The
ISE connects federal, state, local, and tribal governments. It also
envisions a critical role for private-sector and foreign actors in
sharing information to counter terrorist threats.
The military increasingly envisions cyberspace as a theater of
operations. Defense operations range from field activities to strategic
campaigns. For example, U.S. forces in Iraq have undertaken operations
to suppress insurgent propaganda networks that use the Internet
against coalition forces.
the national level, the U.S. Strategic Command (STRATCOM) has played a
role in global cyber operations since its creation in 1992. STRATCOM's
Joint Functional Component Command for Network Warfare was established
in 2005 and is responsible for working with federal agencies on
computer network defense and for planning offensive information
warfare. The Director of the Defense Information Systems Agency also
heads a Joint Task Force for Global Network Operations.
military services, particularly the Air Force, have demonstrated an
increased interest in cyber operations. The Air Force recently
announced the creation of a Cyberspace Command on par with other Air
Force major commands to develop information warfare capabilities and
Lieutenant General Robert Elder, Commander of the 8th Air Force, is
helping to set up the new command. He has emphasized the need to
"ratchet up our capability" in cyberspace to challenge China's emphasis
on information warfare.
military emphasis on cyberspace does not necessarily translate into
protection against the kinds of disruptions experienced in Estonia. The
Defense Department's policy on cyberwarfare specifically emphasizes
protecting the military information network and developing offensive
cyberwar capabilities against potential adversaries.
The attacks against Estonia, a NATO member, have reenergized
multinational cyber defense efforts. NATO information specialists
have traditionally concentrated on protecting the alliance's own
networks, especially those that might support collective military
operations. The Estonia incident led NATO to deploy some of its
information specialists to provide immediate assistance.
Estonian CERT was effective in reducing the level of disruption caused
by the attacks. By coordinating the work of foreign Internet service
providers, local law enforcement, and network managers across the
country, the CERT ensured that Estonia's information infrastructure
responded in a coordinated manner. Without an empowered and properly
funded CERT, the cyber attacks could have lasted much longer and been
Estonia's cyber disruption highlighted the need to clarify both
international and domestic responses to malicious cyber activities.
Member governments are currently studying the question of precisely
which conditions would cause such attacks to fall within the alliance's
definition of self-defense, requiring a collective NATO response under
Article 5 of the North Atlantic Treaty.
is not the only organization demonstrating renewed interest in
combating cyber threats. The United Nations, the Council of Europe, the
Shanghai Cooperation Organization, and other international bodies have
initiated programs aimed at countering information attacks through the
Internet, including attacks by terrorist groups.
In 2003, the White House issued Homeland Security Presidential
Directive 7, which emphasized that "critical infrastructure and key
resources provide the essential services that underpin American
The directive resulted in development of the National Infrastructure
Protection Plan (NIPP), which was released in 2006. The NIPP details
cooperative strategies for public-sector and private-sector
information sharing and network protection.
NIPP relies on several institutions, particularly Information Sharing
and Analysis Centers (ISACs), to facilitate the exchange of information
with critical business sectors, such as financial institutions and
energy companies. ISACs are established and funded by the private
sector, and the data handled by ISACs are provided largely by
private-sector participants. ISACs also receive information from other
entities, including law enforcement agencies and security associations.
In addition to the ISACs, critical business sectors have Sector
Coordinating Councils that develop policy recommendations in
coordination with government agencies. The NIPP and its associated centers provide the backbone of the DHS cyber effort.
addition to the strategies outlined by the NIPP, information sharing
between government and the private sector receives considerable support
from InfraGard, a program established by the FBI in 1996.
Originally developed to assist cybercrime investigations, InfraGard
facilitates collaboration with law enforcement, business, and academia
on a range of security-related issues. InfraGard chapters facilitate
information collection, analysis, and training and provide discussion
forums to share best practices. InfraGard also provides a secure
Web-based communications platform.
Private-sector companies, universities, research centers, and
nongovernmental groups have developed capabilities to combat malicious
cyber activities and to investigate or disrupt terrorist operations on
the Internet. Perhaps the best-known of these groups is the Internet
Security Alliance, a collaboration between the Electronic Industries
Alliance, a federation of trade associations, and Carnegie Mellon
University's CyLab. It was established to provide a forum for
information sharing and to generate suggestions for strengthening
Many other organizations and
private-sector companies support America's cyber defenses. The
University of Arizona has conducted a multi-year project called Dark
Web, which attempts to monitor how terrorists use the Internet. The
university's Artificial Intelligence Lab has accumulated the world's
most extensive database of terrorist-related Web sites--over 500
million pages of messages, images, and videos--and has made it
available to the U.S. military and intelligence communities. Some of
its sophisticated software exposes social linkages among radical groups
and seeks to identify and track individual authors by analyzing their
writing styles. This knowledge enables researchers to assess which
people are most susceptible to radicalization and which terrorist
recruitment messages are most effective. The university recently
received a $1.5 million federal grant to concentrate on how extremists
use the Internet to teach terrorists how to construct IEDs.
Middle East Media Research Institute (MEMRI) publicizes extremist
messages on the Internet, including terrorist Web sites, discussion
forums, and blogs. After MEMRI published a comprehensive survey of
Islamist Web sites in 2004, many them were closed down by their hosting
After 9/11, the U.S. Military Academy at West Point established a Combating Terrorism Center. Among the center's studies, The Islamic Imagery Project: Visual Motifs in Jihadi Internet Propaganda provides a ready guide to commonly used terrorist graphics, symbols, icons, and photographs.
addition to these efforts, nongovernmental organizations and private
companies provide a variety of analytical and investigative tools for
penetrating terrorist operations on the Internet. For example, the
Washington-based SITE Intelligence Group routinely monitors,
translates, and posts information from terrorist Web sites and often
shares that information with U.S. intelligence agencies.
software and hardware providers continue to respond to the needs of
the marketplace with new services and products to counter illicit
online activity, from combating unauthorized intrusions and countering
denial-of-service attacks to preventing the disruption or exploitation
of systems or data. Providing security services and products is a
Reinforcing the Cyber Arsenal
war is raging on the Internet--a contest of action and counteraction
between legitimate users and malicious actors that range from
state-sponsored hackers to terrorists and transnational criminals.
However, the perception that the United States is defenseless in the
face of illicit exploitation of computer networks is far from accurate.
Both the government and the private sector possess significant
Nevertheless, there is little room for
complacency. New computer advances create new vulnerabilities. The
surety of information systems and the capacity to deter, disrupt, or
exploit malicious Internet activity will require developing
capabilities proactively and responding in a timely manner to emerging
Washington is struggling "with understanding and
harnessing information technologies and the prospects for
cyber-warfare, but these challenges may represent merely the dawn of an
age in which military competition is defined by commercial research and
development and consumer choice." The federal government is a fairly minor customer in the multitrillion-dollar transnational information industry.
initiatives that will likely best serve the United States and its
friends and allies in the cyber conflicts of the 21st century will be
those derived from the private-sector experience, coupled with emerging
military and intelligence capabilities to conduct information warfare
and law enforcement measures to combat cybercrime. What is required is
a national framework that builds on these capabilities, encouraging
them to collaborate and reinforce one another. They should form the
cornerstone of smart strategies for fighting and winning against the
cyber threats of the future.
Several principles for cyber security and competition should guide U.S. efforts. Specifically, the U.S. should:
- Adopt best practices.
Both government agencies, such as the National Institute for Standards
and Technology, and the private sector should continue to develop best
practices and lessons learned.
These can be effective tools. Ensuring that these practices are
continuously updated and applied should be government's first priority.
Only programs that establish clear tasks, conditions, and standards
and that ensure rigorous application will keep up with determined and
willful efforts to overcome surety efforts.
- Employ risk-based approaches.
All information programs should include assessments of criticality,
threat, and vulnerability as well as measures to reduce risks
efficiently and effectively.
- Foster teamwork.
Cybersecurity is a national responsibility that requires global
cooperation. The United States must maintain effective bilateral and
multinational partnerships to combat cyber threats.
These efforts should include rigorous measures to prevent the export
of sensitive technologies to malicious actors, as well as persistent
vigilance to ensure that adversarial states and transnational terrorist
and criminal groups do not penetrate U.S. companies that provide
essential national capabilities and sensitive national security
- Exploit emergent private-sector capabilities. Critical capabilities could come from many sources, including small companies and foreign countries. The U.S. government needs to become a more agile consumer of cutting-edge commercial capabilities.
on professional development. Most government information programs
underperform because they lack clear requirements, have unrealistic
projections of the resources required to implement them, and lack
attentive senior leadership. All of these problems can be addressed by
maintaining a corps of experienced, dedicated service professionals.
National security professionals must have "familiarity with a number of
diverse security-related disciplines...and practice in interagency
operations, working with different government agencies, the private
sector, and international partners." These skills and attributes must include expertise in cyber operations, as well as in developing and managing new systems.
can do better in preparing to respond to current and future cyber
threats. Long-term commitment and sound initiatives are needed, not
massive reorganization and massive infusions of government cash. These
initiatives should push for better and faster acquisition of commercial
services; better and smarter management of military, intelligence, and
information technology programs; and better and sustained professional
development of federal, state, local, and private-sector leaders.
needs to accept that cyberwar will be an enduring feature of the long
war on terrorism--perhaps continuing even after the "long war" is won.
Thus, Washington should:
- Fund cyber initiatives for the long term.
In the past, funding and attention from Congress and the Administration
have come in "fits and starts." This practice is counterproductive and
should be ended. For example, DHS programs should be funded
consistently at about $1 billion annually in constant dollars. In
particular, Einstein, a system that monitors network gateways for
computer viruses and other malicious computer activity, should be
fully funded. Additionally, the budgets of the Departments of Defense,
Justice, and State and the intelligence community should adequately
reflect their cyber missions, including protecting U.S. infrastructure,
fighting cybercrime and network intrusions, and combating
international espionage, sabotage, and disinformation activities.
- Implement the Defense Science Board's recommendations for improving the surety of critical software and microchip components.
These recommendations include enhancing education and training for the
acquisition community on cyber issues, ensuring robust resources for
conducting risk assessments and assurance programs for mission-critical
systems, improving the quality and surety of Defense Department
software, and conducting advanced research on vulnerability detection
and mitigation for software and hardware.
- Continue to emphasize the information-sharing environment,
as well as various programs under the National Infrastructure
Protection Plan that promote effective public-private cooperation on
The Way Forward
There are no
silver bullets to ensure that Americans can roam the information
superhighway freely and safely in the 21st century. Nor are there any
guarantees that malicious actors can be kept on the sidelines. On the
other hand, consistent, adequately funded programs should give
Americans the confidence that they can outcompete any adversary in the
Peter Finn, "Cyber Assaults on Estonia Typify a New Battle Tactic," The Washington Post, May 19, 2007, p. A1, at www.washingtonpost.com/wp-dyn/content/article/2007/05/18/AR2007051802122.html (January 31, 2008), and Ian Traynor, "Russia Accused of Unleashing Cyberwar to Disable Estonia," The Guardian, May 17, 2007, at www.guardian.co.uk/russia/article/0,,2081438,00.html (January 29, 2008).
Landler and Markoff, "Digital Fears Emerge After Data Siege in Estonia."
"US and China Leaders Thursday Add Cyber Warfare to Agenda Including Trade and Global Warming," San Francisco Sentinel, September 5, 2007, at www.sanfranciscosentinel.com/?p=4759 (January 29, 2008).
"General: China Taking on U.S. in Cyber Arms Race," CNN, June 13, 2007.
Clay Wilson, "Information Operations and Cyberwar: Capabilities and Related Policy Issues," Congressional Research Service Report for Congress, updated September 14, 2006, at www.fas.org/irp/crs/RL31787.pdf (January 29, 2008).
Jim Michaels, "NATO to Study Defense Against Cyberattacks," USA Today, June 15, 2007.
Greg Jaffe, "Gates Urges NATO Ministers to Defend Against Cyber Attacks," The Wall Street Journal, June 15, 2007.
ISACs exist for 14 types of critical infrastructures. For a current
assessment of their effectiveness, see Eileen R. Larence and David A.
Powner, "Critical Infrastructure: Challenges Remain in Protecting Key
Sectors," GAO-07-626T, testimony before the Subcommittee on Homeland
Security, Committee on Appropriations, U.S. House of Representatives,
March 20, 2007, at www.gao.gov/new.items/d07626t.pdf (January 29, 2008).
U.S. Department of Homeland Security, National Infrastructure Protection Plan.
Boccara, "Islamist Websites and Their Hosts Part I: Islamist Terror
Organizations," Middle East Media Research Institute Special Report No. 31, July 16, 2004, at http://memri.org/bin/articles.cgi?Page=archives&Area=sr&ID=SR3104 (January
29, 2008), and Marie-Hélène Boccara and Alex Greenberg, "Islamist
Websites and Their Hosts Part II: Clerics," Middle East Media Research
Institute Special Report No. 35, November 11, 2004, at http://memri.org/bin/articles.cgi?Page=archives&Area=sr&ID=SR3504 (January 29, 2008).
U.S. Military Academy, Department of Social Science, Combating Terrorism Center, The Islamic Imagery Project: Visual Motifs in Jihadi Internet Propaganda, March 2006, at http://ctc.usma.edu/imagery/imagery.asp (January 29, 2008).
For example, see Mark A. Sauter and James Jay Carafano, Homeland Security: A Complete Guide to Understanding, Preventing and Surviving Terrorism (New York: McGraw-Hill, 2005), pp. 200-202.
We have implemented a new commenting system. To use it you must login/register with disqus. Registering is simple and can be done while posting this comment itself. Please contact gzenone [at] horowitzfreedomcenter.org if you have any difficulties.
blog comments powered by