Summary: Cybersecurity expert Emilio Iasiello contrasts the warnings that flood the news about cyberthreats with their mundane reality. {First of two posts today.}
Everything’s “Big” When It Comes To Cyberterrorism. It Shouldn’t Be.
By Emilio Iasiello from DarkMatters, 2 December 2015
Posted with his gracious permission.
In the aftermath of the Paris terrorist attacks, there has been increased scrutiny as to how these individuals successfully pulled off coordinated attacks without intelligence and security services picking up some indications of an impending operation. One U.S. lawmaker maintains that there are strong indicators that the suspected terrorists used encryption in order to circumvent monitoring. The implication is clear: authorities need the ability to be able to access encrypted communications in order to be able to gain advanced warning to prevent these types of attacks.
Encryption debate
While the terrorist attacks have encouraged some intelligence and security officials to start up the encryption debate once again, there is some indication that the ISIS actors were communicating in the open, and even the data on their smartphones was not encrypted. According to one French news source, police were able to track the phone’s movements and retrieve such information as SMS messaging and a detailed map of the concert hall attack site via a phone belonging to one of the terrorists.
Additionally, features of a thwarted ISIS plot in Belgium revealed that while the suspected mastermind of the Paris attacks, Abdelhamid Abaaoud, typically sidestepped surveillance, he did not leverage encryption technology. Shortly after the attack, a leading U.S. newspaper retracted an article in which it had originally cited that the terrorists had used encryption technology, after it could not be confirmed.
ISIS attacks
The discrepancies in the narrative of the ISIS attacks have led several to conclude that intelligence and security officials are taking advantage of what happened in Paris to advocate their position of requiring companies to install backdoors that they could access with a warrant. And while there is legitimate concern that even if encryption wasn’t used to support the Paris attacks, that terrorists could leverage encryption technologies in future operations.
Stories about potential use of other advanced technologies such as PlayStation 4, the Darkweb, and alternative types of privacy and security applications and services, have since surfaced indicating that the adoption of such practices may become more common.
The “Number one threat”
While terrorist activities remain a very significant concern, there is a tendency to assign hyperbolic language to all facets of terrorist activities in cyberspace. In this instance, the U.S. House of Representatives Homeland Security chairman identified terrorist use of encrypted communications as “the biggest threat” today. The content of such communications can certainly contain critical information about potential terrorist operational planning, however, the use of encryption in and of itself, does not constitute a threat.
Moreover, this new determination overshadows remarks from the national counterintelligence executive that identified a cyberattack against critical infrastructure by terrorist groups, foreign intelligence, and criminals as the number one threat.
Cyberterrorism
This is not to take away from the validity of each; only to point out that any activities ascribed to cyberterrorism is immediately raised to the apex of security concerns, regardless, if they are warranted or not. Over sensationalizing terrorist activity in cyberspace potentially creates a “sky is falling” paranoia that ultimately risks public desensitization when these extraordinary acts of cyber malfeasance do not materialize. Not understanding the threat, chances mischaracterizing it—thereby impacting strategic mitigation planning.
Much of what is known about terrorist use of the Internet has been to support their organizations—not so much to carry out actual cyberattacks that inflict real world damage. What’s more, propaganda and recruitment have, in and of themselves, proven potent factors in influencing a global audience of lone wolves to carry out some of the more violent and catastrophic events. The continued success of real world operations may keep ISIS and groups like them focused in the physical world.
Questions about scenarios
While envisioning cyber “worst case” scenarios can aid in risk management, they are better used as measurement milestones to capture significant changes in an actor’s cyber capabilities, which can update contingency planning.
Can groups like ISIS carry out a successful attack against an important critical information infrastructure? Do they have the capability? And if so, why isn’t that happening? And if they don’t have the necessary skills, how long will it take for them to obtain these skills? And once obtained, when will they be operationalized, and what are the types of precursor events likely to influence their use? Trying to answer these types of questions will better inform decision makers who must develop strategies to properly allocate budget, personnel, and material resources to counter these activities.
The views and opinions reflected in this article are my own and do not represent Norse’s positions or strategies.
————————————————–
About the Author
Emilio Iasiello has more than 12 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as a private sector companies. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in peer-reviewed journals.
See his other articles on the Dark Matters website. He now posts at Dead Drop (of LookingGlass Cyber Threat Intelligence Group).
For More Information
One of an almost endless series of warnings about cyberthreats: “A former CIA chief says other governments could launch crippling computer attacks on the US“, Business Insider, 19 May 2015.
If you liked this post, like us on Facebook and follow us on Twitter. See all posts about Cyber-espionage and Cyber-war! — especially this series about Parsing Cyberwar by Marcus Ranum…
- The Battlefield.
- The Logistical Train.
- Synergies and Interference.
- The Best Defense is a Good Defense.
Any discussion of “cyberterrorism” or “cyber attacks” by government types almost immediately descends into pure FUD. Fear, uncertainty, and doubt (one of my favorite tech phrases, courtesy of the great Gene Amdahl). Like that garbage book that Ted Koppel wrote recently about infrastructure cyberattacks, “Lights Out.” He never actually interviewed *anyone* from the security community that actively performs tests and simulated attacks against SCADA and infrastructure control systems.
The encryption debate is a whole other matter. Besides the FUD, the forces like the FBI calling for backdoors, key escrow, and other ways for them to undermine encryption don’t really seem to have thought this all out very well.
The key escrow route (the gov having copies of every crypto key) would be a logistical and technical nightmare to manage. Not to mention the government’s already poor reputation for protecting information.
Using deliberately weak crypto or backdoored crypto is idiotic: any backdoor the FBI can use, a hacker could use too.
And the other thing they haven’t thought out: if the US is going to force tech companies to give them backdoors, then what stops Russia, Iran, China, etc. from asking the same?
ch1kpee,
“Any discussion of “cyberterrorism” or “cyber attacks” by government types almost immediately descends into pure FUD”
I disagree. Govt types speak of cyberterrism with fear, but little uncertainty or doubt.
“Besides the FUD, the forces like the FBI calling for backdoors, key escrow, and other ways for them to undermine encryption don’t really seem to have thought this all out very well.”
I doubt that. Considering how well they’ve increased their funding and power — despite the massive uproar over the Snowden revelations — I suggest awe at their skill is more appropriate.
the “UD” in FUD refers not to the speaker who is making this type of argument, but to how the speaker wants their audience to feel about the thing they’re trying to talk their audience out of. In this case, threat of terrorism -> opposition to widespread availability and use of information security tools.
On the last point, regarding US / Russia / China all requiring backdoors … The funny thing is that international tech businesses will probably just sell the exact same backdoor to all three.
I’ve tried to find the hidden angle that the FBI, NSA, and others are going for…how they’re going to feasibly get universal eavesdropping on encrypted comms without greatly increasing our “attack surface” or a flood of “me too” requests for escrow/backdoors from nations we aren’t exactly friendly with. And even others in the security and tech industry have scratched their heads on this. Best we can come up with is: “Yes, their leadership is that ignorant of how this technology works in the real world and perhaps the technically-skilled underlings are too meek to speak up and tell them so.”
ch1kpee,
A standard criticism of DoD is that their leaders are ignorant and or foolish. Much like the criticism of banks’ leaders and our major politican.
While their critiques in the Outer Party give these insights, these institutions grow larger and more powerful, and their leaders grow rich. Perhaps you are evaluating them by the wrong standards.
Pingback: Lifeboat News: The Blog
Pingback: Cyber Espionage Terrorism War Archive | Internet Crime Fighters Organization