«Workshop held 9-10 January 2008 in Arlington, VA Prepared for US Strategic Command Global Innovation and Strategy Center (USSTRATCOM/GISC) Prepared ...»
A final category of interaction that is germane to this discussion is the corporeal-cyber connection, which represents actions originating in the corporeal realm that affect the cyber infrastructure. Table 1 provides examples of recent actions from each of these categories.
Table 1: Examples of recent actions of VNSAs via cyber-psychological, cybercyber, cyber-corporeal, and corporeal-cyber means (Asal et al, 2008).
Deterring VNSA in Cyberspace This chapter focuses on the cyber-psychological and cyber-corporeal connections, and the following sections further elaborate on the use of cyberspace by VNSA to disseminate propaganda, recruit members, create publicity, collect and share data, network, plan, coordinate, raise funds, and wage psychological warfare (Weimann, 2004).
Terrorists wage psychological warfare in cyberspace by spreading disinformation, delivering threats, and posting horrific images of violence, such as the video of the brutal murder of kidnapped American journalist Daniel Pearl that was posted on several terrorist websites. This type of warfare can generate fear in both cyber and corporeal spaces. “Cyberfear” (Weimann,
2004) surrounds the concern over what an attack on computer infrastructures can do, such as the denial-of-service attacks on Estonia in April of 2007 that forced Internet security experts to cut off all Internet access in the country (Kirk, 2007). Threats originating in cyberspace can have a very real effect in the corporeal world as well. Since the attacks on Sept. 11, 2001, Al Qaeda has been using the Internet to create and fuel a “widespread sense of dread and insecurity throughout the world and especially in the United States” by posting announcements on their websites that allude to plans for another “large-scale attack” on the US (Weimann, 2004).
Publicity, Propaganda, and Recruitment
Before the Internet, the only means of generating publicity and disseminating information to a large audience was through traditional outlets such as television, radio, and print media, forums which have little interest in furthering the cause of known terrorists. The Internet provides these groups with unlimited time and freedom to express their ideologies as they choose, in the process shaping how the world sees them and their enemies (Weimann, 2004). According to the Weimann report (Weimann, 2004), most terrorist sites do not celebrate their group’s violent actions. Instead, the majority call attention to restrictions they feel have been placed on their freedom of expression, and invoke sympathy for comrades that are political prisoners or who have sacrificed their lives for the cause (Weimann, 2004). It is theorized that this methodology is tuned to resonate with Western audiences, who “cherish freedom of expression and frown on measures to silence political opposition” (Weimann, 2004). The majority of sites also attempt to justify their use of violence by claiming that a weak, oppressed organization, such as theirs, has no other recourse but to turn to violence. They also tend to refer to themselves as “freedom fighters,” and couch their ideologies and methods as a means of “regain[ing] the dignity of their people” from the oppressors (Weimann, 2004). Through the use of persuasive audio/video media items, the groups seek to recruit supporters, and they will troll online chat rooms and cybercafés looking for interested parties who might be willing to take a more active role in the organization.
Data Collection and Sharing
According to former Secretary of Defense Donald Rumsfeld, “an Al Qaeda training manual recovered in Afghanistan tells its readers [that by] using public sources openly and without resorting to illegal means, it is possible to gather at least 80 percent of all the information required about the enemy” (Weimann, 2004). This statement speaks to the potentially key role cyberspace plays in the investigation of targets and planning of attacks by terrorists. Information Deterring VNSA in Cyberspace about nuclear power plants, public buildings, and airports is easily accessible on the Internet, and with programs such as GoogleEarth, high definition reconnaissance images can be viewed from any computer. In terms of the technical knowledge required to create a chemical or explosive weapon, the Internet contains dozens of sites that provide homemade “recipes” for such devices, in addition to the more well-known manuals such as The Terrorist’s Handbook and The Anarchist Cookbook (Weimann, 2004).
Networking, Planning, and Coordination
Terrorist networks are becoming increasingly decentralized, and are now primarily composed of semi-independent cells that have little discernable hierarchy. The Internet provides the means by which these loosely connected groups can communicate quickly, cheaply, and anonymously, and thus it is used heavily to plan attacks. For example, the Al Qaeda members responsible for 9/11 communicated with each other via thousands of encrypted messages posted in a password protected area of a website. These messages were recovered from the computer of Abu Zubaydah, the alleged mastermind of the attacks. The operatives maintained their Internet anonymity by using public Internet cafes and e-mail sources. Steganography, an encryption method that hides messages inside graphics files, is also used to disguise instructions involving maps, photographs, directions, and technical documents (Weimann, 2004).
VNSA groups use the Internet to generate funds through legal and illegal means. Frequently they will ask for donations directly from their websites or offer an online store that sells items such as books, T-shirts, and bumper stickers supporting their causes (Conway, 2006).
Exploitation of charities is another common fundraising scheme. In several instances, fake charities have been established that purport to represent a humanitarian cause, when in reality they are fronts that funnel the donated money to terrorist organizations. In December 2001, the US government seized the assets of a Texas based charity called the Holy Land Foundation for Relief and Development when it was discovered that its funds were being diverted to Hamas (Weimann, 2004). The government also froze the assets of the Benevolence International Foundation, the Global Relief Foundation, and the Al-Haramain Foundation, three sham charities that had funneled money to Al Qaeda (Weimann, 2004).
According to Weimann, a great deal of attention has been paid to the “exaggerated threat of cyberterrorism,” overlooking “the more routine uses of the Internet” by violent non-state actor groups. He asserts that “it is imperative that security agencies continue to improve their ability to study and monitor terrorist activities on the Internet and explore measures to limit the usability of this medium by modern terrorists.” The modeling techniques discussed below attempt to address these issues by creating a picture of the emergent behavior of violent non-state actors in cyberspace through the use of state-of-the-art data collection, data analysis, and predictive modeling techniques.
Overview: Data Collection, Data Analysis, and Predictive Modeling The daunting task of modeling the emergent behavior of violent non-state actors in cyberspace requires a massive, multidisciplinary effort that combines technology and perspectives from the Deterring VNSA in Cyberspace fields of data collection, data mining and analysis, and predictive modeling. Each approach contributes a piece to the puzzle, and the integration of these techniques creates a cohesive approach to the problem. Figure 2 illustrates the relationships among these components and their place in the sequence of the overarching modeling process.
Figure 2: The integration of data collection, data analysis, and predictive modeling techniques creates a cohesive approach to the problem of modeling the emergent behavior of VNSAs in cyberspace (Asal et al, 2008).
Automated data collection techniques address the technical issues of extracting meaningful, relevant, usable information from the seemingly limitless datasets that constitute the cyberspace.
The methodology must be able to locate a “needle-in-a-haystack”, since the activity is often intentionally obscured, scattered across many sites, and frequently moved or removed. However, without the kind of content-rich datasets that automated data collection techniques can provide, modeling is cumbersome and time-consuming, if not infeasible.
Once a raw dataset is available, data mining and analysis techniques can be applied with the goal of extracting usable knowledge from the data. The results of these analyses often generate the datasets that inform predictive models. The field has been heavily researched, and consequently there are many types of data mining and analysis techniques well-suited to counter-terrorism applications and numerous studies have been conducted to evaluate their effectiveness. Some of the techniques discussed in this chapter include link and social network analysis, automated classification of Web content by machine learning techniques, and a qualitative assessment of the technical sophistication, Web interactivity, and content-richness of terrorist sites on the Internet.
Deterring VNSA in Cyberspace Predictive modeling is the final piece of the puzzle. Modeling techniques rely on the knowledge extracted by data mining techniques to identify discernible patterns of behavior that have the potential to assist analysts with situational assessment, forecasting, and deterrence strategies (Asal et al, 2008). The results of applying these techniques to the counter-terrorism domain provide analysts with information that may not have been readily apparent, potentially influencing strategic decision-making. In addition, predictive modeling can be used to simulate the impact of various counter-terrorism strategies on covert networks. The modeling techniques discussed in this chapter include the use of hidden Markov models and dynamic Bayesian networks to detect, track, and counteract terrorist networks, and agent-based techniques for assessing terrorist network destabilization strategies. An elaboration of each of the three elements described above follows.
Data Collection and the Dark Web
Researchers at the University of Arizona’s Artificial Intelligence Lab, headed by Professor Hsinchun Chen, have undertaken the task of mining the so-called ‘Dark Web,’ a moniker describing the cyberspace equivalent of clandestine back-alley meetings, recruitment efforts, and propaganda dissemination by VNSAs. Using a systematic web-mining approach, the Dark Web Project tackles the “needle-in-a-haystack” search for the covert movements and communication patterns of extremist and terrorist groups in cyberspace, providing researchers with the kind of content-rich datasets that can inform various analysis and predictive modeling techniques.
The data collection process utilizes a semi-automated Web spidering technique, which offers a significant increase in efficiency over manual collection methods (Zhou et al, 2006). The process begins with the identification of extremist groups and a seed batch of Web sites based on information provided by authoritative outside sources, such as the US State Department and the UN Security Council reports, and studies published by private terrorism research centers.
Information on these entities, such as group and leader names, and group-specific jargon are manually compiled to create a keyword lexicon that is used to query major search engines for additional content. The set of seed sites, consisting of those identified by outside sources and the manual lexicon queries, is expanded by extracting their out-links and back-links. The spider collects the complete contents of the target sites, including all Web page text, hyperlinks, multimedia content, and available attachments (Zhou et al, 2006). Currently, the Web site collection consists of the complete contents of 1,000 sites, and partial information from approximately 10,000 linked sites (Univ. of Arizona, 2008).
Additionally, the researchers collected the complete contents of forums containing extremist/ terrorist content that have been identified in the manner described above. Forums are of particular interest, since they are a public communication medium uniquely suited to the propagation of ideas in a dynamic way. The content collected from the forums can offer insight into the real-time communication patterns of NSAs in cyberspace, as well as potentially identify developing trends and sympathizers (Qin et al, 2007). Encrypted or password protected forum content is a particularly significant finding for obvious reasons. In such cases, membership to the forum as a “curious neophyte” is requested manually, giving the spider access to this content (Qin et al, 2007). Researchers collected the complete contents of 300 terrorist forums, including authors, headings, postings, threads, time-tags, and any attached media (Univ. of Arizona, 2008).
Deterring VNSA in Cyberspace The Dark Web Collection currently contains about 2 TB of extremist/terrorist related content from 500,000,000 pages, files, and postings from over 10,000 sites in Arabic, Spanish, and English. New Web-content is collected every 2 to 3 months. The researchers believe that the “Dark Web collection is the largest open-source extremist and terrorist collection in the academic world,” and are currently developing a multi-lingual knowledge management system called the ‘Dark Web Portal’ that will provide efficient access to the Dark Web Collection (Univ.
of Arizona, 2008). The Portal utilizes document summarization, categorization, and visualization techniques to allow users to quickly locate the information they seek (Zhou et al, 2005).
Data Mining and Data Analysis
A step beyond the collection of a content-rich raw dataset, exemplified by the Dark Web collection, is the extraction of useful knowledge from this data through data mining and automated data analysis techniques (Jensen, 2003). Data mining identifies predictive patterns in the raw dataset which can be used by automated data analysis applications to “find previously unknown knowledge through links, associations, and patterns” in the data (Jensen, 2003).