Rights Wire

The Human Rights Blog of the Leitner Center for International Law and Justice


Leave a comment

Exploring the links between technology, terrorism and human rights (part 1 of 2)

By Shruti Banerjee

The recent terrorist attacks in Belgium and France as well as the rise of right-wing violence in the U.S. have raised many questions about the role tech companies and internet service providers play in monitoring terrorist recruitment and activities. While some terrorists, such as Dylann Roof, who shot nine African-Americans in a South Carolina church, leave blatant manifestos online , others, such as the Islamic State in Iraq and Syria (ISIS) and right-wing groups in Europe, use the internet in more nuanced ways to recruit members and plan attacks. To effectively prevent terrorist activity we need to examine each of these methods.

This is the first in a two-part series about technology, terrorism and human rights. This post will explore how the internet has been used by terrorist groups to recruit members and plan attacks. A second post will discuss the corporate responsibility of tech companies in national security and human rights issues. It will also explore how people are using the internet to combat terrorism and how we can continue to prevent radicalization leading to attacks.

ONLINE RADICALIZATION AND RECRUITMENT

Understanding how technology has transformed the way we communicate is particularly important in an era when internet communication and mass messaging have been used as tools by militant organizations such as ISIS and domestic right-wing terrorist groups to promote their message and recruit new members.

Recruitment methods used by extremist Islamic groups are more nuanced and refined than blatant proclamations to support terrorist organizations. David Mair, a cyber-terrorism researcher at Swansea University, collaborated with the University of Massachusetts’ Center for Terrorism and Security Studies to analyze jihadist messages in online terrorist magazines. He notes there are key differences in ideology that drove messaging – most notably between the Islamic State and Al-Qaeda: while ISIS’ propaganda promotes the creation of a state governed by Sharia law, Al-Qaeda’s message typically focuses on jihad against oppressive western nations and promoting individuals to act alone in planning and executing attacks. These recruitment and attack planning methods are fundamentally different and require separate countering strategies, Mair said.

Muslim extremists have used various types of subtle propaganda to recruit members, such as promoting news stories of Western oppression and disguising extremist sites as religious sites. In an interview with the BBC, Sajid, a 16-year-old student in London whose brother was radicalized discusses how he was almost radicalized too. He opened a fake twitter account to learn more about ISIS after his brother left for Syria to join them. He told BBC over an encrypted chat application that he was surprised that no one in ISIS actually told him to support ISIS or move to Syria. The process of radicalization happened when he watched videos and encountered messages about Sunni oppression. This propaganda is used to incite anger in its viewers and create a community. Sajid said he caught himself becoming “heart-hardened” by this propaganda, but was eventually able to reject ISIS’s message. “After reading about Shia crimes against local Sunnis, I remember watching a video of an execution of an Iraqi soldier and thinking, ‘Good.’ This shocked me afterwards…I questioned my conscience, and my results were that I did not support ISIS with my heart at all,” Sajid said in the interview.

This type of subtle propaganda makes it more difficult to discern and dissuade potential recruits because actual news of attacks can be used as propaganda. Since it would pose a freedom of speech issue to censor these types of news stories, governments have a hard time cracking down on radicalization and recruitment. Monitoring and curbing extremist propaganda becomes even more complicated when it comes to religious messages aimed at recruiting young women and men. Extremists target young adults through websites posing as educational in nature, Sara Khan, Director at the anti-extremist group Inspire, explained to BBC News in an interview. Youth innocently searching for information about their faith can be unaware they have stumbled across extremist groups, Khan said. These recruitment sites often utilize religious language to convince the reader that their view is the proper interpretation of Islam. They exploit religion to recruit youth who have not learned much about their faith and cannot critically analyze the extremist interpretation.

Xenophobia in western countries and promises of a utopian state are other tools used by terrorists to recruit members from the west, Qari Asim, Senior Imam at Makkah Mosque in the United Kingdom, said in an interview with BBC. He recently visited Calais, a make-shift refugee camp in France, and met refugees who fled ISIS-controlled regions. These refugees explained that some young Muslims are leaving Britain to join ISIS because they didn’t feel like they belonged in England. According to Asim, ISIS is running a “sophisticated media strategy” to promote an anti-establishment view that appeals to many young people. He and his group are actively trying to prevent recruitment by utilizing social media strategies to engage with young people and spread truthful messages exposing the unpleasant realities of life under ISIS and combating xenophobia in the west.

Right-wing terrorist groups in Europe and the United States have used similar nuanced methods to spread their propaganda. Right-wing groups use the internet and technology to recruit members, create “virtual communities,” organize demonstrations and campaigns and promote violence. Like religious extremist organizations, these groups are targeting the youth and using the anonymity of the internet as cover. Essentially, they are trying to gain support by promoting “distorted accounts of social circumstances” on the internet, according to a report by the domestic intelligence service of Germany, Bundesamt für Verfassungsschutz (BfV). This report goes on to explain that controversial topics, such as immigration policy, are covered from an ideological point of view, making the intentions of the extremist less obvious to many readers.

Furthermore, right-wing extremist groups are often allowed to organize and disseminate their propaganda without much push-back from the government. In fact, the U.S. government has tended to focus on foreign terrorist threats, despite how domestic terrorism has killed more Americans since 9/11. Especially in the U.S., there is virtually no monitoring of right-wing extremist groups. The wide availability of this right-wing extremist propaganda and manifestos on the internet has led to radicalization and even attacks, such as Benjamin Smith’s shooting spree targeting minorities in Illinois and Indiana in 1999.

MASKING THEIR TRACKS

Extremists are cautious about internet security while using social media, blogs and video sites to recruit members and mobilize. ISIS militants avoid using high-profile communication companies, such as iMessage or WhatsApp, Peter Sommer, a digital forensics expert, told the BBC. Rather, terrorists efficiently find systems that offer its users simple ways to use encryption, a way of encoding messages so that only authorized people can read them, Sommer said. BfV reported that right-wing extremist circles have also started offering internet “security trainings” to teach others how to encrypt data.

Similarly, jihadi bulletin boards are filled with posts about free application add-ons to encrypt messages, Alan Woodward, a security expert, told the BBC. These encrypted messages pose a large hurdle for government agencies trying to monitor extremist activities and prevent attacks. The availability of encrypted systems makes the government security agencies crackdown “absolutely pointless” because terrorist are using off the record protocol, providing them end-to-end encryption, Woodward explained. This means that it is incredibly difficult for anyone, including tech companies providing these services, to intercept and decode the message.

Going after big tech firms would not entirely solve the problem, Woodward said, because even if these companies stopped providing off the record protocol, there are numerous sites providing free add-ons to encrypt messages. Since these encrypted messages are significantly harder to monitor than open manifestos, this has led to a contentious debate between tech companies who provide these services and the government who needs to stop terrorist activities about the responsibility of private companies in the fight against terrorism.

CONCLUSION

From New York to Bombay and Paris to Beirut, we can all fall victim to the devastation caused by terrorism, which poses a significant threat to security, stability and human rights. Our socioeconomic status and borders cannot protect us, leaving us all united under a common threat. The pervasiveness of this threat makes it even more important to understand how we can effectively stop it. This could mean countering the various recruitment methods used by extremist groups or urging the government and tech companies to work together to monitor terrorist activities on the internet. The second post in this series will discuss the debate between tech firms and the government over access to encrypted messages, privacy concerns and collaborative, rights-respecting solutions to some issues posed by terrorism.

Shruti Banerjee is a 2L at Fordham Law School.

The views expressed in this post remain those of the individual author and are not reflective of the official position of the Leitner Center for International Law and Justice, Fordham Law School, Fordham University or any other organization.

Photo Credit: Bernardo R/Creative Commons


Leave a comment

“How I learned to stop worrying and love the Stuxnet”: U.S. and China seek common ground in regulating cyberwarfare

By Meric Sar

“Dr. Strangelove: Of course, the whole point of a Doomsday Machine is lost, if you keep it a secret! Why didn’t you tell the world, EH?

Ambassador de Sadesky: It was to be announced at the Party Congress on Monday. As you know, the Premier loves surprises.”

Dr. Strangelove, 1964

Chinese President Xi Jingping’s recent visit to U.S. may be paving the way for the super powers to enter into a mutual arms control agreement in relation to cyberwarfare, the first of its kind. Considering cyberwarfare and its regulation have grave implications for freedom of expression, the right to privacy, net neutrality and security of persons, human rights advocates should keep a close eye on this development.

On Sept. 25, in a press conference, President Barack Obama and President Xi declared their governments’ mutual intent to establish greater cooperation in fighting cybercrime. They vowed to refrain in the future from harboring malicious cyberactivities targeting the other’s information and communication systems. Remarkably, the parties also declared their interest in exploring the prospect for an international code of conduct applicable to states in relation to cyberwarfare.

This comes after the world witnessed the rapid development of cyberwarfare methods in the last decades. The risks posed by cyberwarfare makes its disruptive potential perhaps only comparable to nuclear weapons. Indeed, the dependency on information and communication technologies at all levels of modern life—from the power grid to satellites, banking systems and medical facilities—makes a cyberapocalypse a scary possibility when governments are willing to spend vast resources on malicious technologies to gain the upper-hand in a wartime scenario.

“YOU SHALL NOT HACK YOUR NEIGHBOR!”

Although it is premature to talk about a conclusive agreement, the common agenda of the U.S. and China at the recent talks had three main points: (1) greater executive cooperation in information sharing; (2) a greater commitment in policing domestic perpetrators of cyberattacks and refraining from providing any support to these groups; (3) and developing an international code of conduct for states to follow in relation to the regulation of cyberwarfare.

Both countries are already on the way to creating an executive system for information sharing and mutual assistance in the investigation of cybercrimes concerning malicious activity identified by either side. Furthermore, they will establish a high-level joint dialogue mechanism with the involvement of the intelligence community, which will be charged with the monitoring and reviewing this system.

Moreover, both heads of state also declared their commitment to “making common effort to further identify and promote appropriate norms of state behavior in cyberspace within the international community,” and agreed to create a senior experts group to develop a framework with the July 2015 report of the U.N. Group of Governmental Experts in the Field of Information and Telecommunications in the Context of International security in cyberspace in mind.

The U.N. experts report reflects a multilateral understanding on certain norms, the majority of which were proposed by the U.S. Some of these include that states should not knowingly damage each other’s critical infrastructure using cyberattacks, should not target each other’s cyber-emergency responders in case of an emergency, and should assist other nations investigating cyberattacks and cybercrimes launched from their territories.

THE COSTS OF CYBER-WARFARE

In its simplest form, a cyberattack is conducted for purposes of espionage with an aim to break into someone else’s IT system, most often with an aim to retrieve trade secrets and other confidential information. Although cyber-espionage may seem to be a simpler form of cyberwarfare, its asymmetrical nature makes it particularly troublesome for an economy like that of the U.S., which relies heavily on advanced technological know-how. A single act of cyber-intrusion may result in tremendous losses in the form of leaked trade secrets and intelligence. Often, the financial impact of the attack will greatly outweigh the marginal costs necessary to facilitate such an act, which can be orchestrated by few hackers with modest resources. Furthermore, using moderate technical measures, the source of a cyberespionage attack can easily be cloaked. An important characteristic of the internet in China is that telecommunications infrastructure enabling online access routes are mostly owned by the government. This makes it essential for U.S. to gain access to the monitoring capacities of the Chinese government to be able to investigate and punish cyberattacks by Chinese individuals targeting U.S.

According to the chief of the NSA, General Keith Alexander, the loss of industrial know-how and related intellectual property through cyber-espionage constitutes the “greatest transfer of wealth in history,” as U.S. companies reportedly lose about $250 billion per year through intellectual property theft, and $338 billion due to cybercrime in general. Recently, China was also identified by the F.B.I. as the chief suspect for various cyberattacks, which exposed sensitive personal information of millions of U.S. government employees. The massive scale of the economic loss and national security vulnerability associated with cyber-espionage originating from China makes it an utmost priority for Obama administration to pull China into a fair game.

“ZERO DAY” WARFARE

Although some commentators are skeptical about whether China can be trusted to honor its commitment to refrain from state-sponsored cyber-espionage, an international regime of stability with regards to cyberspace is equally indispensable for a country like China, especially considering its ever-growing reliance on information technology systems to be able to sustain its economic development. This is where “zero day” cyberwarfare, the exploitation of unpatched software vulnerabilities that cannot be defended against, poses disturbing risks for China. Thus, China may greatly benefit from stronger cooperation with U.S. authorities and their unmatched capabilities in cyberwarfare so that it can develop state-of-the-art defense mechanisms.

A “zero day” attack is a form of cyber-sabotage that exploits a previously unknown (or undisclosed) vulnerability in a computer application. Often the developer of the application may not be aware of a “zero day” vulnerability in the software or application that he or she has designed. It is known as a “zero day” vulnerability because once the flaw becomes known and exploited, the developer of the computer application has zero days to mitigate its exploitation.

Normally, when a cybersecurity expert reveals a “zero day” vulnerability in a particular software, he or she should communicate the vulnerability to the software’s developer so that the developer can devise a method to fix the vulnerability and protect its clients from abuse. Avoid doing this, and the unfixed vulnerability will render other computers installed with the same software prone to attack from criminal hackers, corporate spies and foreign intelligence agencies, who may have obtained the knowledge of the vulnerability through other means.

A cyberattack that uses “zero day” vulnerabilities of operating systems could seamlessly take down a whole factory or nuclear plant. The most famous computer virus using “zero day” exploits was discovered in 2010, and was given the name Stuxnet. Stuxnet is believed to originate from a secret collaboration between the U.S. and Israeli governments. It was designed to damage certain nuclear facilities in Iran by infiltrating the targeted computers at the facilities in an effort to curb Iran’s nuclear enrichment activities. The virus relies on previously unknown vulnerabilities of operating systems, and can spread across a computer network without notice, infecting all the computer systems it encounters. The virus stays dormant until it reaches its target computer, at which point it can be activated to disrupt the computer’s system without revealing itself to the victim. Reports claim that the concept for Stuxnet originated from the renowned cyber-strategist General James E. Cartwright, who was the head of the U.S. Strategic Command, the agency responsible for nuclear deterrence, under the Bush Administration.

“DON’T ASK, DON’T TELL!”

Disturbingly, for a long period of time the N.S.A. followed a deliberate “nobody but us” policy restricting its officers from disclosing any “zero day” software vulnerabilities they reveal in the software they are using. Under this policy, when a NSA employee uncovers a “zero day” vulnerability on a piece of software (e.g. in the current version of Microsoft Windows), he or she has to keep the information secret in order to afford U.S. authorities a security hole in the systems of its adversaries that are using similar software. This policy has given U.S. government considerable advantage in “zero day” warfare methods.

Although the U.S.’ “nobody but us” policy may sound like an effective strategy to secure the upper hand for “offensive” purposes, it is far from convincing as a policy for maintaining “security” at home. Instead of encouraging transparency and timely dissemination of information to stakeholders in public and private industries in order to tackle technological vulnerabilities in a coordinated fashion, the NSA’s strategy relies on obscurity and informational asymmetry, rendering the national security itself open to abuse by malicious insiders or hackers.

The advances of the U.S. in “zero day” cyberwarfare do not mean that the U.S. has the sole monopoly over such tools either. In fact, Stuxnet is open source technology—meaning that currently anyone can download the source code and modify it for their own purposes.

A BEHAVIORAL EQUILIBRIUM

The current state of cyber-affairs can be compared to the intense period of nuclear armament that preceded the Limited Nuclear Test Ban Treaty, the signing of which took 18 years following the Hiroshima disaster. Perhaps we are approaching a behavioral equilibrium for super-powers in a way resembling the logic of the Cold War. Considering the mounting current costs and future risks for both China and the U.S. posed by an unregulated cyberspace with irresponsible actors, there is a large incentive for establishing rules that are internationally respected.

Cyber-attacks do not only target governments and corporations. NGOs and activists are also regular targets of such attacks. However, U.S.-China discussions thus far have failed to address such non-commercial civilian concerns. An international treaty on cyberspace may be an important first step. However, without addressing important civil issues such as free speech and net neutrality, international cyberspace law will not go far from merely representing the “policing” concerns of governments and intellectual property corporations. We must be wary of such a scenario as it will likely cause the internet to lose its truly “international” character and result in the fragmentation of internet into “fiefdoms” behind national walls.

Meric Sar is a Staff Writer for Rights Wire.

The views expressed in this post remain those of the individual author and are not reflective of the official position of the Leitner Center for International Law and Justice, Fordham Law School, Fordham University or any other organization.

Photo credit: Chris Robers/Defence Images