By Catherine A. Theohary and John Rollins
This report describes the ways that international terrorists and insurgents use the Internet, strategically and tactically, in pursuit of their political agendas.1 This discussion covers terrorist information operations in cyberspace but does not discuss similar activities in other domains. The government response is also discussed in terms of information operations. Technical aspects of cybersecurity and network intrusion detection are outside the scope of this report.
Information warfare can be defined as the use of information technology and content to affect the cognition of an adversary or target audience. Information operations is defined by the Department of Defense as “the integrated employment … of information-related capabilities in concert with other lines of operations to influence, corrupt, disrupt or usurp the decision-making of adversaries and potential adversaries while protecting our own.”2 One area where these operations can take place is cyberspace, defined by the Department of Defense as “a global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processes and controllers.”3 This report focuses on one particular element of the information environment: the Internet.
Terrorists make use of the Internet in a variety of ways, including what are often referred to as “jihadist websites.” Most Al Qaeda-produced ideological material reflects Al Qaeda supporters’ shared view of jihad as an individual duty to fight on behalf of Islam and Muslims, and, in some cases, to offensively attack Muslims or non-Muslims who are deemed insufficiently pious or who oppose enforcement of Islamic principles and religious law.4 Al Qaeda and other violent Islamist groups draw on the Quran and other Islamic religious texts and adapt historical events to current circumstances as a propaganda tactic. This approach is prominently displayed in jihadists’ use of the Internet for recruiting and propaganda purposes.
Why and How International Terrorists Use the Internet
The Internet is used as a prime recruiting tool for insurgents.5 Extremists use chat rooms, dedicated servers and websites, and social networking tools as propaganda machines, as a means of recruitment and organization, for training grounds, and for significant fund-raising through cybercrime. These websites and other Internet services may be run by international terrorist groups, transnational cybercrime organizations, or individual extremists. YouTube channels and Facebook pages of Taliban and Al Qaeda supporters may radicalize Western-based sympathizers, and also provide a means for communication between these “lone wolf” actors and larger organized networks of terrorists. The decentralized nature of the Internet as a medium and the associated difficulty in responding to emerging threats can match the franchised nature of terrorist organizations and operations.6 It is unclear how great a role the Internet plays in coordinating the efforts of a single group or strategy.
Many Arabic-language websites are said to contain coded plans for new attacks. Some reportedly give advice on how to build and operate weapons and how to pass through border checkpoints.7
Other news articles report that a younger generation of terrorists and extremists, such as those behind the July 2005 bombings in London, are learning new technical skills to help them avoid detection by various nations’ law enforcement computer technology.8
Cybercrime has now surpassed international drug trafficking as a terrorist financing enterprise. Internet Ponzi schemes, identity theft, counterfeiting, and other types of computer fraud have been shown to yield high profits under a shroud of anonymity. According to press reports, Indonesian police officials believe the 2002 terrorist bombings in Bali were partially financed through online credit card fraud.9 There may be some evidence that terrorist organizations seek the ability to use the Internet itself as a weapon in an attack against critical infrastructures.10 Also, links between terrorist organizations and cybercriminals may show a desire to hone a resident offensive cyber capability in addition to serving as a means of procuring funds.
To some observers, the term “cyberterrorism” is inappropriate, because a widespread cyberattack may simply produce annoyances, not terror, as would a bomb, or other chemical, biological, radiological, or nuclear explosive (CBRN) weapon. However, others believe that the effects of a widespread computer network attack would be unpredictable and might cause enough economic disruption, fear, and civilian deaths to qualify as terrorism. At least two views exist for defining the term cyberterrorism as traditionally understood:
- Effects-based. Cyberterrorism exists when computer attacks result in effects that are disruptive enough to generate fear comparable to a traditional act of terrorism, even if done by criminals other than terrorists.
- Intent-based. Cyberterrorism exists when unlawful, politically motivated computer attacks are done to intimidate or coerce a government or people to further a political objective, or to cause grave harm or severe economic damage.11
Propaganda, Recruitment, and Training
In a July 2005 letter to Abu Musab al-Zarqawi, the late leader of Al Qaeda operations in Iraq, senior Al Qaeda leader Ayman al-Zawahiri wrote, “We are in a battle, and more than half of this battle is taking place in the battlefield of the media.”12 Terrorist organizations exploit the Internet medium to raise awareness for their cause, to spread propaganda, and to inspire potential operatives across the globe. Websites operated by terrorist groups can contain graphic images of supposed successful terrorist attacks, lists and biographies of celebrated martyrs, and forums for discussing ideology and methodology.
The Quetta Shura Taliban reportedly maintains several dedicated websites, including one with an Arabic-language online magazine, and publishes daily electronic press releases on other Arabic language jihadist forums. The As-Shahab Institute for Media Production is Al Qaeda Central’s media arm and distributes audio, video, and graphics products online through jihadist forums, blogs, and file-hosting websites.
A recent online English-language terrorist propaganda periodical called Inspire appears to have originated from the media arm of a Yemen-based Al Qaeda group and contains articles by Anwar al-Awlaki, an English-speaking, U.S.-born radical imam whose sermonizing rhetoric and calls to action make extensive use of cyberspace. Al-Awlaki has been connected to several terrorist plots, including the attempted Times Square bombing in New York City in May 2010. Al-Awlaki has also been either directly or indirectly linked to radicalizing Nidal M. Hasan, who allegedly committed the November 2009 shooting at Fort Hood, Texas, and Umar Farouk Abdulmutallab, the Nigerian suspect accused of trying to ignite explosives on Northwest/Delta Airlines Flight 253 on Christmas Day 2009. Faisal Shahzad, a naturalized U.S. citizen from Pakistan, admitted to trying to set off a car bomb in Times Square and said he was inspired by al-Awlaki’s online lectures.
Some experts question the authenticity of the periodical Inspire and its link to Al Qaeda.13 The effectiveness of violent images used to reach its mainstream target audience is debated, as the violent images may appeal only to a small, self-selected segment of the population. In the July 2005 letter discussed above, al-Zawahiri, in a reference to winning the “hearts and minds” of Muslims, noted that “the Muslim populace who love and support you will never find palatable … the scenes of slaughtering the hostages.”14
These websites can also carry step-by-step instructions on how to build and detonate weapons, including cyber weapons. One website reportedly carries a downloadable “e-jihad” application, through which a user can choose an Internet target and launch a low-level cyberattack, overwhelming the targeted website with traffic in order to deny its service. The websites may also contain instructions for building kinetic weapons, such as bombs and improvised explosive devices, as well as for conducting surveillance and target acquisition.15
The Internet can also be used to transmit information and material support for planned acts of terrorism. A recent case involving a U.S. citizen residing in Pennsylvania alleges that a woman using the nickname “JihadJane” posted messages on YouTube and used jihadist websites and chat rooms to plan and facilitate an overseas attack.16
Cybercrime and Fund-Raising
Cybercrime has increased in past years, and several recent terrorist events appear to have been funded partially through online credit card fraud. Extremist hackers have reportedly used identity theft and credit card fraud to support terrorist activities by Al Qaeda cells.17 When terrorist groups do not have the internal technical capability, they may hire organized crime syndicates and cybercriminals through underground digital chat rooms. Reports indicate that terrorists and extremists in the Middle East and South Asia may be increasingly collaborating with cybercriminals for the international movement of money and for the smuggling of arms and illegal drugs. These links with hackers and cybercriminals may be examples of the terrorists’ desire to refine their computer skills, and the relationships forged through collaborative drug trafficking efforts may also provide terrorists with access to highly skilled computer programmers.
Although terrorists have been adept at spreading propaganda and attack instructions on the web, it appears that their capacity for offensive computer network operations may be limited. The Federal Bureau of Investigation (FBI) reports that cyberattacks attributed to terrorists have largely been limited to unsophisticated efforts such as e-mail bombing of ideological foes, denial-of-service attacks, or defacing of websites. However, it says, their increasing technical competency is resulting in an emerging capability for network-based attacks. The FBI has predicted that terrorists will either develop or hire hackers for the purpose of complementing large conventional attacks with cyberattacks.18 During his testimony regarding the 2007 Annual Threat Assessment, FBI Director Robert Mueller observed that “terrorists increasingly use the Internet to communicate, conduct operational planning, proselytize, recruit, train and to obtain logistical and financial support. That is a growing and increasing concern for us.”19 In addition, continuing publicity about Internet computer security vulnerabilities may encourage terrorists’ interest in attempting a possible computer network attack, or cyberattack, against U.S. critical infrastructure.
The Internet, whether accessed by a desktop computer or by the many available handheld devices, is the medium through which a cyberattack would be delivered. However, for a targeted attack20 to be successful, the attackers usually require that the network itself remain more or less intact, unless the attackers assess that the perceived gains from shutting down the network entirely would offset the accompanying loss of their own communication. A future targeted cyberattack could be effective if directed against a portion of the U.S. critical infrastructure, and if timed to amplify the effects of a simultaneous conventional physical or chemical, biological, radiological, or nuclear (CBRN) terrorist attack. The objectives of a cyberattack may include the following four areas:
- loss of integrity, such that information could be modified improperly;
- loss of availability, where mission-critical information systems are rendered unavailable to authorized users;
- loss of confidentiality, where critical information is disclosed to unauthorized users; and
- physical destruction, where information systems create actual physical harm through commands that cause deliberate malfunctions.
Publicity would also potentially be one of the primary objectives for a terrorist cyberattack. Extensive media coverage has shown the vulnerability of the U.S. information infrastructure and the potential harm that could be caused by a cyberattack. This might lead terrorists to believe that even a marginally successful cyberattack directed at the United States would garner considerable publicity. Some suggest that were such a cyberattack by an international terrorist organization to occur and become known to the general public, regardless of the level of success of the attack, concern by many citizens and cascading effects might lead to widespread disruption of critical infrastructures. For example, reports of an attack on the international financial system’s networks could create a fiscal panic in the public that could lead to economic damage.
According to security experts, terrorist groups have not yet used their own computer hackers nor hired hackers to damage, disrupt, or destroy critical infrastructure systems. Yet reports of a recent disruptive computer worm that has spread through some government networks, including that of the National Aeronautics and Space Administration, have found a possible link to a Libyan hacker with the handle “Iraq Resistance” and his online hacker group “Brigades of Tariq ibn Ziyad,” whose stated goal is “to penetrate U.S. agencies belonging to the U.S. Army.”21 According to these reports, references to both the hacker and group have been found in the worm’s code.
However, this does not provide conclusive evidence of involvement, as e-mail addresses can be spoofed and code can be deliberately designed to implicate a target while concealing the true identity of the perpetrator.
The recent emergence of the Stuxnet worm may have implications for what potential future cyberattacks might look like. Stuxnet is thought to be the first piece of malicious software (malware) that was specifically designed to target the computer-networked industrial control systems that control utilities, in this case nuclear power plants in Iran. Although many experts contend that the level of sophistication, intelligence, and access required to develop Stuxnet all point to nation states, not only is the idea now in the public sphere for others to build upon, but the code has been released as well. An industrious group could potentially use this code as a foundation for developing a capability intended to degrade and destroy the software systems that control the U.S. power grid, to name one example.22
Catherine A. Theohary
Analyst in National Security Policy and Information Operations
John Rollins
Specialist in Terrorism and National Security
This article is part of a larger March 8, 2011 Congressional Research Service report Terrorist Use of the Internet: Information Operations in Cyberspace
1 Multiple definitions for “insurgency” and “terrorism” exist within the federal government. This report uses the Department of Defense doctrinal definition, which defines terrorism as “the calculated use of violence or threat of violence to inculcate fear; intended to coerce or to intimidate governments or societies in the pursuit of goals that are generally political, religious, or ideological,” and insurgency as “an organized resistance movement that uses subversion, sabotage, and armed conflict to achieve its aims. Insurgencies normally seek to overthrow the existing social order and reallocate power within the country.”
2 See Secretary of Defense Memorandum, Subject: Strategic Communication and Information Operations in the DoD, January 25, 2011. An earlier definition in Joint Publication 3-13 defines IO as “the integrated employment of electronic warfare (EW), computer network operations (CNO), psychological operations (PSYOP), military deception (MILDEC), and operations security (OPSEC), in concert with specified supporting and related capabilities, to influence, disrupt, corrupt, or usurp adversarial human and automated decision making while protecting our own.”
3 See Deputy Secretary of Defense Memorandum, Subject: The Definition of Cyberspace, May 12, 2008. The DOD finds this definition consistent with National Security Presidential Directive 54/Homeland Security Presidential Directive 23 (NSPD-54/HSPD-23), which states that cyberspace is “the interdependent network of information technology infrastructures, and includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries.”
4 The Arabic word jihad is derived from a verb that means “to struggle, strive, or exert oneself.” Historically, key Sunni and Shia religious texts most often referred to jihad in terms of religiously approved fighting on behalf of Islam and Muslims. Some Muslims have emphasized nonviolent social and personal means of jihad or have sought to shape the modern meaning of the term to refer to fighting only under defensive circumstances. This report uses the term “jihad” to denote violent Sunni Islamists’ understanding of the concept as a religious call to arms and uses the terms “jihadi” and “jihadist” to refer to groups and individuals whose statements indicate that they share such an understanding of jihad and who advocate or use violence against the United States or in support of transnational Islamist agendas. Alternative terms include “violent Islamist” or “militant Islamist.” The term Islamist refers to groups and individuals who support a formal political role for Islam through the implementation of Islamic law by the state, political action through a religious party, or the creation of a religious system of governance. Islamists differ in their theological views and political priorities. For more information on Islam, jihadist ideology, and Al Qaeda and its affiliates, see CRS Report RS21745, Islam: Sunnis and Shiites, by Christopher M. Blanchard; and CRS Report R41070, Al Qaeda and Affiliates: Historical Perspective, Global Presence, and Implications for U.S. Policy, coordinated by John Rollins.
5 Deputy Assistant Secretary of Defense Garry Reid, in testimony before the Senate Armed Services Subcommittee on Emerging Threats and Capabilities, hearing on U.S. government efforts to counter violent extremism, March 10, 2010.
6 For an explanation of how a terrorist group is transformed and applicable U.S. policy implications, see CRS Report R41070, Al Qaeda and Affiliates: Historical Perspective, Global Presence, and Implications for U.S. Policy, coordinated by John Rollins.
8 Michael Evans and Daniel McGrory, “Terrorists Trained in Western Methods Will Leave Few Clues,” London Times, July 12, 2005, http://www.timesonline.co.uk/tol/news/uk/article543004.ece.
9 Alan Sipress, “An Indonesian’s Prison Memoir Takes Holy War Into Cyberspace,” Washington Post, December 14, 2004, http://www.washingtonpost.com/wp-dyn/articles/A62095-2004Dec13.html.
10 For more information on critical infrastructures, see CRS Report RL30153, Critical Infrastructures: Background, Policy, and Implementation, by John D. Moteff.
11 For a more in-depth discussion of the definition of cyberterrorism, see CRS Report RL33123, Terrorist Capabilities for Cyberattack: Overview and Policy Issues, by John Rollins and Clay Wilson.
12 A copy of the letter was released by the Office of the Director of National Intelligence on October 11, 2005, and can be accessed at http://www.globalsecurity.org/security/library/report/2005/zawahiri-zarqawi-letter_9jul2005.htm.
13 One example is Max Fisher, in “Five Reasons to Doubt Al-Qaeda Magazine’s Authenticity,” The Atlantic, July 1, 2010, accessed at http://www.theatlantic.com/international/archive/2010/07/5-reasons-to-doubt-al-qaeda-magazinesauthenticity/59035/.
15 For example, the online magazine Inspire contains an article entitled, “How to make a bomb in the kitchen of your Mom.”
16 Carrie Johnson, “JihadJane, an American woman, faces terrorism charges,” Washington Post, March 10, 2010, http://www.washingtonpost.com/wp-dyn/content/article/2010/03/09/AR2010030902670.html.
17 According to FBI officials in a report issued in June 2005, Al Qaeda terrorist cells in Spain used stolen credit card information to make numerous purchases. Also, the FBI has recorded more than 9.3 million Americans as victims of identity theft in a 12-month period. Report by the Democratic Staff of the House Homeland Security Committee, Identity Theft and Terrorism, July 1, 2005, p. 10.
18 Statement of Steven Chabinsky, Deputy Assistant Director, FBI Cyber Division, before the Senate Judiciary Committee Subcommittee on Homeland Security and Terrorism, at a hearing entitled, Cybersecurity: Preventing Terrorist Attacks and Protecting Privacy Rights in Cyberspace, November 17, 2009.
19 Robert Mueller, FBI Director, testimony before the Senate Select Committee on Intelligence, January 11, 2007.
20 A targeted attack is one where the attacker is intentionally attempting to gain access to or to disrupt a specific target. This is in contrast to a random attack, where the attacker seeks access to or to disrupt any target that appears vulnerable.
21 See http://www.computerworld.com/s/article/9184718/Cyber_jihad_group_linked_to_Here_you_have_worm.
22 For more information, see CRS Report R41524, The Stuxnet Computer Worm: Harbinger of an Emerging Warfare Capability, by Paul K. Kerr, John Rollins, and Catherine A. Theohary.