The Irony of High-Tech Terrorism
Lorinda Wallace Niemeyer
Issue date: 10/29/01 Section: Technology
Information asymmetries and game theory are fundamental underpinnings of the terrorism-counterterrorism game. Governments develop tools to try to catch terrorists engaging in acts that few can actually imagine or foresee. A large part of this task is intercepting and interpreting terrorist communications. Terrorists seek to develop technologies or processes to circumvent government monitoring. Who wins? It depends.
The government provides much more information to the public than do terrorist organizations. The American public has an insatiable interest in what happens at Fort Meade and Langley. As a result, often more information is provided about government technologies and processes than is operationally optimal (accountability is important, of course, but the best operational strategy is secrecy). Terrorist groups operate, as the cliché goes, “in the shadows.” Information is much more difficult to glean from these organizations, upsetting the balance of power and placing the government at a disadvantage. When the risks associated with the release of information outweigh the benefits of accountability, everyone suffers.
There is debate (interestingly, between the law enforcement and intelligence community and, well, people outside this community) about the degree to which terrorist organizations, say, like Al Qaeda, make use of technology to accomplish clandestine communications. The debate itself, insofar as it reveals agendas on each side, is quite interesting, but I won’t go into that here. I believe that terrorists do make use of such technologies. This is, at a high level, the expressed opinion of the federal law enforcement and intelligence community. And, the type and sophistication of technology employed has signal value, telegraphing how well funded or organized a group is, for example. These signals are important factors in attempting to assess the level of threat of a given group, and they provide some level of predictive power as well.
Information asymmetry is not the irony of high-tech terrorism. This is simply the structure of the game. The irony lies in the observation that one of the government’s best weapons to counter high-tech terrorism is decidedly low-tech. Examination of a few clandestine communication technologies and countermeasures reveals this irony.
Encryption
This was the substance of my favorite non-markets case from last year. The FBI and CIA have resisted for years the export of strong encryption products. Although these restrictions were eased as of last year, there remains an embargo on the seven “terrorist” countries. Does export restriction unfailingly keep encryption out of the hands of evildoers? No. Many of the investigations that I worked on involved encryption. But do restrictions on export help to preserve the signal value of the use of certain strong encryption products? Absolutely. The use of certain tools is a factor in profiling any activity of a terrorist group. The trick to defeating encryption is knowing which communications to monitor in the first place, getting a court order to trap these communications, then attacking the encryption by exploiting a weakness in the algorithm, or providing the proper key (generally done by providing a proper pass phrase).
Steganography
Greek for “covered writing,” steganography (“stego”) has been called the “art of hiding information in plain sight.” Steganography uses redundant information in the bytes of media files—usually graphics or audio files—to embed other images or text. The technology is similar to digital watermarking, although the objectives are different. (Those who read my riveting article on digital watermarking last year will recognize this example.) Digital images—say your facebook photo—are made of thousands of bytes of information that determine, among other things, color. A byte consists of eight bits, each a one or a zero. In a byte such as 00000000, the seven high-order bits carry essentially all the information needed to interpret it. The remaining bit is the “least significant bit,” and it can be changed with little impact on the byte itself and no perceptible impact on the overall photo. This “bit stealing” process can continue until a message is effectively interspersed among many bytes in the image. If the original image (the “host”) is large enough, the impact is imperceptible to human senses. Maps or messages can be hidden in images, and those images posted on normal-looking Web sites.
Stego is the digital equivalent of a “dead drop.” Members of a given terrorist organization need not interact with one another directly to communicate. The biggest obstacle in battling stego is determining if a given file has been altered. Known stego tools will leave fingerprints that can be traced, but the sheer volume of images transmitted over the Internet prohibits effective screening of all images for these fingerprints. Sophisticated groups will write their own tools, anyway. Timestamps and cryptographic checksums can help determine when a file has been altered, and frequent alterations of the same file would arouse suspicion. However, this assumes that one has access to the original image. High download frequency of a given image without associated text could also arouse suspicion if this did not fit the profile of pornography downloads so well. The key countermeasure for stego is knowing which images to look at in the first place.
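The two countermeasures just described, checksum comparison against the original and a blind statistical check when no original is available, as an added example that is not part of the original article. It assumes a grayscale image represented as one byte per pixel; the cover image, the payload and the detection threshold are all constructed for the demonstration.

```python
import hashlib
import random

# Constructed cover "image": 4096 grayscale pixels, one byte each. In a real photo
# the two values of a pair (2k, 2k+1) are rarely used equally often; here even
# values are drawn 80% of the time so the pairs are clearly skewed.
_rng = random.Random(1)
COVER = bytes(2 * _rng.randrange(128) + (0 if _rng.random() < 0.8 else 1)
              for _ in range(4096))
COVER_DIGEST = hashlib.sha256(COVER).hexdigest()  # checksum of the "original"

def embed_lsb(pixels: bytes, payload_bits) -> bytes:
    """The article's "bit stealing": overwrite each pixel's least significant
    bit with one payload bit. Used here only to build the sample for the detector."""
    out = bytearray(pixels)
    for i, bit in enumerate(payload_bits):
        out[i] = (out[i] & 0xFE) | (bit & 1)
    return bytes(out)

# The payload stands in for encrypted or compressed data: uniformly random bits.
_payload_rng = random.Random(2)
STEGO = embed_lsb(COVER, [_payload_rng.randrange(2) for _ in range(len(COVER))])

def altered(pixels: bytes, reference_digest: str) -> bool:
    """Checksum comparison: decisive, but only with the original's digest in hand."""
    return hashlib.sha256(pixels).hexdigest() != reference_digest

def max_pixel_change(cover: bytes, stego: bytes) -> int:
    """Largest per-pixel change the embedding caused; for LSB replacement it is 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))

def pov_imbalance(pixels: bytes) -> float:
    """Pairs-of-values statistic in [0, 1]: the mean over the image of
    |count(2k) - count(2k+1)|. Overwriting LSBs with random-looking bits drives
    each pair's two counts toward equality, so the value collapses toward 0."""
    counts = [0] * 256
    for p in pixels:
        counts[p] += 1
    return sum(abs(counts[2 * k] - counts[2 * k + 1]) for k in range(128)) / len(pixels)

def looks_embedded(pixels: bytes, threshold: float = 0.3) -> bool:
    """Blind check needing no original. The threshold suits this constructed
    sample; it is not a calibrated detector for real photographs."""
    return pov_imbalance(pixels) < threshold
```

The blind statistic is the pairs-of-values idea behind the classic chi-square attack on LSB replacement; it only works because the embedded data looks random, which is exactly what encrypted or compressed payloads look like.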
Covert Channeling
Covert channeling entails the use of channels not normally used for textual data transmission. The data may be encrypted or unencrypted, but what distinguishes covert channeling from encryption is that it relies on the obscurity of the transmission method itself rather than on scrambling the data. One covert channeling tool uses ICMP packets for data transfer. ICMP is typically used as an error-reporting mechanism for IP, a connectionless protocol (ahhh, this should bring back memories of MIA for you second years, and give the first years something to look forward to), and does not typically carry a data payload (that is usually an IP packet’s role). In this case, the data was included in a field of the ICMP packets themselves.
Because ICMP packets are ubiquitous on a network (PING, for example, sends out ICMP packets), their presence does not automatically arouse suspicion. A client tool on the receiving computer reassembles the data from the crafted ICMP packets. It is typically the client-side tool that is easier to detect initially than the transmissions themselves. However, the tool is often disguised as a normal utility, or installed with the same name as an existing file (we call such a program a “Trojan”). Cryptographic checksums can help to detect changes to existing files, but the key to combating these tools is receiving information about their existence so that crafted packets can be “fingerprinted” and screened for by network monitoring tools.
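The “fingerprint and screen” step for echo packets, as an added example that is not from the article or from any monitoring tool it mentions. It assumes the filler bytes the common Windows and Linux ping utilities send; the sample packets are constructed in memory and nothing is sent on a network.

```python
import math
import struct

# Filler the two common ping utilities send (an assumption about those tools).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
LINUX_PING_PATTERN = bytes(range(0x10, 0x38))  # follows an 8-byte timestamp

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum; yields 0 over a packet whose checksum is filled in."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(ident: int, seq: int, payload: bytes) -> bytes:
    unsummed = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload  # type 8 = echo request
    return struct.pack("!BBHHH", 8, 0, icmp_checksum(unsummed), ident, seq) + payload

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte."""
    if not data:
        return 0.0
    probs = [data.count(bytes([b])) / len(data) for b in set(data)]
    return -sum(p * math.log2(p) for p in probs)

def classify_echo(packet: bytes) -> str:
    """Screen one ICMP packet: known ping filler is baseline, anything else is flagged."""
    typ = packet[0]
    payload = packet[8:]
    if icmp_checksum(packet) != 0:
        return "malformed"
    if typ not in (0, 8):
        return "non-echo"
    if payload == WINDOWS_PING_PAYLOAD or payload[8:] == LINUX_PING_PATTERN:
        return "baseline"
    if sum(32 <= b < 127 for b in payload) > 0.9 * len(payload):
        return "suspect: readable text in echo payload"
    if len(payload) >= 16 and entropy(payload) > 0.85 * min(8.0, math.log2(len(payload))):
        return "suspect: high-entropy payload (compressed or encrypted data?)"
    return "suspect: unrecognized filler"

# Constructed sample packets for the screen above.
SAMPLES = {
    "windows_ping": build_echo(1, 1, WINDOWS_PING_PAYLOAD),
    "linux_ping": build_echo(2, 7, bytes(8) + LINUX_PING_PATTERN),  # zeroed timestamp
    "text_payload": build_echo(3, 1, b"this sentence rides inside an echo request"),
    "binary_payload": build_echo(4, 1, bytes(range(64))),
}
```

Real monitors add the volume dimension the article alludes to (echo rate per host, payload sizes that never vary, replies that never match requests); this block shows only the per-packet fingerprint.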
Winning the High-Tech Terrorism Game
There is a trend in the countermeasures for all of these tools: You have to know which communications to look for. This includes knowing with some amount of certainty who the parties are, when and how they communicate generally (which usually includes several modes, from cell phones to couriers, to even e-mail and otherwise normal appearing web sites), and better yet, when and how they are planning to communicate on any given occasion. Without this information, the search for terrorist communications amounts to all-out monitoring, the proverbial needle in a haystack (and potentially, a civil liberties nightmare). And even the fastest supercomputer at Lawrence Livermore could not handle the volume of data transmissions at issue.
So what can help law enforcement pinpoint and decipher communications faster than the fastest supercomputer at Lawrence Livermore? A decidedly low-tech tool, the informant. The fink. Informants know who the players are, how they communicate, and when certain activities are on the horizon. Informants also know passwords. Although the term has been a bit overused in recent weeks, the key to the battle is human intelligence.
Most often, informants are people within organizations that we recruit and cultivate into de facto spies. Other times, as in the case of undercover agents or operatives, they are planted there. Informants are often vile individuals who are notoriously difficult to handle, and undercover or clandestine operations are extremely dangerous. But until we are willing to spend trillions in supercomputing processing power and abandon reasonable expectations of communications privacy, no other tactic compares in effectiveness.
The irony of high-tech terrorism? Sometimes you need a knife to win a gunfight.