As we’ve made clear, technology is an equal-opportunity enabler, providing powerful tools for people to use for their own ends—sometimes wonderfully constructive ends, but sometimes unimaginably destructive ones. The unavoidable truth is that connectivity benefits terrorists and violent extremists too; as it spreads, so will the risks. Future terrorist activity will include physical and virtual aspects, from recruitment to implementation. Terrorist groups will continue to kill thousands annually, by bombs or other means. This is all very bad news for the broader public, states that already have enough trouble protecting their homeland in the physical world, and companies that will be increasingly vulnerable.
And of course there remains the terrifying possibility that one of these groups will acquire a nuclear, chemical or biological weapon. Because of the developed world’s increasing dependence on its own connectedness—nearly every system we have is tied to a virtual network in some way—we’re acutely vulnerable to cyber terrorism in its various forms. That applies, of course, even in less-connected places, where the majority of terrorist attacks occur today. The technical skills of violent extremists will grow as they develop strategies for recruitment, training and execution in the virtual world, with the full understanding that their attacks will be more visible than ever before thanks to the increasing reach of global social-media networks.
But despite those gains, communication technologies also make terrorists far more vulnerable than they are today. For all the advantages that living in the virtual world give terrorists (small cells all over the world, destructive activities that are harder to trace), they still have to live physically (eat, be sheltered, be in a physical space from which they use their phones and computers), and that’s precisely what makes them more vulnerable in the new digital age. Here we will explore how terrorists will split their time between the physical and virtual worlds and why despite some advantages gained, they will ultimately make more mistakes and implicate more people, making their violent business far more difficult.
New Reach, New Risks
That the Internet provides dangerous information for potential criminals and extremists is well known; less understood is how this access will evolve on a global scale in the future. Many of the populations coming online in the next decade are very young and live in restive areas, with limited economic opportunities and long histories of internal and external strife. It follows, then, that in some places, the advent of the new digital age will also mean an increase in violent activity fueled by the greater availability of technology. A strong indication that that process is under way will be the proliferation of sophisticated homemade explosive devices.
While traveling in Iraq in 2009, we were struck by the notion that it was far too easy to be a terrorist. An Army captain told us that one of the greatest shared fears among American troops on patrol was the hidden roadside IED (improvised explosive device). In the war’s early days, IEDs were expensive to produce and required special materials, but with time, bomb-making tools and accessible instructions were widely available to any potential insurgent. The IED of 2009 was cheaper and more innovative, designed to evade now-understood countermeasures with simple adaptations. A bomb with its trigger taped to a mobile phone set on “vibrate” could be detonated remotely by calling that number. (The Americans soon responded to this tactic by introducing jamming systems to cut off mobile communication, with limited success.) What was once a sophisticated and lucrative violent activity (earning insurgents thousands of dollars) had become routine, an option for anyone with a bit of initiative willing to be paid in cigarettes.
If an insurgent’s mobile-phone-triggered IED is now the equivalent of a high school science project, what does that tell us about the future? These “projects” are an unfortunate consequence of what the Andy Rubin describes as the “maker phenomenon” in technology, which outside the terrorism context is often applauded. “Citizens will more easily become their own manufacturers by piecing together versions of today’s products to make something that had previously been too hard for an ordinary citizen to build,” Rubin told us. The emerging “maker culture” around the world is producing an untold number of ingenious creations today—3-D printers are just the beginning—but as with most technology movements, there is a darker side to innovation.
The future homemade terror device will likely be a combination of “everyman” drones and mobile IEDs. Such drones could be purchased online or at a toy store; indeed, simple remote-control helicopters are already available. The AR.Drone quadricopter, built by Parrot, was one of the top-selling toys of the 2011–2012 Christmas season. These toys are already equipped with a camera and can be piloted by a smart phone. Imagine a more complicated version that uses a Wi-Fi connection it generates itself and that is fitted with a homemade bomb on its undercarriage, producing a whole new level of domestic terror that is just around the corner. The knowledge, resources and technical skills necessary to produce such a drone will certainly be available practically everywhere in the near future. The autonomous navigation capability we discussed previously will become generally available and embeddable on a chip, which will make it easier for terrorists and criminals to stage a drone-based attack without intervention. Improved destructive capacity in physical attacks is just one way the spread of technology will affect global terrorism. Cyber terrorism, of course, is another—the term itself dates back to the 1980s—and the threat will grow only graver. For our purposes, we’ll define cyber terrorism as politically or ideologically motivated attacks on information, user data or computer systems intended to result in violent outcomes. (There is some overlap in tactics between cyber terrorism and criminal hacking, but generally the motivations distinguish the two.)
It’s hard to imagine extremist groups operating out of caves in Tora Bora constituting a cyber threat, but as connectivity spreads throughout the world, even remote places will have reasonable network access and sophisticated mobile handsets. We have to assume that these groups will also acquire the technical skills necessary to launch cyber attacks. Those changes, and the fact that our own connectedness presents an endless number of potential targets for extremists, are not promising developments.
Consider some straightforward possibilities. If cyber terrorists successfully compromise the network security of a large bank, all of its customers’ data and money will be at risk. (Even calling in a threat, in the proper circumstances, could cause a run on the bank.) If cyber terrorists target a city’s transportation system, police data, stock market or electricity grid, they could bring the daily mechanics of the city to a halt.
The security shields of some institutions and cities will prevent this, but not everyone will have such protection.
Nigeria, which struggles with domestic terrorism and weak institutions, is already a world leader in online scams. As the connectivity of the cities of Abuja extends to the more restive and rural north (where violent extremism is most prevalent), many would-be scammers could easily be attracted to the cause of a violent Islamist group like Boko Haram (Nigeria’s version of the Taliban). Only a handful of new recruits could transform Boko Haram from West Africa’s most dangerous terrorist organization into its most powerful cyber-terrorist one.
Cyber-terrorist attacks need not be limited to system interference, either.
Narco-terrorists, cartels and criminals in Latin America lead the world in kidnappings, but in the future, traditional kidnapping will be riskier, given trends like precision geo-location in mobile phones. (Even if kidnappers destroy a captive’s phone, its last known location will have been recorded somewhere in the cloud. Security-conscious individuals in countries where kidnapping is widespread will likely also have some form of wearable technology, something the size of a pin, which would continuously transmit their location in real time. And some who are most at risk may even have variations of those physical augmentations we wrote about earlier.)
Virtual kidnappings, on the other hand—stealing the online identities of wealthy people, anything from their bank details to public social-network profiles, and ransoming the information for real money—will be common. Rather than keep and maintain captives in the jungle, guerrillas in the FARC or similar groups will prefer the reduced risk and responsibility of virtual hostages.
There are clear advantages to cyber attacks for extremist groups: little to no risk of personal bodily harm, minimal resource commitment, and opportunities to inflict a massive amount of damage. These attacks will be incredibly disorienting for their victims, due to the difficulty of tracing the origins of virtual attacks, as we noted earlier, and they will induce fear among the enormous pool of potential victims (which includes nearly everyone whose world relies on being connected). We believe terrorists will increasingly shift their operations into the virtual space, in combination with physical-world attacks. While the dominant fear will remain weapons of mass destruction (the porousness of borders making it far too easy to smuggle a suitcase-sized bomb into a country), a future 9/11 might not involve coordinated bombings or hijackings, but coordinated physical and virtual-world attacks of catastrophic proportions, each designed to exploit specific weaknesses in our systems.
An attack on America could begin with a diversion on the virtual side, perhaps a large-scale hacking into the air-traffic-control system that would direct a large number of planes to fly at incorrect altitudes or on collision paths. As panic sets in, another cyber attack could bring down the communication capabilities of many airport control towers, turning all attention to the skies and compounding the fear that this is the “big one” we’ve been fearing. Meanwhile, the real attack could then come from the ground—three powerful bombs, smuggled in through Canada, that detonate simultaneously in New York, Chicago and San Francisco. The rest of the country would watch as the first responders scrambled to react and assess damage, but a subsequent barrage of cyber attacks could cripple the police, the fire department and emergency-information systems in those cities. If that’s not terrifying enough, while urban emergency efforts slow to a crawl amid massive physical destruction and loss of life, a sophisticated computer virus could attack the industrial control systems around the country that maintain critical infrastructure like water, power and oil and gas pipelines. Commandeering these systems, called supervisory control and data acquisition (SCADA) systems, would enable terrorists to do all manner of things: shut down power grids, reverse waste-water treatment plants, disable the heat-monitoring systems at nuclear power plants. (When the Stuxnet worm attacked Iranian nuclear facilities in 2012, it operated by compromising the industrial control processes in nuclear centrifuge operations.) Rest assured that it would be incredibly, almost unthinkably difficult to pull off this level of attack—commandeering one SCADA system alone would require detailed knowledge of the internal architecture, months of coding and precision timing. But some kind of coordinated physical and cyber attack is inevitable.
terror groups will possess the level of skill or the determination to carry out attacks on this scale in the coming decades. Indeed, because of the vulnerabilities that technology introduces for them, there will be fewer terrorist masterminds altogether. But those that do exist will be even more dangerous. What gives terror groups in the future an edge may not be their members’ willingness to die for the cause; it might be how good their command of technology is.
Various platforms will aid extremist groups in planning, mobilization, execution and, more important, as we’ve already pointed out, recruitment. There may not be many caves online, but those blind spots where all manner of nefarious dealings occur, including child pornography and terrorist chat rooms, will continue to exist in the virtual world. Looking ahead, future terror groups will develop their own sophisticated and secure social platforms, which could ultimately serve as digital training camps as well. These sites will expand their reach to potential new recruits, enable information-sharing among disparate cells and serve as an online community for like-minded individuals. These virtual safe houses will be invaluable to extremists, provided that there are no double agents and that the digital encryption is strong enough.
Antiterrorism units, law enforcement and independent activists will try to shut down or infiltrate these sites but will be unable to. It’s just too easy to relocate or change the encryption keys in boundless virtual space and keep the platform alive.
Media savvy will be among the most important attributes for future transnational terrorists; recruitment, among other things, will rely on it. Most terrorist organizations have already dipped a toe into the media marketing business, and what once seemed farcical—al-Qaeda’s website heavy with special effects, al-Shabaab insurgent group on Twitter—has given way to a strange new reality. The infamous case of Anwar al-Awlaki, the late American-born extremist cleric affiliated with al-Qaeda in Yemen, provides a compelling example. His high profile was largely a result of his own self-promotion—he used viral videos and social networks to disseminate his charismatic sermons internationally. As the first major terrorist YouTube sensation, Awlaki’s influence is undeniable—several successful and would-be terrorists cited him as an inspiration—and his prominence earned him a spot on the U.S. government’s list of high-value targets. He was killed by a drone strike in September 2011.
Awlaki’s social media mastery impressed the billionaire investor and reformist Saudi prince Alwaleed bin Talal al-Saud, who sees this as part of a broad trend across the region. “Even the most anti-Western religious figures in Saudi Arabia are now almost all using technology,” he told us, adding that “a number of them are even using mobile devices and increasingly social networks to issue fatwas”—Islamic edicts. As Middle East observers know, this is a profound change, particularly in Saudi Arabia, where the clerical establishment is notoriously slow to accept technology. The trend will only continue.
Given the importance of digital marketing for future terrorists, we anticipate that they will increasingly look to infiltrate mobile and Internet companies. Some Islamist groups have already tried to do this.
Maajid Nawaz, a former leader in Hizb ut-Tahrir (HT)—a global extremist group that seeks the overthrow of Muslim-majority governments through military coups and the creation of a worldwide Islamist superstate—told us his organization had a policy of recruiting from mobile-phone companies. “We pitched propaganda stalls outside the Motorola offices in Pakistan, then we recruited some Motorola staff, who proceeded to leak the numbers of Pakistan’s national newspaper editors,” he said. Members of HT would bombard these editors with text messages full of propaganda, talking points and even threats. The recruited Motorola staff further helped HT, according to Nawaz, by concealing its members’ identities when they signed up for phone service, allowing them to operate undetected.
If extremist groups don’t target the mobile companies themselves, they will find other ways to wield influence on these powerful platforms. Groups like Hezbollah tend to gain community support by providing services that the state is unwilling or unable to deliver adequately. Services, support and entertainment all serve to strengthen the credibility of the group and the loyalty of its base. Hamas could develop a family of apps for the cheap smart phones everyone uses, offering everything from health-care information to mobile money exchanges to games for children. This infinitely valuable platform would be built and serviced by Hamas members and sympathizers. Even if the Apple store blocked their applications under order of the U.S. government, or the U.N. took similar action, it would be possible to build apps without any official tie to Hamas and then promote them through word of mouth. The impact this could have on a young generation would be immense.
As global connectivity renders extremist groups more dangerous and more capable, traditional solutions will appear increasingly ineffective. In many parts of the world, simply imprisoning terrorists will have little effect on their network or their ability to influence it. Smuggled handsets will enable extremists to run command-and-control centers from inside prison walls, and the task of confiscating or otherwise limiting the power of these devices will only get harder as the basic components of smart phones—the SIM cards (memory cards used in mobile phones that can carry data from one phone to another) and the rest—get smaller and more powerful.
Such practices have already begun, sometimes in farcical fashion. In 2011, Colombian prison officials stopped an eleven-year-old girl en route to visiting an incarcerated relative in Medellín because of the odd shape of her sweater; they found seventy-four mobile phones and a revolver taped to her back. In Brazil, inmates trained carrier pigeons to fly in phone components, and at least one local gang hired a teenager to launch phones over the prison walls with a bow and arrow. (The boy was caught when one of his arrows struck an officer.)
This is not just taking place in the developing world. A former member of a South Central Los Angeles gang told us that the going rate for a contraband smart phone hovers around $1,000 in American prisons today. Even tablets can be obtained for the right price. He further described how these devices enable well-connected inmates to maintain their illicit business ties from behind bars through popular social-network platforms. In 2010, when inmates in at least six prisons in the U.S. state of Georgia simultaneously went on strike to protest their conditions, their protest was organized almost entirely through a network of illicit mobile phones.
The most compelling (and successful) example of prison activities comes from Afghanistan, a country with one of the lowest rates of connectivity in the world. The Pul-e-Charkhi prison on the outskirts of Kabul is the country’s largest prison and among its most notorious. Commissioned in the 1970s and completed during the Soviet occupation, in its initial years tens of thousands of political prisoners were killed there annually and many more were tortured for anti-Communist sentiments. The prison earned a new distinction during the American occupation as a terrorist nerve center. Following a violent riot in 2008 in the prison’s Cell Block Three, Afghan authorities discovered a fully operational terror cell—in both senses of the word—that had been used by inmates to coordinate deadly attacks outside the prison walls. The back door to the cell block was covered in live electrical wires, woven through the bars like vines and emitting a soft red glow in the corridor, and the walls were painted with swords and verses from the Koran. Cell Block Three had been taken over by its Taliban and al-Qaeda inmates years earlier, and through a combination of effective smuggling of phones and radios, savvy recruitment within the prison population and threats to the guards and their families, these radicalized inmates had transformed their environment into a prison without walls—a secure perch (safe from aerial drones and other dangers) from which they could expand their organization, run extortion schemes and coordinate terrorist attacks in a city twenty miles away. They recruited petty thieves, heroin addicts and Christians (inmates whose pariah status in Afghan society made them ripe for radicalization) with money or the threat of violence.
After the 2008 riot, relocation of these inmates to different cell blocks was thought to have ended their terror network, or at least severely curtailed its functionality. Yet two years later, following a string of attacks in Kabul, prison officials admitted publicly that the terror cells had re-formed within Pul-e-Charkhi almost immediately, and authorities’ attempts to limit their operational capacity by sporadic jamming (to render their contraband mobile phones useless) had largely failed. Pul-e-Charkhi housed many of Afghanistan’s high-value inmates, and it was run by the Afghan military with American advisors, yet no one seemed capable of controlling the mobile networks. When Jared accompanied the late special envoy to Afghanistan Richard Holbrooke on a trip to Kabul, he visited the prison and met with one of the incarcerated former ringleaders of Cell Block Three, an extremist leader named Mullah Akbar Agie, to assess how conditions in the prison had changed after the post-riot crackdown. Agie responded to a joking request for his phone number by reaching into his robe and pulling out a late-model feature phone. He proudly jotted down his name and phone number on a slip of paper: 070-703-1073.
The experience at Pul-e-Charkhi suggests the danger of mixing gangs, religious extremists, drug traffickers and criminals in the prisons during the digital age. Outside prison walls, these different networks at times overlap and use the same technological platforms, but when they are put in close proximity inside prisons, with the help of contraband devices they can become dangerous, united nodes. A band of narco-traffickers from a Mexican cartel might share valuable information about cross-border weapon-smuggling networks with an Islamist extremist in exchange for money or a foothold in a new market for the cartel. When both parties reach a mutually beneficial arrangement, each could use his mobile phone to inform his organization of the new collaboration. Deals struck in prison and then followed through in open society will be difficult to intercept, because short of placing all inmates in isolation cells (unrealistic) or shutting down the mobile contraband trade (equally unlikely, despite enormous effort), prison authorities will have limited success in preventing cases like these from materializing.
So if we take it as a given that prison contraband networks will generally outsmart the officials charged with shutting them down, and that mobile phones will remain in high demand for inmates, what options remain to thwart the Pul-e-Charkhi scenario from playing out elsewhere? The most obvious solution is simply cutting off access, jamming the networks so that inmates’ illicit phones become little more than expensive platforms for playing Tetris. But it stands to reason that someone could figure out a way to get over that hurdle. Perhaps live pigeons won’t work, but small drones designed to look like pigeons and act as mobile Wi-Fi hot spots might.
Monitoring and tapping the mobile activity among prisoners is another option for law enforcement. The intelligence gathered from listening in could, among other things, shed light on how illicit networks operate. A more subversive solution could be to intentionally co-opt the contraband networks by getting devices into prisoners’ hands that are actually filled with traps to inadvertently give up information. Loaded with malware that will allow activity on each phone to be traced, these phones would be designed to give up secrets easily without inmates’ knowledge. This may ultimately prove more effective than human informants, and safer, too.
Some societies will ensure that a prisoner disappears from the Internet entirely while behind bars. By court order his virtual identity would be frozen, laws would prevent anyone from trying to contact, interact with or even advertise to his frozen profile, and once he was released, he would be required to provide his probation officer with access rights to his online accounts. The digital-age equivalent of an ankle bracelet will be government-imposed software that tracks and restricts online activity, not just for the obvious cases like child molesters (whose Internet activity is sometimes restricted as a condition of probation) but for all convicted criminals for the duration of their probation.
Someone found guilty of insider trading could be temporarily barred from all forms of e-commerce: no trading, online banking or buying things on the Internet. Or someone subjected to a restraining order would be restricted from visiting the social-networking profiles of the targeted person and his or her friends, or even searching for his or her name online.
Alas, many of these solutions will be circumvented in the age of cyber terrorism, as more and more criminals operate invisibly.
The Rise of Terrorist
How serious someone considers the threat of cyber terrorism likely depends on that person’s view of hacking. For some, the image of a basement-dwelling teenager commandeering phone systems for a joyride endures, but hacking has developed considerably in the past decade, transformed from a hobby into a controversial mainstream activity. The emergence of “hacktivists” (politically or socially motivated hackers) and groups like the hacking collective Anonymous signals a maturation of message and method and hints at what we can expect in the coming years. Increasingly, hackers will find ways to organize themselves around common causes. They will conduct sophisticated attacks on whomever they deem a proper target and then publicize their successes widely. These groups will continue to demand attention from the governments and institutions they attack, and their threats may come to be taken more seriously than one might expect judging from today’s activities, which mostly seem like stunts. The story of WikiLeaks, the secrets-publishing website we discussed earlier, and its sympathetic hacker allies is an illustrative example.
The arrest of WikiLeaks’ cofounder Julian Assange in December 2010 sparked flurries of outrage around the world, particularly among the many activists, hackers and computer experts who believed his indictment on sexual-assault charges was politically motivated. Shortly thereafter, a series of cyber attacks crippled, among others, the websites for Amazon, which had revoked WikiLeaks’ use of its servers, and PayPal, which had both stopped processing donations for WikiLeaks.
This campaign, officially titled Operation Avenge Assange, was coordinated by Anonymous, a loosely knit collective of hackers and activists already responsible for a string of prominent DDoS attacks against the Church of Scientology and other targets. During Operation Avenge Assange, the group vowed to take revenge on any organization that lined up against WikiLeaks: “While we don’t have much of an affiliation with WikiLeaks, we fight for the same reasons. We want transparency and we counter censorship. The attempts to silence WikiLeaks are long strides closer to a world where we cannot say what we think and are unable to express our opinions and ideas. We cannot let this happen.… This is why we intend to utilize our resources to raise awareness, attack those against and support those who are helping lead our world to freedom and democracy.” The corporate websites were back online within several hours, but their disabling was very public and could have affected millions of customers. Most of those customers had no idea the websites were vulnerable in the first place. In other words, the hacktivists made their point. A string of global investigations followed, leading to the arrest of dozens of suspected participants in the United States, Spain and Switzerland, among other states.
Neither WikiLeaks nor groups like Anonymous are terrorist organizations, although some might claim that hackers who engage in activities like stealing and publishing personal and classified information online might as well be. The information released on WikiLeaks put lives at risk and inflicted serious diplomatic damage.
And that’s the point: Whatever lines existed between the harmless hackers and the dangerous ones (or between hackers and cyber terrorists, for that matter) have become increasingly blurred in the post-9/11 era. Decentralized collectives like Anonymous demonstrate clearly that a collection of determined people who don’t know each other, and without having met in person, can organize themselves and have a real impact in virtual space. In fact, no critical mass is necessary—an individual with technical prowess (computer-engineering skill, for example) can commandeer thousands of machines to do his bidding. What will happen in the future when there are more of these groups? Will they all fight on the side of free speech? Recent examples suggest we should begin preparing for other possibilities.
In 2011, the world met a twenty-one-year-old Iranian software engineer, apparently working in Tehran, who called himself Comodohacker. He was unusual compared to other hacktivists, who generally combat government control over the Internet, because as he told The New York Times via e-mail, he believed his country “should have control over Google, Skype, Yahoo!, etc.” He made it clear that he was intentionally working to thwart antigovernment dissidents within Iran. “I’m breaking all encryption algorithms,” he said, “and giving power to my country to control all of them.”
Boasting aside, Comodohacker was able to forge more than five hundred Internet security certificates, which allowed him to thwart “trusted website” verification and elicit confidential or personal information from unwitting targets. It was estimated that his efforts compromised the communications of as many as three hundred thousand unsuspecting Iranians over the course of the summer. He targeted companies whose products were known to be used by dissident Iranians (Skype), or those with special symbolic significance. He said he attacked a Dutch company, DigiNotar, because Dutch peacekeepers failed to protect Bosnian Muslims in Srebrenica in 1995.
Just months after Comodohacker’s high-profile campaign, another ideological hacktivist from the Middle East emerged. He called himself OxOmar, claimed to live in Riyadh, Saudi Arabia, and declared that he was “one of the strongest haters of Israel” who would “finish Israel electronically.” In January 2012, he hacked into a well-known Israeli sports website and redirected visitors to a site where they could download a file that contained four hundred thousand credit-card numbers (most of these were duplicates, and the total number of compromised cardholders was closer to 20,000). He claimed to represent a group of Wahhabi hackers, Group-XP, who wrote in a statement, “It will be so fun to see 400,000 Israelis stand in line outside banks and offices of credit card companies … [and] see that Israeli cards are not accepted around the world, like Nigerian cards.” Weeks later, when the websites of Israel’s El Al Airlines and its stock exchange were brought down with DoS attacks, OxOmar told a reporter that he had teamed up with a pro-Palestinian hacker group called Nightmare and that the attacks would be reduced if Israel apologized for its “genocide” against Palestinians. Israel’s deputy minister of foreign affairs, Danny Ayalon, said he considered it a “badge of honor that I have been personally targeted by cyber-terrorists.” He later confirmed the attacks on his Facebook page but added that hackers “will not silence us on the Internet or in any forum.” Was Comodohacker really a young Iranian engineer? Did OxOmar really coordinate with another group to launch his attacks? Were these hackers individuals, or actually groups? Could either or both of these figures just be constructs of states looking to project their digital power? Any number of scenarios could be true, and therein lies the challenge of cyber terrorism in the future. Because it is very difficult to confirm the origins of cyber attacks, the target’s ability to respond appropriately is compromised, regardless of who claims responsibility. This obfuscation adds a whole new dimension to misinformation campaigns, and no doubt states and individuals alike will take advantage of it. In the future, it will be harder to know who or what we are dealing with.
Sudden access to technology does not in and of itself enable radicalized individuals to become cyber terrorists. There is a technical skills barrier that, to date, has forestalled an explosion of terrorist-hackers. But we anticipate that this barrier will become less significant as the spread of connectivity and low-cost devices reaches remote places like the Pakistan border region, the African Sahel and Latin America’s tri-border area (Brazil). Hackers in developed countries are typically self-taught, and because we can assume that the distribution of young people with technical aptitude is equivalent everywhere, this means that with time and connectivity, potential hackers will acquire the necessary information to hone their skills. One outcome will be an emergent class of virtual soldiers ripe for recruitment.
Whereas today we hear of middle-class Muslims living in Europe going to Afghanistan for terror-camp training, we may see the reverse in the future. Afghans and Pakistanis will go to Europe to learn how to be cyber terrorists. Unlike training camps with rifle ranges, monkey bars and obstacle courses, engineering boot camps could be as nondescript as a few rooms with some laptops, run by a set of technically skilled and disaffected graduate students in London or Paris. Terrorist training camps today can often be identified by satellite; cyber boot camps would be indistinguishable from Internet cafés.
Terrorist groups and governments alike will try to recruit engineers and hackers to fight for their side. Recognizing how a cadre of technically skilled strategists enhances their destructive capacity, they will increasingly target engineers, students, programmers and computer scientists at universities and companies, building out the next generation of cyber jihadists. It is hard to persuade someone to become a terrorist, given the physical and legal consequences, so surely ideology, money and blackmail will continue to play a large role in the recruitment process. Unlike governments, terrorist groups can play the antiestablishment card, which may strengthen their case among some young and disaffected hacker types. Of course, the decision to become a cyber terrorist is almost always less consequential to one’s personal health than signing up for suicide martyrdom.
Culture will play an important role in where these pockets of cyber terrorism develop in the world. Deeply religious populations with distinct radicalized elements have traditionally been the most fertile ground for terrorist recruitment, and that will hold true for cyber-terrorist recruitment as well, especially as the largely disconnected parts of the world come online. To a large extent, the web experience of users is highly determined by their existing networks and immediate environment. We do not expect radical social change simply from the advent of connectivity. What we’ll see instead are more communication channels, more participation and more rogue identities developing online.
And, of course, there are state sponsors of terrorism who will seek to conduct untraceable attacks. Today, Iran is one of the world’s most notorious sponsors of terror groups, funneling weapons, money and supplies to groups like Palestinian Islamic Jihad, the al-Aqsa Martyrs Brigades and various militant groups in Iraq. But as cyber-terrorist efforts begin to look more fruitful, Iran will work to develop the virtual capacity of its proxies in equal measure. This means sending computer and network equipment, security packages and relevant software, but it also could mean in-person training. Iran’s technical universities may well begin hosting Lebanese Shia programmers with the specific aim of integrating them into Hezbollah’s emergent cyber army. Perhaps they will send them the most expensive encryption tools and hardware. Or Iran could fund technical madrassas in Hezbollah strongholds like Dahieh, Baalbek and the south of Lebanon, creating incubators where promising engineers are trained to launch cyber attacks against Israel. Perhaps instead of giving cash to Shia businessmen in Brazil to start businesses (a known tactic of the Iranian government), the regime will provide them with tablets and mobile devices carrying specialized software.
But any regime or terrorist group that recruits these hackers will assume a certain risk. While not all recruits will be young, a decent percentage will be, and not just for demographic reasons: Social scientists have long believed that certain developmental factors make young people uniquely susceptible to radicalization. (There is considerable discussion about what, precisely, those factors are, however; some believe it has to do with brain chemistry, while others argue that sociological elements in society are the driving cause.) So not only will recruiters be faced with organizing hackers, who thus far have shown a distinct resistance to formal organization, but they’ll also have to deal with teenagers. As we’ll discuss below, participation in a virtual-terrorism network will require inordinate discipline, not the trait most frequently associated with teenagers. Most young people are attracted to and tempted by the same things—attention, adventure, affirmation, belonging and status. Yet one mistake, or one casual boast online from a teenage hacker (or someone he knows), could unravel his entire terrorist network.
counterterrorism operations today depend on intelligence sharing and military cooperation—such as that between the United States and its allies in South Asia—in the future, that bilateral support will necessarily include a virtual component. Given that many of the most radicalized countries will be among the latest arrivals to the Internet, they will need foreign support to learn how to track down terrorists online and how to use the tools newly available to them. Today, large contractors make a fortune benefiting from foreign military assistance; as bilateral efforts increasingly come to include cyber-security elements, a range of new and established computer-security firms will benefit accordingly.
Military policies too will change in response to the threat cyber terrorists pose. Today, most of the terrorists the military chases down are in failed states or ungoverned regions. In the future, these physical safe havens will also be connected, allowing terrorists to engage in nefarious virtual acts without any fear of law enforcement. When intelligence reveals known cyber terrorists planning something dangerous, extreme measures like drone strikes will come under consideration.
Western governments will try to attract skilled hackers to their side as well. In fact, hackers and government agencies in the United States work together already, at least in matters of cybersecurity. For years, agencies like the Pentagon’s Defense Advanced Research Projects Agency (DARPA) and the National Security Agency (NSA) have recruited talented individuals at venues like the computer-security conference series
Cyber Fast Track (CFT), created by a former hacker turned DARPA project manager, which aimed to accelerate and streamline the cooperation between these communities. Through CFT, DARPA began awarding short-term contracts to individuals and small companies to focus on targeted network-security projects. This initiative was distinguished by its focus on smaller players and lone actors rather than big companies, and its ability to green-light grants quickly. DARPA approved eight contracts in the first two months of the program—in other words, at lightning speed compared with the normal pace of government contracting. This process allowed groups with considerable skill who would otherwise not work with or for the government to contribute to the important work of improving cybersecurity, easily and in a time frame that reflects the immediate nature of the work. CFT was part of a shift in the agency toward “democratized, crowd-sourced innovation” championed by
We asked Dugan about the motivation behind this unconventional approach to problem-solving—after all, inviting hackers into the tent to handle sensitive security matters raises more than a few eyebrows. “There is a sense among many that hackers and Anonymous are just evildoers,” she said. “What we recognized and tried to get others to embrace was that ‘hacker’ is a description of a talent set. Those who were declared (self-declared or otherwise) ‘hackers’ had something rather significant to contribute to the issue of cybersecurity, with respect to how they approach problems, the timelines on which they approach problems and their ability to execute and challenge.” The success of Cyber Fast Track, she added, was a signal of the viability of that model. “I don’t think that should be the only model we use,” she said, “but it should absolutely be part of our approach.”
More outreach to hackers and other independent computer experts should be a priority in the coming years, and we expect that Western governments will continue to try to include them, either overtly, through programs like CFT, or covertly, through the channels of intelligence agencies. Governments will push hard to acquire virtual counterparts in foreign countries to complement their undercover operators and assets active in the physical world, recruiting hackers and other technically savvy individuals to become sources and dealing with them remotely over secure online channels. There are implicit challenges associated with virtual assets, however. Despite their usefulness, there would be an absence of in-person interactions, which intelligence operatives have relied on for centuries to determine the credibility of a source. A video chat is hardly the same thing, so agencies will have to figure out how they can vet new participants effectively. Trusting virtual assets may in fact be harder than turning them.
The Terrorists’ Achilles’ Heel
Terrorists in the future will find that technology is necessary but high-risk. The death of Osama bin Laden, in 2011, effectively ended the era of the cave-dwelling terrorist isolated from the modern technological ecosystem. For at least five years, bin Laden hid in his mansion in Pakistan, without access to the Internet or mobile phones. He had to stay off-line to stay safe. This drastically reduced his reach and influence through an al-Qaeda network that relied, at least in part, on connectivity to operate. Ironically, it was his lack of Internet access in a large urban home that helped identify him, once his courier pointed intelligence operatives in the right direction.
And while bin Laden may have evaded capture by staying off-line, even he used flash drives, hard drives and DVDs to stay informed. These tools enabled him to keep track of al-Qaeda’s operations internationally and provided an efficient way for his couriers to move large amounts of data between him and various terror cells elsewhere. As long as he was at large, the information on these devices was secure, impossible to access. But when Navy SEAL Team Six raided his home, they seized his devices, getting not just the world’s most wanted man but also critical information about everyone he had been in contact with.
The more likely terrorist scenario continuing into the new digital age will resemble the Mumbai attacks in 2008, when ten masked men held the city hostage in a three-day siege in which 174 people were killed and more than 300 wounded. The gunmen relied on basic consumer technologies—Google Earth and VoIP—to coordinate and conduct the attacks, communicating at a command center in Pakistan with leaders who watched live coverage of the events on satellite television and monitored the news to provide real-time tactical direction. Technology made these attacks much more deadly than they could have been otherwise, but once the last (and only surviving) gunman was captured, the information he and, critically, the leftover devices of his comrades, provided allowed investigators to follow an electronic trail to significant people and places in Pakistan that might not have otherwise been known for months, if ever.
The silver lining of cyber terrorism is that, in almost every way, its practitioners will have less room for error. Most of us have no reason to think about how differently we might interact with technology if our freedom or lives depended on erasing the tracks we leave when we go online. Cyber terrorists possess an unusually high technical awareness, but what about their friends? What about the relatives they correspond with? It is unrealistic to expect perfectly disciplined behavior from every terrorist online. Consider the nonterrorist example of John McAfee, the millionaire antivirus software pioneer who became an international fugitive after fleeing from the authorities who wanted to question him in connection with the murder of his neighbor in his adopted home country, Belize. After inviting journalists from Vice, an online magazine, to interview him at his secret hideout, McAfee posed for a picture with Vice’s editor in chief, taken with an iPhone 4S. What he—and his Vice interviewer—didn’t know was that publishing that photo also gave away McAfee’s location, since many smart phones (including the iPhone 4S) embed metadata about GPS coordinates into camera shots. All it took was one Twitter user to notice the metadata and suddenly the authorities, and the world, knew McAfee was in Guatemala, near a swimming pool at the Ranchon Mary restaurant. Vice should have known better (we’ve known about location metadata for years), but as smart phones become ever more complicated, the number of small details to keep track of compounds.
As social, professional and personal lives move increasingly to cyberspace, the interconnectedness of all digital activity increases dramatically. Computers are very good at recognizing patterns and solving needle-in-the-haystack problems, so with more data, computer algorithms can compute more precise predictions and correlations—faster and with more accuracy than any human could. Imagine a Moroccan extremist in France who has done everything possible to anonymize his smart phone from its mobile network. He has turned off geo-location, opted out of all data sharing and removes his SIM card periodically in case anyone tries to track it. He has even adopted the habit of taking the battery out of his phone as a final safeguard, knowing that when a phone is turned off, a battery retains the power to send and receive signals. His phone number is simply one of thousands, impossible to pinpoint or link to him or his location. Yet law enforcement knows he has a fondness for betting on horse races, and they know there are four off-track betting locations in his town. Using that data, they can narrow down the potential pool of numbers from thousands to the hundred or so that frequent those places. And let’s say a few of his known acquaintances are not as careful with their data tracks as he is; law enforcement can then cross-reference that off-track-betting pool with the various locations of his friends. That could be all they need to do to identify his number. This type of big-data investigation was once unthinkable, but it’s easy today—yet another example of humans and computers splitting duties according to their strengths. Off-line or online, our activities (and those of our friends, families and our demographic) provide intelligent computer systems with more than enough information to identify us.
It takes only one mistake or weak link to compromise an entire network. A Navy SEAL Team Six member we talked with described a top al-Qaeda commander who was exceptionally cautious around technology, always swapping phones and rarely speaking for very long. But while he was careful with his professional life, he was careless with his social one. At one point, he called a cousin in Afghanistan to say he planned to attend a wedding. That one misstep gave authorities enough information to find and capture him. Unless a terrorist is acting completely alone (which is rare), and with perfect online discipline (even rarer), there is a very good chance that somewhere in the chain of events leading up to a planned attack, he will compromise himself in some way. There are simply too many ways to reveal oneself, or be revealed, and this is very encouraging in contemplating the future of counterterrorism.
Of course, amid all of the smart and savvy cyber terrorists there will be dumb ones, too. In the trial-and-error period of connectivity growth, there will be plenty of demonstrations of inexperience that might seem laughable to those of us who grew up with the Internet. Three years after the Canadian journalist Amanda Lindhout was kidnapped in Somalia—she was held for fifteen months by al-Shabaab extremists and finally released for a hefty ransom—her former captors contacted her on Facebook, issuing threats and inquiring about more money. Some were dummy accounts, set up with the sole purpose of harassing her further, but others appeared to be genuine personal Facebook accounts. It seems unlikely that the terrorists understood the degree to which they’d exposed themselves—not just their names and profiles, but everyone they were connected to, everything they’d written on their own and others’ Facebook pages, what websites they’d “liked,” and so on. Each such exposure, of course, will represent a teachable moment for other extremists, enabling them to avoid the same errors in the future.
It is estimated that more than 90 percent of people worldwide who have mobile phones keep them within three feet of themselves twenty-four hours a day. There is no reason to believe this won’t be true for extremists. They might adopt new routines that help protect them—like periodically removing the battery from their phones—but they won’t stop using them altogether. This means that counterterrorist raids by militaries and law enforcement will result in better outcomes: capture the terrorist, capture his network. Interrogations post-capture will remain important, but each device used by a terrorist—mobile phones, storage drives, laptops and cameras—will be a potential gold mine. Commandeering a captured terrorist’s devices with the rest of his network unaware will lead his cohorts to unwittingly disclose sensitive information or locations. Additionally, the devices might contain content that can be used to expose hypocrisy in a terrorist’s public persona, as American officials did when they revealed that the computer files taken from Osama bin Laden’s compound contained a large stash of pornographic videos. Of course, once this vulnerability becomes apparent, more sophisticated terrorists will combat it by having an abundance of technology with misleading information on it. Deliberately storing personal details about rivals or enemies on devices that find their way into the hands of law enforcement will be a useful form of sabotage.
No Hidden People Allowed
As terrorists develop new methods, counterterrorism strategists will adapt accordingly. Imprisonment may not be enough to contain a terror network. Governments may determine, for example, that it is too risky to have citizens “off the grid,” detached from the technological ecosystem. To be sure, in the future, as now, there will be people who resist adopting and using technology, people who want nothing to do with virtual profiles, online data systems or smart phones. Yet a government might suspect that people who opt out completely have something to hide and thus are more likely to break laws, and as a counterterrorism measure, that government will build the kind of “hidden people” registry we described earlier. If you don’t have any registered social-networking profiles or mobile subscriptions, and online references to you are unusually hard to find, you might be considered a candidate for such a registry. You might also be subjected to a strict set of new regulations that includes rigorous airport screening or even travel restrictions.
In a post-9/11 world, we can already see signs that even countries with strong civil-liberties foundations jettison citizen protections in favor of a system that enhances homeland surveillance and security. That will only accelerate. After some cyber-terrorist successes, it will be easier to persuade people that the sacrifices involved—essentially, a heightened level of governmental monitoring of online activity—are worth the peace of mind they will bring. The collateral damage in this scenario, besides the persecution of a small number of harmless hermits, of course, is the danger of the occasional abuse or poor judgment by government stewards. This is yet another reason it will be so important to fight for privacy and security in the future.
The push-pull between privacy and security in the digital age will become even more prominent in the coming years. The authorities responsible for locating, monitoring and capturing dangerous individuals will require massive, highly sophisticated data-management systems to do so. Despite everything individuals, corporations and dedicated nonprofit groups are doing to protect privacy, these systems will inevitably include volumes of data about non-terrorist citizens—the questions are how much and where. Currently, most of the information that governments collect on people—their addresses, ID numbers, police records, mobile-phone data—is siloed in separate places (or is not even digitized yet in some countries). Its separation ensures a degree of privacy for citizens but creates large-scale inefficiencies for investigators.
This is the “big data” challenge that government bodies and other institutions around the world are facing: How can intelligence agencies, military divisions and law enforcement integrate all of their digital databases into a centralized structure so that the right dots can be connected without violating citizens’ privacy? In the United States, for example, the CIA and other government agencies all use different systems. We know computers can find patterns, anomalies and other relevant signifiers much more efficiently than human analysts can, yet bringing together disparate information systems (passport information, fingerprint scans, bank withdrawals, wiretaps, travel records) and building algorithms that can efficiently cross-reference them, eliminate redundancy and recognize red flags in the data is an incredibly difficult and time-consuming task.
Difficult does not mean impossible, however, and all signs point toward these comprehensive integrated information systems’ becoming the standard for modern, wealthy states in the near future. We had the opportunity to tour the command center for Mexico’s impressive national crime database and perhaps the best model of an integrated data system operating today. Housed in an underground bunker in the Secretariat of Public Security compound in Mexico City, this large database integrates intelligence, crime reports and real-time data from surveillance cameras and other inputs from agencies and states across the country. Specialized algorithms can extract patterns, project social graphs and monitor restive areas for violence and crime as well as for natural disasters and other civilian emergencies. The level of surveillance and technological sophistication of Plataforma México that we saw is extraordinary—but then, so are the security challenges that Mexican authorities face. Therein lies the challenge looking ahead: Mexico is the ideal location for a pilot project like this because of its entrenched security problems, but once the model has been proven, what is to stop other states with less justifiable motivations from building something similar? Surely other governments can play the security card and insist that such a sophisticated platform is necessary; what might stop them?
In the early 2000s, following the September 11 terrorist attacks, something similar was proposed in the United States. The Defense Department set up the Information Awareness Office and green-lit the development of a program called Total Information Awareness (TIA). Pitched as the ultimate security apparatus to detect terrorist activity, TIA was designed and funded to aggregate all “transactional” data—including bank records, credit-card purchases and medical records—along with other bits of personal information to create a centralized and searchable index for law enforcement and counterterrorist agencies. Sophisticated data-mining technologies would be built to detect patterns and associations, and the “signatures” that dangerous people left behind would reveal them in time to prevent another attack.
As details of the TIA program leaked out to the public, a range of vocal critics emerged from both the right and the left, warning about the potential costs to civil liberties, privacy and long-term security. They zeroed in on the possibilities of abuse of such a massive information system, branding the program “Orwellian” in scope. Eventually, a congressional campaign to shut TIA down resulted in a provision to deny all funds for the program in the Senate’s 2004 defense appropriations bill. The Information Awareness Office was shuttered permanently, though some of its projects later found shelter in other intelligence agencies in the government’s sprawling homeland-security sector.
Fighting for privacy is going to be a long, important struggle. We may have won some early battles, but the war is far from over. Generally, the logic of security will always trump privacy concerns. Political hawks merely need to wait for some serious public incident to find the political will and support to push their demands through, steamrolling over the considerations voiced by the doves, after which the lack of privacy becomes normal. With integrated information platforms like these, adequate safeguards for citizens and civil liberties must be firmly in place from the onset, because once a serious security threat appears, it is far too easy to overstep. (The information is already there for the taking.) Governments operating surveillance platforms will surely violate restrictions placed on them (by legislation or legal ruling) eventually, but in democratic states with properly functioning legal systems and active civil societies, those errors will be corrected, whether that means penalties for perpetrators or new safeguards put into place.
Serious questions remain for responsible states. The potential for misuse of this power is terrifyingly high, to say nothing of the dangers introduced by human error, data-driven false positives and simple curiosity. Perhaps a fully integrated information system, with all manner of data inputs, software that can interpret and predict behavior and humans at the controls is simply too powerful for anyone to handle responsibly. Moreover, once built, such a system will never be dismantled. Even if a dire security situation were to improve, what government would willingly give up such a powerful law-enforcement tool? And the next government in charge might not exhibit the same caution or responsibility with its information as the preceding one. Such totally integrated information systems are in their infancy now, and to be sure they are hampered by various challenges (like consistent data-gathering) that impose limits on their effectiveness. But these platforms will improve, and there is an air of inevitability around their proliferation in the future. The only remedies for potential digital tyranny are to strengthen legal institutions and to encourage civil society to remain active and wise to potential abuses of this power.
A final note on digital content as we discuss its uses in the future: As online data proliferates and everyone becomes capable of producing, uploading and broadcasting an endless amount of unique content, verification will be the real challenge. In the past few years, major news broadcasters have shifted from using only professional video footage to including user-generated content, like videos posted to YouTube. These broadcasters typically add a disclaimer that the video cannot be independently verified, but the act of airing it is, in essence, an implicit verification of its content. Dissenting voices may claim that the video has been doctored, or is somehow misleading, but those claims when registered get a fraction of the attention and are often ignored. The trend toward trusting unverified content will eventually spur a movement toward more rigorous, technically sound verification.
Verification, in fact, will become more important in every aspect of life. We explored earlier how the need for verification will come to shape our online experiences, requiring better protections against identity theft, with biometric data changing the security landscape. Verification will also play an important role in determining which terrorist threats are actually valid. To avoid identification, most extremists will use multiple SIM cards, multiple online identities and a range of obfuscating tools to cover their tracks. The challenge for law enforcement will be finding ways to handle this information deluge without wasting man-hours on red herrings. Having “hidden people” registries in place will reduce this problem for authorities but will not solve it.
Because the general public will come to prefer, trust, depend on or insist on verified identities online, terrorists will make sure to use their own verified channels when making claims. And there will be many more ways to verify the videos, photos and phone calls that extremist groups use to communicate. Sharing a photograph of hostages with fresh daily newspapers will become an antiquated practice—the photo itself is the proof of when it was taken. Through digital forensic techniques like checking the digital watermarks, IT experts can verify not only when, but where and how.
This emphasis on verified content, however, will require terrorists to make good on their threats. If a known terrorist does not do so, the subsequent loss of credibility will hurt his and his group’s reputation. If al-Qaeda were to release an audio recording proving that one of its commanders survived a drone attack, but forensic computer experts using voice-recognition software determined that someone else’s voice was on the tape, it would weaken al-Qaeda’s position and embolden its critics. Each verification challenge would chip away at the grandiose image that many extremist groups rely on to raise funds, recruit and instill fear in others. Verification can therefore be a tremendous tool in the fight against violent extremism.
The Battle for Hearts and Minds Comes Online
While it’s true that effective hackers and computer experts will enhance terror groups’ capabilities, the broad foundation of recruits will, like today, be basic foot soldiers. They’ll be young and undereducated, and they’ll have grievances that extremists exploit to their own advantage. We believe that the most pivotal shift in counterterrorism strategy in the future will not concern raids or mobile monitoring, but instead will focus on chipping away at the vulnerability of these at-risk populations through technological engagement.
An estimated 52 percent of the world’s population is under the age of thirty, and the vast majority are what we could call “socioeconomically at risk,” living in urban slums or poorly integrated immigrant communities, in places with unreliable rule of law and limited economic opportunity.
humiliation, lack of opportunity and mobility, and just simple boredom make these young populations highly susceptible to the influence of others. Set against a backdrop of repression and in a subculture that promotes extremism, their grievances foster their radicalization. This is as true for the undereducated slum kid as it is for university students who see no opportunities awaiting them on the other side of their degree.
At Google Ideas, we’ve studied radicalization around the world, particularly with an eye toward the role that communication technologies can play.
It turns out that the radicalization process for terrorists is not very different from what we see with inner-city gangs or other violent groups, like white supremacists. At our Summit Against Violent Extremism in June 2011, we brought together more than eighty former extremists to discuss why individuals join violent organizations, and why they leave them. Through open dialogue with the participants, who, between them, represented religious extremists, violent nationalists, urban gangs, far-right fascists and jihadist organizations, we learned that similar motivations exist across all these groups, and that religion and ideology play less of a role than most people think. The reasons people join extremist groups are complex, often having to do more with the absence of a support network, the desire to belong to a group, to rebel, to seek protection or to chase danger and adventure.
There are far too many young people who share these sentiments. What’s new is that large numbers of them will air their grievances online in ways that advertently or inadvertently advertise themselves to terrorist recruiters. What radicalized youth seek through virtual connections grows out of their experience in the physical world—abandonment, rejection, isolation, loneliness and abuse. We can figure out a great deal about them in the virtual world, but in the end, real de-radicalization requires group meetings and a lot of support, therapy and meaningful alternatives in the physical world.
Words and speeches against violent extremism will not be enough in the battle for young hearts and minds. Military force will not do the job, either. Governments have been largely successful at capturing and killing existing terrorists but less effective at stemming the flow of recruits. As General Stanley McChrystal, the former U.S. and NATO commander in Afghanistan, told Der Spiegel in 2010, “What defeats terrorism is really two things. It’s rule of law and then it’s opportunity for people. So if you have governance that allows you to have rule of law, you have an environment in which it is difficult to pursue terrorism. And if you have an opportunity for people in life, which includes education and the chance to have a job, then you take away the biggest cause of terrorism. So really, the way to defeat terrorism is not military strikes, it’s going after the basic conditions.”
McChrystal’s insight spotlights an opportunity for technology enthusiasts and companies alike, because what better way is there to improve a population’s quality of life than boosting its connectivity? The gains that communication technologies produce for communities—economic opportunity, entertainment, freedom of information, greater transparency and accountability—all contribute to the antiradicalization mission. Once a large segment of a population is online, it will be possible to mobilize the local virtual community to reject terrorism and demand accountability and action from its leaders. There will be more voices speaking out against extremism than for it, and while technology may extend the reach of fanatics, it will be impossible to preach one way of thinking without encountering some interference. All of the things that come with an active virtual sphere—more discussion, more points of view, more counternarratives—can introduce doubt and promote independent thinking among these young, malleable populations. Of course, all of this would fall on more receptive ears if connectivity led to job creation.
The most potent antiradicalization strategy will focus on the new virtual space, providing young people with content-rich alternatives and distractions that keep them from pursuing extremism as a last resort. This effort should be large and involve stakeholders from every background—the public sector, private companies, partnerships between local actors and activists abroad. Mobile technology, particularly, will play the dominant role in this campaign, since the majority of people coming online will do so through their handsets. Phones are personalized and powerful platforms, status symbols that their users rely on and value deeply. Reaching disaffected youth through their mobile phones is the best possible goal we can have.
Western companies and governments will not be the ones to develop the bulk of the new content. The best solutions will be hyper-local, designed and supported by people with intimate knowledge of the immediate environment. Building platforms that we merely hope alienated youth will like and use is the equivalent of dropping propaganda flyers from an airplane.
Outsiders don’t have to develop the content; they just need to create the space. Wire up the city, give people basic tools and they’ll do most of the work themselves. A number of technology companies have developed start-up kits for people to build applications on top of their platforms; Amazon Web Services and Google App Engine are two examples, and there will be many others. Creating space for others to build the businesses, games, platforms and organizations they envision is a brilliant corporate maneuver, because it ensures that a company’s products are used (boosting brand loyalty, too) while the users actually build and operate what they want.
Somalis will build apps that are effective antiradicalization tools to reach other Somalis; Pakistanis will do the same for other Pakistanis. There will be more opportunities for local people to build small businesses and create outlets for youth at the same time. The key is to simply enable people to adapt products in ways that fit their needs and don’t require complex technological expertise.
Public-private partnerships with local activists and people of influence will drive this process. Companies should also look to partnering with local groups to develop content. Ideally, what emerges is a range of content, platforms and applications that speak to each community distinctly yet share technological or structural components enabling them to be mimicked in other places. If the causes of radicalization are similar everywhere, the remedies can be, too.
Technology companies are uniquely positioned to lead this effort internationally. Many of the most prominent ones have all the values of a democratic society with none of the baggage of being a government—they can go where governments can’t, speak to people off the diplomatic radar and operate in the neutral, universal language of technology. Moreover, this is the industry that produces social networks and mobile phones—it has perhaps the best understanding of how to distract young people of any sector, and kids are the very demographic being recruited by terror groups. The companies may not understand the nuances of radicalization or the differences between specific populations in key theaters like Yemen, Iraq and Somalia, but they do understand young people and the toys they like to play with. Only when we have their attention can we hope to win their hearts and minds.
Moreover, due to technology companies’ involvement in security threats—their products are being used by terrorists—the public will eventually demand that they do more in the fight against extremism. This means not only improving their products and protecting users with strict policies regarding content and security, but also taking a public stand. Just as the capitulation of MasterCard and PayPal to political pressure in the WikiLeaks saga convinced many activists that the companies took sides, inaction on the part of technology companies will be considered indefensible to some. Fairly or otherwise, companies will be held responsible for destructive uses of their products. Companies will reveal their personalities and core values according to how they rise to meet these challenges. Empty words will not pacify an informed public.
We can already see early steps in this direction, as some companies make clear statements in policy or procedure. At YouTube, there is the challenge of content volume. With more than four billion videos viewed daily (and sixty hours of video uploaded each minute), it is impossible for the company to screen that content for what is considered inappropriate material, like advocating terrorism. Instead YouTube relies on a process in which users flag content they consider inappropriate; the video in question goes to a YouTube team for review, and it is taken down if it violates company policies. Eventually, we will see the emergence of industry-wide standards. All digital platforms will forge a common policy with respect to dangerous extremist videos online, just as they have coalesced in establishing policies governing child pornography. There is a fine line between censorship and security, and we must create safeguards accordingly. The industry will work as a whole to develop software that more effectively identifies videos with terrorist content. Some in the industry may even go so far as employing speech-recognition software that registers strings of keywords, or facial-recognition software that identifies known terrorists.
Terrorism, of course, will never disappear, and it will continue to have a destructive impact. But as the terrorists of the future are forced to live in both the physical and the virtual world, their model of secrecy and discretion will suffer. There will be more digital eyes watching, more recorded interactions, and, as careful as even the most sophisticated terrorists are, even they cannot completely hide online. If they are online, they can be found. And if they can be found, so can their entire network of helpers.
In this chapter we have explored the darkest ways that individuals will seek to violently disrupt our future world, but given that conflict and war are as much a part of human history as society itself, how will states and political movements engage in these activities to achieve their aims? We’ll now explore this question by imagining how conflict, combat and intervention are affected in a world where almost everyone is online.
Cyber attackers cover their tracks by routing data through intermediary computers between themselves and their victims. Such “proxy” computers—which could include hacked computers in homes or businesses around the globe—appear to victims and outsiders as the sources of the attack, and it can be quite challenging to trace through many intermediary layers back to the true sources of cyber attacks. Making matters worse, an attacker can launch a Tor router on the compromised host, spewing obfuscating traffic throughout the compromised network and masking the attacker’s intentional activities.
This will still prove difficult to achieve, depending on the nature of the crime.
Kevin Mitnick, who was an infamous computer hacker, was convicted, spent five years in prison and then, as part of his probation, was forbidden to use the Internet or a cell phone. He eventually fought the restriction through the legal system and won.
At a minimum, platforms like WikiLeaks and hacker collectives that traffic in stolen classified material from governments enable or encourage espionage.
Google, like many other companies, builds free tools that anyone can use. Because of this, the company is continuously working to understand how to mitigate the risks that hostile individuals and entities will use these tools to cause harm.