When he walked out of Lompoc Federal Correctional Institution in California five years ago, Kevin Mitnick, the most notorious hacker in the United States, faced a peculiar probation requirement. For three years following his release, he was obliged not to touch a computer keyboard or use a cellular phone. Mitnick himself attributed this novel constraint to the fact that the judge in his case had bought into “the myth of Kevin Mitnick—that I could launch nuclear missiles by whistling into a phone.” But the desire to physically isolate him from any type of computer was also a frank admission of failure on the part of the authorities: The FBI was so inept and Mitnick so adept with communications technologies that they regarded him as a practitioner of a kind of black magic. In a broader sense, the episode illustrates a digital divide between those who have mastered the capabilities of networked technologies and those who have not. This divide has traditionally been exploited by identity thieves, pornographers, spammers, and copyright pirates. But in the last several years, terrorists have increasingly exploited it as well.
Paul Wolfowitz announced recently that American authorities will pursue Al Qaeda in “cyber sanctuaries,” signaling a new theater in the ever evolving war on terrorism: the Internet. The American campaign in Afghanistan had a noticeable impact on the infrastructure of Al Qaeda, but rather than “smoke” the terrorists out, as President Bush declared it would, the war on terror has simply driven them further underground, decentralizing the leadership, atomizing the threat, and increasingly pushing terrorists onto the Web. If American forces are unaccustomed to pursuing adversaries through the caves of Afghanistan or the streets of Baghdad, they will have even more trouble tracking
Al Qaeda online, because Internet technology favors the fugitive criminal and the migrant threat, and because terrorists know how to turn the new digital divide to their advantage. In this evasive game they have at their disposal a most unusual accomplice: unwitting Americans with personal computers and Internet connections.
It emerged last year that Fortress ITX, a Clifton, New Jersey, Internet company, inadvertently hosted an Arabic-language website that urged attacks on America and Israel and supplied instructional pamphlets on kidnapping and urban guerrilla warfare. The emergence of this “virtual terrorism” should not be surprising, nor should the fact that Fortress ITX was unaware of it. Despite their wish to turn back the clock on various advances of the modern era, the followers of Osama bin Laden have proved surprisingly capable with the tools of the Internet. In addition to the use of explosives and automatic weapons, Al Qaeda trainees are instructed in computer encryption. Bin Laden associates employ cutting-edge steganography, which involves implanting a text message into a single image or letter on a website. Last July Pakistani authorities captured Muhammad Naeem Noor Khan, a kind of one-man IT department, who helped bin Laden maintain his network by sending encrypted messages to e-mail addresses in places like Turkey and Nigeria. Sites like the one discovered in New Jersey are now the preferred means of communication for Al Qaeda and its affiliates. Seven years ago, there were only a dozen websites associated with terrorist groups; today there are over 4,000.
What’s more unsettling is that American computer users may assist in this growth phase for Al Qaeda. The appeal of the Internet for those engaged in any sort of crime is twofold. First, it’s possible to conduct business in near complete anonymity provided you can divert pursuers by routing your activity through neutral networks and computers to cover your tracks. And second, most people running those networks and using those PCs are so completely naive about this technology that for the sophisticated criminal, hijacking the hardware is child’s play.
The average American computer user comprehends only a minor fraction of what his or her machine can do. Word processing, Web surfing, and burning the odd CD hardly exhaust a computer’s capabilities, and consumers who shell out $2,000 every couple of years to purchase a new computer for these purposes are a little like the bourgeois urbanites who use a Viking range to boil water and reheat takeout. But a computer is connected to the outside world—and that makes the naive owner of a networked PC vulnerable. A few years ago a computer-savvy New York identity theft ring stole the credit histories of more than 30,000 people, and used them to empty bank accounts, take out false loans, and run up credit card bills. In 2003 over a thousand people had them hijacked by a group of hackers representing porn sites, who secretly used the computers as portals through which to transmit material onto the Web. The programs didn’t harm the computers, and wouldn’t show up unless users were looking for them. “Here people are sort of involved in the porno business and don’t even know it,” said Richard M. Smith, the computer researcher who first noticed the problem. Another security analyst believed the ring could be traced to the Mafia-connected computer underground in Russia—but couldn’t say for sure.
Terrorists have become experts at identifying unguarded server space from which to upload material. Jihad videos were recently discovered on the servers of George Washington University and the Arkansas State Highway and Transportation Department. Some of the more sophisticated terrorist sites migrate from one server to another, often several times a day, in order to evade the authorities. “Reverse proxy servers” allow a user to cloak his identity behind a “front” computer, by transmitting material through that computer onto the Internet while making it appear that the front computer is in fact the server.
It’s not only civilians who are vulnerable to the menaces of the Web. In the late ’90s a group of analysts at the National Security Agency launched a war game called Eligible Receiver, in which they downloaded easily accessible software from hacker websites to see what kind of damage they could do. They determined that it would be possible to shut down the U.S. electrical power grid and disable the command-and-control elements of the U.S. Pacific Command. Not only could the FBI and the Pentagon not foil the simulated attacks, the chain of proxy servers was such that they couldn’t even identify where all but one of the attacks were coming from. When Congress’s General Accounting Office released its annual Computer Security Report Card for 2003, the Department of Defense received a D. Homeland Security got an F.
If a sort of arms race between the good guys and the bad guys has developed with respect to Internet technology, it’s clear that the bad guys have a decisive head start. Big bureaucracies are uniquely ill equipped to keep up with rapidly evolving technologies. Stubborn institutional culture, clogged channels of communication, and the sheer number of employees in American law enforcement and intelligence agencies make it difficult to shift with the technological sands. Last month it emerged that the FBI had undertaken a $170 million overhaul of its antiquated computer systems—which will likely be abandoned because of technical problems.
In 2002 four Microsoft engineers published a paper in which they coined the term the “darknet.” This was essentially an extensive and opaque Internet black market, “not a separate physical network but an application and protocol layer riding on existing networks,” in which peer-to-peer sharing and other forms of piracy succeeded in flouting copyright laws and distributing material that was effectively contraband. Today it is obvious that the dark side of the Internet is much more extensive—and much more dangerous—than this initial interpretation suggested. Terrorists have strong incentives to master new technologies and exploit this country’s 159 million Internet users in a virtual game of hide-and-seek.
What is most extraordinary and ironic about this predicament is that developments that throughout the 1990s we tended to think of as unequivocally good—the free flow of information and ideas, the exponential acceleration of communications, the “borderless” quality of the Internet—now appear to cut both ways, to have a dramatic downside. The dark regions of the Internet have allowed Al Qaeda to reconstitute itself as a virtual terrorist group, one that is beginning, through its masterful distribution of propaganda, to resemble not so much an organization as a movement, and one that has used America’s accelerated rate of technological growth to its own advantage. The only option for law enforcement and intelligence agencies is to become more skilled with network security technologies—or to hire those who already are. Three years after his release, Kevin Mitnick was allowed to use the Internet. He set up a computer security consultancy. Perhaps the Department of Homeland Security should look him up.
Patrick Radden Keefe is the author of Chatter: Dispatches From the Secret World of Global Eavesdropping (Random House). He is a student at Yale Law School.