Officials Study Cybersecurity Manual Popular Among Islamic State Supporters

Sean Dempsey/PA Wire URN:20459827 (Press Association via AP Images)

The magazine Wired has published a document purported to be the operational security manual for the Islamic State: a 34-page PDF file uncovered by the Combating Terrorism Center at the West Point military academy and somewhat loosely translated from Arabic.

Much of the advice contained in the guide is common-sense information harvested from public sources, such as avoiding services like Google and Facebook that are known to have privacy issues, relying instead upon more obscure, secretive products like the Tor web browser and Telegram chat service. There are tips for setting up private networks and avoiding common security blunders, such as clicking on mysterious links or downloading software from third-party sources.

The guide also issues warnings about supposedly secure services from American providers who might be secretly cooperating with the government, with the exception of Apple’s encrypted iMessage service, which is endorsed as “impervious to both spying from government intelligence agencies and Apple itself.”

On the other hand, the encryption service WhatsApp gets a thumbs-down, even though U.S. officials frequently name it as a favorite of Islamic State militants, because there are thought to be vulnerabilities in its secure communications software.

Another much-discussed communication system not recommended by the opsec guide is the Sony PlayStation game network, rumored by Belgian officials to have been employed by ISIS.

There is, for the record, some advice from Edward Snowden included in the opsec guide, such as staying away from the file-sharing service called Dropbox.

Several problems with drawing conclusions from this file are immediately apparent. As Wired notes, it was not written for ISIS; it was created by a Kuwaiti security firm to “advise journalists and political activists in Gaza on how to protect their identities, the identity of their sources and the integrity of information they report.”

One of the West Point researchers described the guide as containing essentially the same advice he gives to “human rights activists and journalists to avoid state surveillance in other countries.” Wired likewise judges there are “no surprises among the documents.” It appears to be one of many resources ISIS supporters are passing around in forums, with no solid indication that any of its advice has been used as written.

It is, however, a useful indication that ISIS and its supporters are making an effort to keep up with the security debate, and they clearly take the online efforts of counterterrorism experts seriously. The popularity among savage terrorists and their supporters of a privacy guide written to help journalists and human-rights advocates avoid the censorship of oppressive regimes also illustrates the fundamental issue of the privacy debate: if decent people are given invincible privacy tools, bloodthirsty monsters will use them, too.

“The technology lets ISIS hatch plots in secret, but it’s also the key to protecting pro-democracy protests and other vital forms of free speech,” Engadget observes. “And since there’s no such thing as an encryption backdoor that’s only available to the ‘right’ people (anyone can use those vulnerabilities), cracking down on these tools could hurt privacy and security across the board.”

Intelligence officials have complained that private use of sophisticated encryption technology makes it difficult for them to monitor criminals and intercept terrorist plots. After the Paris terrorist attack, accusations were leveled at NSA leaker Edward Snowden for teaching ISIS and other terror groups how to neutralize effective electronic surveillance techniques.

Former CIA director James Woolsey went so far as saying Snowden had “the blood of a lot of these French young people” on his hands, and recommended his execution – preferably by having him “hanged by the neck until he’s dead, rather than merely electrocuted.”

Critics of the case against encryption say that terrorists rarely seem to bother with the sophisticated precautions intelligence officials are complaining about, and there has been little evidence such secrecy tools were employed in the Paris terror attack. For example, Wired notes that one of the terrorists dropped a relatively unsecure cell phone in a trash can outside the Bataclan concert hall, allowing the authorities to locate and destroy an ISIS cell by simply tracing the phone’s movements around Paris, thwarting what could have been another brutal attack this week.

“Other reports indicate that a previous ISIS terrorist plot targeting police in Belgium was disrupted in that country last January because Abdelhamid Abaaoud – suspected mastermind of both that plot and the Paris attacks – had failed to use encryption,” adds Wired. “He also carelessly left behind a cellphone in Syria, which contained unencrypted pictures and videos, including one now-infamous video showing him smiling from a truck as he dragged bodies of victims through a street.”

This could be taken as evidence terrorists are much sloppier than the intel community portrays them, and have not carefully studied material such as Snowden’s stolen documents. Instead, they rely on the sheer volume of message traffic to hide their activities, gambling that overwhelmed counterintelligence agencies lack the resources to pinpoint and intercept vital terrorist communications. On the other hand, some might conclude masterminds like Abaaoud are learning from past mistakes, and coming to appreciate the value of good operational security.

It is dangerous to assume that terrorists will not learn from experience, especially since there exists compelling evidence they are following the privacy debate and keeping current on hacktivist techniques. It takes little tech savvy to use Telegram or iMessage. If it is not easy to make the sort of mistakes our intelligence services exploit, terrorists will be less likely to make them. Rookie blunders, such as tossing a cell phone full of useful data into a trash can outside the venue where one of history’s most brutal terrorist massacres was perpetrated, might lead us to underestimate the senior terrorist leaders who do not make that kind of error.