[iwar] Article: Cyberwarriors: Activists and Terrorists Turn To Cyberspace

From: ellisd@cs.ucsb.edu
Date: 2001-08-31 05:28:10



Harvard International Review, Summer 2001

Cyberwarriors: Activists And Terrorists Turn To Cyberspace 

ABSTRACT: 

Cyberspace is increasingly used as a digital battleground for rebels, 
freedom fighters, terrorists, and others who employ hacking tools to 
protest
and participate in broader conflicts. Whereas "hacktivism" is real and 
widespread, "cyberterrorism" exists only in theory. Terrorist groups 
are
using the internet, but they still prefer bombs to bytes as a means of 
inciting terror. Cyberspace is now much more than a place for 
electronic
commerce and communication. It has become a digital battleground for 
hacker warriors. 

BODY: 

As Palestinian rioters clashed with Israeli forces in the fall of 
2000, Arab and Israeli hackers took to cyberspace to participate in 
the action.
According to the Middle East Intelligence Bulletin, the cyberwar began 
in October, shortly after the Lebanese Shiite Hezbollah movement
abducted three Israeli soldiers. Pro-Israeli hackers responded by 
crippling the guerrilla movement's website, which had been displaying 
videos
of Palestinians killed in recent clashes and which had called on 
Palestinians to kill as many Israelis as possible. Pro-Palestinian 
hackers
retaliated, shutting down the main Israeli government website and the 
Israeli Foreign Ministry website. From there the cyberwar escalated. 
An
Israeli hacker planted the Star of David and some Hebrew text on one 
of Hezbollah's mirror sites, while pro-Palestinian hackers attacked
additional Israeli sites, including those of the Bank of Israel and 
the Tel Aviv Stock Exchange. Hackers from as far away as North and 
South
America joined the fray, sabotaging over 100 websites and disrupting 
Internet service in the Middle East and elsewhere. 

The Israeli-Palestinian cyberwar illustrates a growing trend. 
Cyberspace is increasingly used as a digital battleground for rebels, 
freedom
fighters, terrorists, and others who employ hacking tools to protest 
and participate in broader conflicts. The term "hacktivism," a fusion 
of
hacking with activism, is often used to describe this activity. A 
related term, "cyberterrorism," refers to activity of a terrorist 
nature. However,
whereas hacktivism is real and widespread, cyberterrorism exists only 
in theory. Terrorist groups are using the Internet, but they still 
prefer
bombs to bytes as a means of inciting terror. 

Hacktivists see cyberspace as a means for nonstate actors to enter 
arenas of conflict, and to do so across international borders. They 
believe
that nation-states are not the only actors with the authority to 
engage in war and aggression. And unlike nation-states, hacker 
warriors are not
constrained by the "law of war" or the Charter of the United Nations. 
They often initiate the use of aggression and needlessly attack 
civilian
systems. 

Hacktivism is a relatively recent phenomenon. One early incident took 
place in October 1989, when antinuclear hackers released a computer
worm into the US National Aeronautics and Space Administration SPAN 
network. The worm carried the message, "Worms Against Nuclear
Killers.... Your System Has Been Officically [sic] WANKed.... You talk 
of times of peace for all, and then prepare for war." At the time of 
the
attack, anti-nuclear protesters were trying (unsuccessfully) to stop 
the launch of the shuttle that carried the plutonium-fueled Galileo 
probe on
its initial leg to Jupiter. The source of the attack was never 
identified, but some evidence suggested that it might have come from 
hackers in
Australia. 

In recent years, hacktivism has become a common occurrence worldwide. 
It accounts for a substantial fraction of all cyberspace attacks, 
which
are also motivated by fun, curiosity, profit, and personal revenge. 
Hacktivism is likely to become even more popular as the Internet 
continues to
grow and spread throughout the world. It is easy to carry out and 
offers many advantages over physical forms of protest and attack. 

The Attraction of Hacktivism 

For activists, hacktivism has several attractive features, not the 
least of which is global visibility. By altering the content on 
popular websites,
hacktivists can spread their messages and names to large audiences. 
Even after the sites are restored, mirrors of the hacked pages are 
archived
on sites such as Attrition.org, where they can be viewed by anyone at 
any time and from anywhere. Also, the news media are fascinated by
cyberattacks and are quick to report them. Once the news stories hit 
the Internet, they spread quickly around the globe, drawing attention 
to the
hackers as well as to the broader conflict. 

Activists are also attracted to the low costs of hacktivism. There are 
few expenses beyond those of a computer and an Internet connection.
Hacking tools can be downloaded for free from numerous websites all 
over the world. It costs nothing to use them and many require little 
or no
expertise. 

Moreover, hacktivism has the benefit of being unconstrained by 
geography and distance. Unlike street protesters, hackers do not have 
to be
physically present to fight a digital war. In a "sit-in" on the 
website of the Mexican Embassy in the United Kingdom, the Electronic 
Disturbance
Theater (EDT) gathered over 18,000 participants from 46 countries. 
Hacktivists could join the battle simply by visiting the EDT's 
website. 

Hacktivism is thus well-suited to "swarming," a strategy in which 
hackers attack a given target from many directions at once. Because 
the
Internet is global, it is relatively easy to assemble a large group of 
digital warriors in a coordinated attack. The United Kingdom-based
Electrohippies Collective estimated that 452,000 people participated 
in their sit-in on the website of the World Trade Organization (WTO). 
The
cyberattack was conducted in conjunction with street protests during 
the WTO's Seattle meetings in late 1999. 

Another attraction of hacktivism is the ability to operate anonymously 
on the Internet. Cyberwarriors can participate in attacks with little 
risk of
being identified, let alone prosecuted. Further, participating in a 
cyberbattle is not life-threatening or even dangerous: hacktivists 
cannot be
gunned down in cyberspace. 

Many hacktivists, however, reject anonymity. They prefer that their 
actions be open and attributable. EDT and Electrohippies espouse this
philosophy. Their events are announced in advance and the main players 
use their real names. 

Web Defacement and Hijacking 

Web defacement is perhaps the most common form of attack. 
Attrition.org, which collects mirrors and statistics of hacked 
websites, recorded
over 5,000 defacements in the year 2000 alone, up from about 3,700 in 
1999. Although the majority of these defacements may have been
motivated more by thrills and bragging rights than by some higher 
cause, many were also casualties of a digital battle. 

Web hacks were common during the Kosovo conflict in 1999. The US 
hacking group called Team Sp10it broke into government sites and 
posted
statements such as, "Tell your governments to stop the war." The 
Kosovo Hackers Group, a coalition of European and Albanian hackers,
replaced at least five sites with black and red "Free Kosovo" banners. 

In the wake of the accidental bombing of China's Belgrade embassy by 
the North Atlantic Treaty Organization (NATO), angry Chinese citizens
allegedly hacked several US government sites. The slogan "Down with 
Barbarians" was placed in Chinese on the web page of the US Embassy
in Beijing, while the US Department of Interior website showed images 
of the three journalists killed during the bombing, and crowds 
protesting
the attack in Beijing. The US Department of Energy's home page read: 

"Protest USA's Nazi action!.. We are Chinese hackers who take no cares 
about politics. But we can not stand by seeing our Chinese reporters
been killed which you might have know [sic]... NATO led by USA must 
take absolute responsibility... We won't stop attacking until the war
stops!" 

Web defacements were also popular in a cyberwar that erupted between 
hackers in China and Taiwan in August 1999. Chinese hackers defaced
several Taiwanese and government websites with pro-China messages 
saying Taiwan was and always would be an inseparable part of China.
"Only one China exists and only one China is needed," read a message 
posted on the website of Taiwan's highest watchdog agency. Taiwanese
hackers retaliated and planted a red and blue Taiwanese national flag 
and an anti-Communist slogan, "Reconquer, Reconquer, Reconquer the
Mainland," on a Chinese high-tech Internet site. The cyberwar followed 
an angry exchange between China and Taiwan in response to 
then-Taiwanese President Lee Teng-hui's statement that China must deal with 
Taiwan on a "state-to-state" basis. 

Many of the attacks during the Israeli-Palestinian cyberwar were web 
defacements. The hacking group GForce Pakistan, which joined the
pro-Palestinian forces, posted heartwrenching images of badly mutilated 
children on numerous Israeli websites. The Borah Torah site also
contained the message, "Jews, Israelis, you have crossed your limits, 
is that what Torah teaches? To kill small innocent children in that 
manner?
You Jews must die!" along with a warning of additional attacks. 

Hacktivists have also hijacked websites by tampering with the Domain 
Name Service so that the site's domain name resolves to the IP address
of some other site. When users point their browsers to the target 
site, they are redirected to the alternative site. 

In what might have been one of the largest mass website takeovers, the 
antinuclear MilwOrm hackers joined with the Ashtray Lumberjacks
hackers in an attack that affected more than 300 websites in July 
1998. According to reports, the hackers broke into the British 
Internet service
provider (ISP) EasySpace, which hosted the sites. They altered the 
ISP's database so that users attempting to access the sites were 
redirected to
a MilwOrm site, where they were greeted by a message protesting the 
nuclear arms race. The message concluded with "Use your power to keep
the world in a state of PEACE and put a stop to this nuclear 
bullshit." 

Web Sit-ins 

Web sit-ins are another popular form of attack. Thousands of Internet 
users simultaneously visit a target website and attempt to generate
sufficient traffic to disrupt normal service. A group calling itself 
Strano Network conducted what was probably the first such 
demonstration as a
protest against the French government's policies on nuclear and social 
issues. On December 21, 1995, they launched a one-hour Net'Strike
attack against the websites operated by various government agencies. 
At the appointed hour, participants from all over the world pointed 
their
browsers to the government websites. According to reports, at least 
some of the sites were effectively knocked out for the period. 

In 1998, EDT took the concept a step further and automated the 
attacks. They organized a series of sit-ins, first against Mexican 
President
Ernesto Zedillo's website and later against US President Bill 
Clinton's White House website, the Pentagon, the US Army School of the 
Americas,
the Frankfurt Stock Exchange, and the Mexican Stock Exchange. The 
purpose was to demonstrate solidarity with the Mexican Zapatistas.
According to EDT's Brett Stalbaum, the Pentagon was chosen because "we 
believe that the US military trained the soldiers carrying out the
human-rights abuses." For a similar reason, the US Army School of the 
Americas was selected. The Frankfurt Stock Exchange was targeted,
Stalbaum said, "Because it represented capitalism's role in 
globalization utilizing the techniques of genocide and ethnic 
cleansing, which is at
the root of the Chiapas' problems. The people of Chiapas should play a 
key role in determining their own fate, instead of having it pushed on
them through their forced relocation.. which is currently financed by 
Western capital." 

To facilitate the strikes, the organizers set up special websites with 
automated software. All that was required of would-be participants was 
to
visit one of the FloodNet sites. When they did, their browser would 
download the software (a Java Applet), which would access the target 
site
every few seconds. In addition, the software let protesters leave a 
personal statement on the targeted server's error log. For example, if 
they
pointed their browsers to a nonexistent file such as "human_rights" on 
the target server, the server would log the message, "human_rights not
found on this server." 
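
Added example, not part of the original article: a defender-side log check
for the sit-in pattern described above (a client re-requesting the target
every few seconds, with "message" paths that end up as 404s in the server
log). It assumes Common Log Format; the function names, thresholds and the
sample lines are constructed for illustration.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse(lines):
    """Yield (ip, time, path, status) for each well-formed line; skip the rest."""
    for line in lines:
        m = CLF.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, m["path"], int(m["status"])


def find_sit_in_clients(lines, min_requests=5, max_period=10.0,
                        max_jitter=1.5, min_404_share=0.5):
    """Flag clients that poll at a short, steady interval and mostly hit 404s.

    A person browsing produces irregular gaps; an automated reloader produces
    a near-constant gap of a few seconds. Thresholds are assumptions to tune.
    """
    by_ip = defaultdict(list)
    for ip, ts, _path, status in parse(lines):
        by_ip[ip].append((ts, status))
    flagged = {}
    for ip, hits in by_ip.items():
        if len(hits) < min_requests:
            continue
        hits.sort(key=lambda h: h[0])
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        period = statistics.median(gaps)      # typical seconds between requests
        jitter = statistics.pstdev(gaps)      # how steady that interval is
        share = sum(1 for _, s in hits if s == 404) / len(hits)
        if period <= max_period and jitter <= max_jitter and share >= min_404_share:
            flagged[ip] = {"requests": len(hits), "period_s": period,
                           "share_404": round(share, 2)}
    return flagged


def shared_missing_paths(lines, min_clients=2):
    """Return 404 paths requested by several distinct clients.

    The same nonexistent path arriving from many sources is the
    'statement left in the error log' pattern, not a broken link.
    """
    clients = defaultdict(set)
    for ip, _ts, path, status in parse(lines):
        if status == 404:
            clients[path].add(ip)
    return {p: len(c) for p, c in clients.items() if len(c) >= min_clients}


def sample_log():
    """Constructed log lines (RFC 5737 documentation addresses), not real traffic."""
    fmt = '{ip} - - [01/Jan/2001:12:{mm:02d}:{ss:02d} +0000] "GET {path} HTTP/1.0" {st} 210'
    lines = []
    for i in range(6):  # two automated clients: one request every 3 s and 4 s
        lines.append(fmt.format(ip="192.0.2.10", mm=0, ss=i * 3,
                                path="/human_rights", st=404))
        lines.append(fmt.format(ip="198.51.100.7", mm=0, ss=i * 4,
                                path="/human_rights", st=404))
    # one ordinary visitor: irregular gaps, a single broken link
    for mm, ss, path, st in [(0, 5, "/", 200), (0, 47, "/news.html", 200),
                             (3, 10, "/old.html", 404), (3, 40, "/", 200),
                             (9, 0, "/contact.html", 200)]:
        lines.append(fmt.format(ip="203.0.113.50", mm=mm, ss=ss, path=path, st=st))
    lines.append("garbled line that is not in Common Log Format")
    return lines


SAMPLE = sample_log()

if __name__ == "__main__":
    print(find_sit_in_clients(SAMPLE))
    print(shared_missing_paths(SAMPLE))
```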

When the Pentagon's server sensed the attack from the FloodNet 
servers, it launched a counteroffensive against the users' browsers,
redirecting them to a page with an Applet program called 
"HostileApplet." Once there, the new applet was downloaded to their 
browsers, where
it endlessly tied up their machines trying to reload a document until 
the machines were rebooted. The Frankfurt Stock Exchange reported that
they were aware of the protest but believed it had not affected their 
services. Overall, EDT considered the attacks a success. "Our interest 
is to
help the people of Chiapas to keep receiving the international 
recognition that they need to keep them alive," said Stalbaum. 

Since the time of the strikes, FloodNet and similar software have been 
used in numerous sit-ins sponsored by EDT, the Electrohippies, and
others. There were reports of FloodNet activity during the 
Israeli-Palestinian cyberwar. Pro-Israel hackers created a website 
called Wizel.com,
which offered FloodNet software and other tools before it was shut 
down. Pro-Palestinian hackers put up similar sites. 

The Electrohippies have been criticized for denying their targets' 
right to speech when conducting a sit-in. Their response has been that 
a sit-in
is acceptable if it substitutes the deficit of speech by one group 
with a broad debate on policy issues and if the event used to justify 
the sit-in
provides a focus for the debate. The Electrohippies also demand broad 
support for their actions. An operation protesting genetically 
modified
foods was aborted when the majority of visitors to their site did not 
vote for the operation. 

Denial-of-Service Attacks 

Whereas a web sit-in requires participation by tens of thousands of 
people to have even a slight impact, the so-called denial-of-service 
(DoS)
and distributed denial-of-service (DDoS) tools allow lone 
cyberwarriors to shut down websites and e-mail servers. With a DoS 
attack, a hacker
uses a software tool that bombards a server with network messages. The 
messages either crash the server or disrupt service so badly that
legitimate traffic slows to a crawl. DDoS is similar except that the 
hacker first penetrates numerous Internet servers (called "zombies") 
and
installs software on them to conduct the attack. The hacker then uses 
a tool that directs the zombies to attack the target all at once. 

During the Kosovo conflict, Belgrade hackers were credited with DoS 
attacks against NATO servers. They bombarded NATO's web server with
"ping" commands, which test whether a server is running and connected 
to the Internet. The attacks caused line saturation of the targeted
servers. 

Similar attacks took place during the Israeli-Palestinian cyberwar. 
Pro-Palestinian hackers used DoS tools to attack Netvision, Israel's 
largest ISP.
While initial attacks crippled the ISP, Netvision succeeded in fending 
off later assaults by strengthening its security. 

Automated e-mail bombings represent another way of disrupting service. 
In what some US intelligence authorities characterize as the first
known attack by terrorists against a country's computer systems, 
ethnic Tamil guerrillas swamped Sri Lankan embassies with thousands of
e-mail messages. The messages read, "We are the Internet Black Tigers 
and we're doing this to disrupt your communications." An offshoot of
the Liberation Tigers of Tamil Eelam, which had been fighting for an 
independent homeland for minority Tamils, was credited with the 1998
incident. 

The e-mail bombing consisted of about 800 e-mails a day for about two 
weeks. William Church, managing director of the Centre for
Infrastructural Warfare Studies (CIWARS), observed that "the 
Liberation Tigers of Tamil are desperate for publicity and they got 
exactly what
they wanted.... Considering the routinely deadly attacks committed by 
the Tigers, if this type of activity distracts them from bombing and 
killing,
then CIWARS would like to encourage them, in the name of peace, to do 
more of this type of 'terrorist' activity." 

Future Prospects 

As the Internet continues to grow, its popularity as a digital 
battleground for hacker warriors is likely to increase. There will be 
more targets to
attack and more people to attack them. Many regions of conflict in the 
world have only recently joined the Internet. When they have, the
conflict has followed them online. It seems likely that every major 
conflict in the physical world will have a parallel operation in 
cyberspace.
Further, there may be cyberspace battles with no corresponding 
physical operations. 

Cyberdefenses will improve, but they are unlikely to fend off all 
attacks. New vulnerabilities are continually uncovered at a faster 
rate than ever
before. Security lags behind. Cyberwarriors, therefore, will have 
little difficulty finding weak systems to attack. Hacking tools will 
become more
powerful and easier to use. 

Although hacktivism is certain to be a part of the picture, it is 
harder to predict the extent to which terrorists might engage in 
attacks with
potentially lethal or catastrophic consequences. While many hackers 
have the knowledge, skills, and tools to attack computer systems, they
generally lack the motivation to cause violence or severe economic or 
social harm. Conversely, terrorists who are motivated to cause 
violence
seem to lack the capability or motivation to cause that degree of 
damage in cyberspace. 

In August 1999, the Center for the Study of Terrorism and Irregular 
Warfare at the Naval Postgraduate School in Monterey, California, 
issued a
report entitled "Cyberterror: Prospects and Implications." Their 
objective was to articulate the demand side of terrorism. 
Specifically, they
assessed the prospects of terrorist organizations pursuing 
cyberterrorism. They concluded that the barrier to entry for anything 
beyond
annoying hacks is quite high and that terrorists generally lack the 
wherewithal and human capital needed to mount a meaningful operation.
Cyberterrorism, they argued, was a thing of the future, although it 
might be pursued as an ancillary tool. 

The Monterey team defined three levels of cyberterror capability. The 
first level is simple-unstructured: the capability to conduct basic 
hacks
against individual systems using tools created by someone else. The 
organization possesses little target analysis, command and control, or
learning capability. 

The second is advanced-structured: the capability to conduct more 
sophisticated attacks against multiple systems or networks, and 
possibly to
modify or create basic hacking tools. The organization possesses 
elementary target analysis, command and control, and learning 
capabilities. 

The third is complex-coordinated: the capability to coordinate attacks 
capable of causing mass disruption against integrated, heterogeneous
defenses (including cryptography). The organization has the ability to 
create sophisticated hacking tools. They possess a highly capable 
target
analysis, command and control, and organizational learning capability. 

The Monterey team estimated that it would take a group starting from 
scratch two to four years to reach the advanced-structured level and 
six
to ten years to reach the complex-coordinated level, although some 
groups may get there in just a few years or turn to outsourcing or
sponsorship to extend their capabilities more rapidly. 

The study examined five types of terrorist groups: religious, New Age, 
ethno-nationalist separatist, revolutionary, and far-right extremist. 
The
authors determined that only the religious groups are likely to seek 
the most damaging capability level, as it is consistent with their
indiscriminate application of violence. New Age or single-issue 
terrorists, such as the Animal Liberation Front, pose the most 
immediate threat.
However, such groups are likely to accept disruption as a substitute 
for destruction. Both the revolutionary and ethno-nationalist 
separatists
are likely to seek an advanced-structured capability. The far-right 
extremists are likely to settle for a simple-unstructured capability, 
as
cyberterror offers neither the intimacy nor the cathartic effects that 
are central to the psychology of far-right terror. The study also 
determined
that hacker groups are psychologically and organizationally ill-suited 
to cyberterrorism, and that it would be against their interests to 
cause mass
disruption of the information infrastructure. 

For a terrorist, digital battles have other drawbacks. Systems are 
complex, so controlling an attack and achieving a desired level of 
damage may
be harder than using physical weapons. Unless people are injured, 
there is also less drama and emotional appeal. Further, terrorists may 
be less
inclined to try new methods unless they see their old ones as 
inadequate, particularly when the new methods require considerable 
knowledge
and skill to use effectively. Terrorists generally stick with tried 
and true methods. Novelty and sophistication of attack may be much 
less
important than the assurance that a mission will be operationally 
successful. Indeed, the risk of operational failure could be a 
deterrent to
terrorists. For now, the truck bomb poses a much greater threat than 
the logic bomb. 

The next generation of terrorists will grow up in a digital world, 
with ever more powerful and easy-to-use hacking tools at their 
disposal. They
might see greater potential for cyberterrorism than do the terrorists 
of today, and their level of knowledge and skill relating to hacking 
will be
greater. Hackers and insiders might be recruited by terrorists or 
become self-recruiting cyberterrorists, the Timothy McVeighs of 
cyberspace.
Some might be moved to action by cyberpolicy issues, making cyberspace 
an attractive venue for carrying out an attack. Cyberterrorism could
also become more attractive as the real and virtual worlds become more 
closely coupled, with a greater number of physical devices attached to
the Internet. Some of these may be remotely controlled. Unless these 
systems are carefully secured, conducting an operation that physically
harms someone may be as easy as penetrating a website is today. 

Although cyberterrorism is likely to be at least a few years into the 
future, hacktivism is here today and likely to stay. Cyberspace is now 
much
more than a place for electronic commerce and communication. It has 
become a digital battleground for hacker warriors. 

SIDEBAR: 

Whereas hacktivism is real and widespread, cyberterrorism exists only 
in theory. Terrorist groups are using the Internet, but they still 
prefer
bombs to bytes as a means of inciting terror. 

It seems likely that every major conflict in the physical world will 
have a parallel operation in cyberspace. Further, there may be 
cyberspace
battles with no corresponding physical operations.





This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:40 PDT