Lesson Slides
The Analyst's Environmentq
"Any sources and methods of intelligence will remain guarded and secret. My administration will not talk about how we gather intelligence, if we gather intelligence, and what the intelligence says. That's for the protection of the American people." - President George W. Bush, following the terrorists.' catastrophic surprise attacks on the New York World Trade Center and the Pentagon, 13 September 2001 What is intelligence really all about? Answer: The pursuit-of truth. An inspirational quotation from the New Testament is chiseled in the marble wall inside the main entrance of CIA Headquarters in Langley Virginia: "And ye shall know the truth, and the truth shall make you free." Congress has passed some laws in recent years dealing with truth-Truth in Lending, for example, and Truth in Advertising.
Extraordinary Renditions
"Extraordinary rendition" is the practice of transporting suspected foreign terrorists or other individuals suspected for crimes, to third countries for interrogation and imprisonment Covert extraordinary renditions began in the 1990s Its increasing use for terrorism suspects since the 9/11 attacks has put it into public view Extraordinary renditions are controversial for several reasons They are, by nature, extraterritorial (can be viewed as infringing on the sovereignty of other nations) They may involve the transfer of suspected terrorists to third countries, whose legal standards about custody, civil rights and interrogation techniques may be different than those in the U.S.
Covert Action Issues
ASSASSINATIONS: Since 1975, the U.S. has formally banned the use of assassination, either directly or through a third party The policy has generated controversy Opponents insist it is morally wrong for a state to target specific individuals (except where a state of war exists) Proponents argue that assassination could be the best option in certain cases & might be morally acceptable, depending on the target
What do Cyberattacks do?
An attack against computers may: (1) disrupt equipment and hardware reliability, (2) change processing logic, or (3) steal or corrupt data
Counterterrorism Strategies
Broad, "philosophical" categories of ways to deal with the challenge of terrorism Descriptive of overall goals rather than of concrete counterterrorism measures Note possible overlap among the specific aims and policy instruments associated with each strategy Most governments' counterterrorism policies combine elements of more than one strategy
CHAPTER 11
Counterterrorism • Drone Warfare • Guantánamo • Enhanced Interrogation • Military Commissions • Surveillance • Racial Profiling • Immigration • Social Media
The National Intelligence Strategy of the United States of America
Counterterrorism: Identify, understand, monitor, and disrupt state and non-state actors engaged in terrorism and related activities to defeat threats to the United States, our people, interests, and partners
What Is Covert Action?
Covert Action (also referred to as Clandestine Operations, Black Ops, and Black Operations) is any of several types of operations aimed at influencing events/developments in target countries or areas or combatting terrorist and other criminal groups Covert Action must be deniable must not be attributable to the government that authorized it
Important Distinctions
Cyber-espionage is unauthorized probing to test a target computer's configuration or evaluate its system defenses, or the unauthorized viewing and copying of data files -Many different foreign intelligence organizations regularly attempt to hack into the computer systems of U.S. government agencies and U.S. companies Cybercrime is crime that is enabled by, or that targets computers: Can involve theft (including identity theft or theft of intellectual property) or extortion (ransomware, etc.) May also includes attacks against computers to deliberately disrupt processing A cyberattack may be crime or terrorism -- distinction in the intent of the attacker; possible to be both
The Importance of Cyberspace
Cyberspace is the "nervous system" of the modern world's critical infrastructures, governmental and commercial institutions Cyberspace is composed of hundreds of thousands of interconnected computers, servers, routers, switches, and fiber optic cables that allow our infrastructures and institutions -- our society -- to work Cyberspace provides a fulcrum for leveraging physical attacks by disrupting communications, hindering retaliatory actions or delaying essential emergency responders to an attack The Cyber Threat to the Homeland: Cyber threats to the Homeland from both nation-states and non-state actors will remain acute. U.S. critical infrastructure faces advanced threats of disruptive or destructive cyberattacks. Federal, state, local, tribal and territorial governments, as well as the private sector, will experience an array of cyber-enabled threats designed to access sensitive information, steal money, and force ransom payments. OPPORTUNITY FOR CYBER ACTORS TO EXPLOIT COVID-19: Both cybercriminals and nation-state cyber actors—motivated by profit, espionage, or disruption—will exploit the COVID-19 pandemic by targeting the U.S. healthcare and public health sector; government response entities, such as the U.S. Department of Health and Human Services and the Federal Emergency Management Agency; and the broader emergency services sector.
LS 2: SRA 211 CYBERTERRORISM
Defining Cyberterrorism • Information Warfare/Cyber Jihad • Methods of Cyber Attack • The Appeal of Cyberterrorism for Terrorists • Examples of "Cyber Warfare" • SCADA • U.S. Strategy
Specific Policy Instruments Used
Diplomacy/Negotiations Public Diplomacy Foreign Aid & Economic Sanctions Intelligence-Gathering Military Force & Covert Operations Legal/Law Enforcement Measures Homeland Security & Defensive Measures
Policy Instruments
Diplomacy/Negotiations: Bilateral or multilateral channels of communication with terrorist groups or their sponsors Primary policy instrument where strategy is engagement Often carried out outside of public view May be more effective in dealing with state-sponsored terrorism or with terrorist groups that also have a "political" wing Examples: Libya, IRA (Sinn Fein), PLO (Fatah) Diplomacy/Negotiations Multilateral efforts most effective against state sponsors of terrorism Coalition-building essential Unilateral efforts usually buttressed by other policy instruments, such as public diplomacy or economic sanctions Even if not usually effective overall, may be used in specific hostage-taking and other situations BUT -- Many hard-core terrorist organizations not interested in dialogue or negotiations Public Diplomacy: Effort to win "hearts and minds" of terrorists or their sponsors & supporters Presupposes that terrorism is rooted in misunderstanding of a government's policies Aims at disseminating a positive image of a government's values, culture (and policies) Often used in conjunction with traditional diplomacy Mechanisms include academic & cultural exchanges, public affairs programming aimed at target groups NOTE problem of "compartmentalization:" positive (or at least neutral) feelings about the "enemy's" culture & society but rejection of its government & policies Foreign Aid: Usually only applies to states that sponsor terrorism Assistance can be "carrot" or "stick" by rewarding states that cooperate in counterterrorism or punishing those who support terrorists Some governments have programs aimed at strengthening counterterrorism capabilities in less developed countries BUT note criticism that withholding foreign assistance often impacts innocents Economic Sanctions: Likewise only applies to states that sponsor terrorism Can include trade embargoes/boycotts, tariffs & other trade restrictions and import/export duties & quotas Also include freezing of assets & bank accounts or target country (nationally or internationally) Track-record of effectiveness is mixed; also criticized as impacting innocent civilian population rather than target government or its leadership Perhaps most effective in disrupting terrorists' sources of financing (in conjunction with other law enforcement measures) Intelligence-Collection/Analysis: Articulation of intelligence requirements & the collection, analysis and dissemination of information from multiple sources employing various methods Focus on capabilities, activities and intentions of terrorist groups Ideally provides insights into terrorists' motivations and thought processes NOTE: Articulation of intelligence requirements, collection, analysis & dissemination (information-sharing) are interlocking parts of effective intelligence operations Military Force: Can be very effective means of retaliation in response to terrorist attack or means of deterring such attacks Advantages: May succeed in removing immediate terrorist threat Can degrade terrorists' long-term capabilities Use as example to discourage others from terrorism Disadvantages: Substantial costs in resources expended, lives lost, destruction caused ("free-rider" problem) May erode attacker's political/moral standing & create sympathy for terrorists and their cause Forst: Trains terrorists in asymmetric warfare Covert Operations: Clandestine operations that also seek to conceal identity of sponsor Various Types & Methods: Use of force (targeted assassinations/kidnappings, secret pre-emptive strikes/commando attacks) Nonviolent (infiltration/subversion of terrorist group, disinformation, information/cyberwarfare) Advantages: Minimize collateral damage, exposure and traceability Disadvantages: Issues of morality, legality and ethics Usually small-scale (or else hard to keep "covert")
Thoughts to Ponder
Discuss the purpose of the Department of Homeland Security and the various agencies that constitute the Department of Homeland Security. Does it make sense to have created such a large bureaucratic organization to combat terrorism and other threats? Sketch the historical response in the United States to what are viewed as internal domestic threats. Are there lessons from the past in terms of how to respond to domestic threat
Dissemination
Dissemination of Intelligence: - Amount of intelligence collected & extent of analysis performed virtually useless if finished product not transmitted to those who need it
The "Intelligence Cycle"
Dissemination-Policy-level Intelligence Requirements-Collection-Processing & Exploitation-Analysis
DRONE WARFARE
Drones, or remote targeted aerial vehicles, are a central component of the war on terrorism. These unmanned, armed vehicles are equipped with cameras and are used to track terrorists. Images are sent back to operators stationed outside the battlefield who control the guidance and targeting of the armed drones. Low Cost / No Boots on the Ground / Out of Sight, Out of Mind Vietnam
Overarching Counterterrorism Strategies
Engagement Deterrence Pre-emption Homeland Defense
Counterterrorism Strategies 2
Engagement: Focus on diplomacy and projection of "soft power;" seeks dialogue with terrorists; willingness to enter negotiations. May include both sticks and carrots. Focus is often on addressing the underlying sources/causes of terrorism Advantage: Usually less costly in terms of resources used and lives lost compared to military/law enforcement interventions Disadvantage: Does not work with most terrorist groups Traditionally more European than U.S. approach Deterrence: Broad strategy category that may include defensive measures to deter attacks (target-hardening, homeland security) as well as the threat (or use) of active measures, including offensive military operations, intelligence-gathering, legal and law enforcement measures Key concept is to establish a credible threat of disproportionate responses to terrorist attacks Pre-emption: Active and aggressive measures aimed at attacking terrorists at their home bases, disrupting their organizations and operations and closing down their sources of funding and support Primary policy instrument is military force Intelligence-gathering, imposition of economic sanctions, law enforcement and active diplomacy may also play role Pre-emption strategy double-edged sword: Can be very effective in preventing attacks, but Can erode international support for "pre-emptor" (due to collateral damage, charges of "unilateralism," etc.) Homeland Defense: Focus on deterring, preventing and responding to terrorist attacks in own country Usually combined with other strategies focusing on defeating terrorists before they reach homeland
Sources of Foreign Knowledge
Espionage Unauthorized Disclosures Leaks Business Intelligence Intelligence Sharing Internet Demarche Declassifications
The Cybersecurity Act of 2015
Establishes a voluntary framework for the sharing of cybersecurity threat information between and among the federal government, state governments, and private entities Also establishes the "National Cybersecurity and Communications Integration Center" The Center's functions are "sharing cyber threat indicators, defensive measures, and other information related to cybersecurity risks and incidents with Federal and non-Federal entities," engaging with international partners to collaborate on cybersecurity information
CHAPTER SUMMARY 10
Following the 9/11 attacks President George W. Bush issued an Executive Order establishing the Department of Homeland Security (DHS). The purpose of the DHS is to coordinate the detection, preparation, prevention, response to, and recovery from terrorist attacks within the United States. The FBI and a number of federal agencies are primarily responsible for the domestic investigation of terrorism and prosecutions are carried out by the Department of Justice. Other agencies are responsible for the collection and analysis of foreign intelligence. The international community has entered into a number of agreements to coordinate efforts on airline safety, the protection of international diplomats, combating the taking of hostages, and the financing of terrorism. The United States has a history of taking strong action against internal threats that impinge on the rights and liberties of Americans.
GUANTÁNAMO
Following the 9/11 attacks, the Bush administration reportedly wanted to house detainees outside the geographical boundaries of the United States at a prison con-structed at Guantánamo Bay, thinking that American courts lacked the jurisdiction to review the legality of the detentions and of the treatment of detainees held at the offshore facility. Al Qaeda and Taliban detainees were considered unlawful combatants who should not receive the legal protections accorded to prisoners of war under the law of war, which is adhered to by virtually every country in the world. Guantánamo Bay detention camp was opened in January 2002 and since opening, it has housed 780 detainees. The island is leased by the United States from Cuba for a fee of $2,000 a year. The fee is based on a 1903 agreement between the two countries following the Spanish-American War. It has been termed the "most expensive prison on earth" and costs roughly $445 million per year to run—roughly $10 million for each detainee
The Reality of Cyberterrorism
In 2012, cyber terrorists used a deadly virus to attack the information network of Aramco, the Saudi oil company, and annihilated all of the data on 35,000 desktop computers The screens of the infected computers were left with the vision of a burning American flag A group called the Cutting Sword of Justice claimed credit for the attack
Today's Cyberterrorism Reality
In 2013, computer hackers hacked the Twitter account of The Associated Press and sent a tweet stating that there had been two explosions at the White House and that President Barack Obama was injured • Within two minutes, the stock market dropped by 143 points • The Syrian Electronic Army later claimed credit for the attack
Cyber-Espionage
In 2015, the records of 21.5 million people were compromised in a colossal breach of government computer systems that resulted in the theft of a vast quantity of personal information, including Social Security numbers and some fingerprints*** Virtually every individual given a government background check for the last 15 years was likely affected • Hackers stole "sensitive information," including addresses, health and financial history, and other private details, from 19.7 million people who had been subjected to a government background check • The theft was separate from, but related to, an earlier breach in 2015 that compromised the personnel data of 4.2 million federal employees ***
Legal/Law Enforcement Measures
Include traditional criminal proceedings, renditions and extraterritorial incarceration Counterterrorism Legislation Aimed at facilitating/streamlining criminal prosecutions for terrorist-related crimes and offenses Terrorist Financing/Money-laundering Measures Many governments have enacted laws/measures to clamp down on sources of terrorist financing International Legal Measures International policing (INTERPOL, EUROPOL), extradition treaties, international courts & tribunals
The Analyst's Environment 2
Intelligence obtained by clandestine means must be evaluated against the volumes of other information that US policymakers draw upon in their decision-making processes. We know that policymakers receive their information from many diverse sources such as newspapers, journals, television, radio, the Internet, and consultations with colleagues and friends. They also read intelligence. Intelligence is never the only source of information for them, but it can be the most important source. Intelligence competes with the other sources of information for the policymakers' attention. The issue for the Intelligence Community, and for the users of its products, is: What is the value-added that intelligence brings to the policymaking process? "We believe in stories that make you say 'holy shit' when you read them, said Bill Gertz, of The Washington Times, in a flattering profile of him that appeared in the Weekly Standard . . . . Over the past couple of years, Mr. Gertz has written more stories based on classified government documents than you can shake a stick at, infuriating Clinton Administration officials and making a mockery of official classification policy." (Steven Aftergood, in Secrecy in Government Bulletin, No.64, Jan., 1997, p. 1). Indeed Foreign intelligence services fully understand what a goldmine the US press offers through disclosures. For example, former Russian military intelligence (GRU) colonel Stanislav Lunev, wrote: "I was amazed-and Moscow was very appreciative-at how many times I found very sensitive information in American newspapers. In my view, Americans tend to care more about scooping there competition than about national security, which made my job easier." (Through' the Eyes of the Enemy, Washington, D.C.: Regnery, 1998, p. 135). Al Qa'ida terrorism. Terrorists feed on leaks. Through their investigations into whether the 9/11 attacks resulted from intelligence failure, Congress and the special Commission will learn that important intelligence collection capabilities against Osama bin Laden and al-Qaida were lost in the several years preceding September 2001. With the concurrence of NSA, the White House officially released just one of these. As press spokesman Ari Fleischer explained: And let me give you a specific example why, in our democracy and in our open system, it is vital that certain information remain secret. In 1998, for example, as a result of an inappropriate leak of NSA information, it was revealed about NSA being able to listen to Osama bin Laden on his satellite phone. As a result of the disclosure, he stopped using it. As a result of the public disclosure, the United States was denied the opportunity to monitor and gain information that could have been very valuable for protecting our country. The USGs continuing failure to control leaks as a result of three key factors: A lack of political will to deal firmly and consistently with unauthorized executive branch and Congressional leakers. The use of unauthorized disclosures as a vehicle to influence policy. The difficulty of prosecuting cases under existing statutes. Notably, not one of the five efforts to obtain legislation on unauthorized disclosures from 1981 to today succeeded. Source: How Leaks of Classified Intelligence Help US Adversaries: Implications for Laws and Secrecy James B. Bruce Who has access? Unauthorized disclosure v. Espionage
World War 2.1 ???? 2008 Georgia Cyber Attacks
July 2008 Cyber-assault by "distributed denial-of-service attack" the attacks against Georgia's Internet infrastructure began as early as July 20, with coordinated barrages of millions of requests that effectively shut down Georgian servers. the Web site of the Georgian president rendered inoperable for 24 hours by multiple D.D.O.S. attacks The Georgian government blamed Russia -- Russian government denied responsibility Ultimately, there was little effect beyond inaccessibility to many government Web sites, which limited the government's ability to spread its message online
Homeland Security/Defensive Measures
Most countries threatened by terrorism have increased homeland defense measures in recent years -- measures include: Tightened border controls Including enhanced screening of airline passengers Stepped-up protection of critical infrastructure, government facilities ("target hardening") Emergency preparedness/response Including enhanced technical and other means to detect use of weapons of mass destruction in a timely manner
Intelligence Analysis
Multifaceted evaluation of processed intelligence from a variety of sources • Goal of analysis is to provide policymakers with timely, accurate and relevant information directly related to the issues they face and the decisions they must make • Analysis of Intelligence: - Connecting the dots; "separating signals from noise" - NOTE challenges of dealing with "asymmetric" threats, "non-state" adversaries • Intel Analysis includes: - Examining patterns of communications - Interpreting imagery - Assessing reliability of sources (corroboration) - Evaluating data by cross-referencing & triangulation
The U.S. National Strategy to Secure Cyberspace
Objectives: Prevent cyber attacks against critical infrastructures; Reduce national vulnerabilities to cyber attack Minimize the damage and recovery time from cyber attacks that do occur Approach: Focus on public-private engagement Government action warranted for purposes including: Forensics and attack attribution, protection of networks and systems critical to national security, indications and warnings, and protection against organized attacks capable of inflicting debilitating damage to the economy
Future of Cyberterrorism
Our reliance on cyberspace will only continue to grow in the years ahead, as will capacity and interdependent nature of computer systems Trend toward more sophistication in cyber attacks likely to continue, while relative knowledge required to conduct an attack will decline Inability of terrorist groups to overcome physical defenses to potential targets may make cyberterrorism increasingly attractive option
Types of Covert Action
PROPAGANDA & COUNTERTERRORISM: In the counterterrorism context, propaganda may be used: To spread disinformation concerning the goals and actions of terrorist groups To highlight activities of terrorists that cast them in a negative light To counter the terrorists' own propaganda messages "Information warfare" POLITICAL ACTIVITY & COUNTERTERRORISM: Political activity can be used against states that sponsor or "tolerate" terrorism May also be used to influence events in countries or areas whose population (rather than government) supports terrorism ECONOMIC ACTIVITY & COUNTERTERRORISM: As with political activity, covert economic activity can realistically only be applied to states that sponsor or tolerate terrorism NOTE: covert "economic activity" is NOT the same as economic sanctions or embargoes, which by nature are official, "overt" acts
Methods of Cyberattack
Physical attack by conventional kinetic weapons to against computers or transmission lines to disrupt the reliability of equipment. • Electromagnetic pulse (EMP), to create an electronic attack directed against computer equipment or data transmissions • Disrupts the reliability of equipment and the integrity of data by overheating circuitry or jamming communication • Malicious code, or computer network attack (CNA), directed against computer processing code, instruction logic, or data • Generates stream of malicious network packets that can disrupt data or logic by exploiting software or security weaknesses • This type of cyberattack can disrupt the reliability of equipment, the integrity of data, and the confidentiality of communications.
Risks of Covert Operations
Policymakers and intelligence officers examine at least two levels of risk before resorting to covert action Risk of Exposure Assumption is that all covert ops will eventually become public knowledge Even a long-postponed disclosure can be embarrassing or politically costly Risk of Failure Decision-makers must weigh risks against interests at stake
What Are Analysists Expected to Do?
Produce judgments, forecasts, and insights -Accurate, timely and reliable . Work with ambiguous, missing, contradictory and sometimes deceptive data. Exercise fierce objectivity and policy neutrality. Bring value-added to customers that is unavailable from other information providers. Enhance understanding and reduce uncertainty of customers (policy makers and war fighters mostly at senior levels
LS 4:
SRA 211 Lippman Chapter 10 & 11
CHAPTER SUMMARY 11
Several public policy issues in counterterrorism, some of which have yet to be fully resolved, have been discussed in this chapter. Drone warfare has proven effective in killing terrorists and in dismantling terrorist networks, although it risks endangering and alienating civilians. Current American policy is to maintain the Guantánamo Bay prison camp to detain and to isolate terrorists, although critics assert that the facility is expensive, is unnecessary, and inspires terrorism CHAPTER 11 Counterterrorism The use of enhanced interrogation is considered torture Military commissions have proven to be an inefficient method of prosecuting accused terrorists, although they are viewed by some as preferable to providing terrorists with the full due process of protections granted in civilian jury trials.
Intelligence Process
Signals Intelligence (SIGINT) is intelligence-gathering by interception of signals, whether communications between people (communications intelligence— abbreviated to COMINT) or from electronic signals not directly used in communication (electronic intelligence—abbreviated to ELINT). Signals intelligence is a subset of intelligence collection management. As sensitive information is often encrypted, signals intelligence in turn involves the use of cryptanalysis to decipher the messages. Traffic analysis—the study of who is signaling whom and in what quantity—is also used to i
FIRST LESSON SLIDES: Counterterrorism Policy:
Strategies and Instruments
The Appeal to Terrorists of Cyberterrorism
Target rich environment: Vast number of computers/networks Anonymity: Can conceal online identity; no physical barriers or borders Cheaper than traditional terrorist methods: Only need computer and online connection Less risk Conducted remotely Broader range of impact: Cyber attack could affect large numbers; generate headlines
Global Jihad as Information Warfare
Terrorist use of the Internet and computers generally to communicate, recruit, and publicize their goals and activities is not technically "cyberterrorism" • More like information warfare • Still, terrorist use of IT is a serious and growing problem
CHAPTER 10
The Legal and Historical Basis of Homeland Security Department of Homeland Security Critical Infrastructure Federal Law Enforcement Domestic and Foreign Intelligence Federal Counterterrorism Laws Identifying State Sponsors and Foreign Terrorist Organizations Checks and Balances International Counterterrorism Agreements Historical Foundation of Homeland Security Alien and Sedition Acts The Civil War The Palmer Raids The Post-Depression Red Scare The Cold War and The Red Scare World War II Internment Vietnam Protests Homeland Security and Civil Liberties
LS 3:
The Role of Intelligence in Counterterrorism
What is Cyberterrorism?
The convergence of cyberspace and terrorism Unlawful attacks and threats of attacks against computers, networks and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives
The major international treaties on terrorism
Tokyo Convention on Offenses and Certain Other Acts Committed Aboard Aircraft (1963). Countries agree to restore the control of aircraft to the pilot and to send the passengers and containers on their intended route. Hague Convention (1970). Signatories agree to extradite air hijackers to their country of origin or to prosecute hijackers. Montreal Convention (1971). Sabotage and attacks on airports and grounded aircraft are to be prosecuted or sent to a country that seeks their extradition. Offenders are subject to severe penalties. Protection and Punishment of Crimes Against Internationally Protected Persons Including Diplomatic Agents (1973). Violent acts against diplomats, the kidnapping of diplomats, and attacks on diplomatic premises and means of transport are to be subject to criminal penalties. International Convention Against the Taking of Hostages (1979). An inter-national agreement to punish hostage takers or to extradite hostage takers for trial abroad. International Convention for the Suppression of the Financing of Terrorism. This treaty obligates signatories to prevent and punish the financing of terrorism. International Court of Justice (ICJ). The ICJ is a body established by the United Nations to consider disputes between nations and to issue advisory opinions on various issues. International Criminal Court (ICC). The court is based on a 1988 treaty and at present 128 states have joined the court which has jurisdiction to prosecute nationals of these states for international crimes, including torture, genocide, extrajudicial executions, and war crimes
The Complete Analyst
Two categories: • SME and expert on related US policies • Research methods to organize data • Imagination and scientific rigor to generate and test hypotheses IC expects these in university-educated applicants • Understanding of unique intelligence collection methods • Self-awareness of cognitive biases and cognitive influences on analysis • Openness to contrary views and Alternative Analysis • Capacity to admit and learn from errors • Ability to work effectively in a collaborative environment IC can only expect these from experience and training
Degrade US Intelligence
US decisionmakers depend on accurate and timely intelligence to warn of threats to US security such as surprise attacks by terrorists who would maim and kill US citizens simply because they are Americans; the production of chemical, biological, or nuclear weapons, and their missile delivery systems; the plans and intentions of foreign leaders who would harm US interests. Foreign adversaries of the United States increasingly have powerful incentives to degrade US intelligence. Adversaries want to conceal diabolical schemes of terrorists, hide arms control violations, or mask weapons of mass destruction. Degrading US intelligence by any means can level the playing field for less able but more wily opponents-in some cases, it can tilt it in their favor. How do adversaries do this?
U.S Cyber Command
USCYBERCOM plans, coordinates, integrates, synchronizes, and conducts activities to: direct the operations and defense of specified Department of Defense information networks conduct full-spectrum military cyberspace operations in order to enable actions in all domains, ensure U.S./Allied freedom of action in cyberspace and deny the same to U.S. adversaries
Thoughts to ponder: 11
What is the relationship between immigration and terrorism? Would you support restricting immigration to combat terrorism? Thoughts to ponder: Outline the development of the use of electronic surveillance against suspected terrorist
Types of cyber crimes
hacking, salami attack, malware dissemination, software policy, forgery, obscene or offensive content, pornography, cyber sex, fraud, phishing, spoofing, spam, denial of service, threatening, net extortion, cyber terrorism, drug trafficking, cyber warfare, cyber stalking, cyber defamation, IRC crime
SIGINT: The Issue of "Chatter"
• "Chatter" describes much of the intelligence (or patterns of intelligence) that relates to the activities, movements & communications of terrorist groups - Focus is on changes in observed patterns - Sudden increase (or decrease) in chatter can be indicator of looming terrorist activity • Chatter is by nature imprecise - Spike or drop in chatter levels may occur for a number of reasons
The Threat of Cyberterrorism
• A variety of "malicious actors" can and do conduct attacks against critical information infrastructures (not all are terrorists) • Primary threat is that of organized cyber attacks capable of causing debilitating disruption to critical infrastructures, economy, or national security • The required technical sophistication to carry out such an attack is high -- and partially explains the lack of a debilitating attack so far • BUT -- attack tools and methodologies are becoming widely available, and the technical capability and sophistication of users bent on causing havoc or disruption is improving
Intelligence & Warning
• Advance warning of attacks - Indications & warnings (I&W) is one of the most important roles of intelligence - Goal is to provide policymakers with advance warning signals of threats - Threats may be from nation-state adversaries or non-state actors - Most commonly carried out by military intelligence organizations, but all of the IC plays a role - While most I&W focuses on physical attacks, intelligence may also be obtained regarding planned cyber-attacks or other aspects of information warfare
National Counterterrorism Center
• Analyzing the Threat: - Primary USG organization for integrating and analyzing all intelligence pertaining to counterterrorism (except for information pertaining exclusively to domestic terrorism) • Sharing Information: - USG's central and shared knowledge bank on known and suspected terrorists and international terror groups
World War 2.0 ???? 2007 Estonia Cyber Attacks
• April 2007 -- Estonian Government removed Soviet war memorial from Tallinn • Cyber attack disabled websites of government, political parties, newspapers, banks, and companies. • Estonia is one of the most wired societies in Europe • Pioneer in the development of "e-government" • Highly dependent on computers; highly vulnerable • Cyber-assault by "distributed denial-of-service attack." • Bombarded websites with data, clogged servers • Attackers infiltrated computers around the world with bots, and banded them together in "zombie" networks
Human Intelligence
• Classic espionage • Most often involves sending clandestine intelligence officers to foreign countries - Aim is to recruit foreign nationals to conduct espionage - Intelligence officers may also engage in direct spying • Stealing documents, planting sensors, photographing installations • NOTE: in HUMINT/espionage terms, the "agent" is the foreign national spy, not the intelligence officer • HUMINT is largely the responsibility of the CIA/Military - Carried out by the Directorate of Operations (DO)
Federal agencies incorporated into the Department of Homeland Security
• Coast Guard • Customs and Border Protection (CPB) • Federal Emergency Management Agency (FEMA) • Immigration and Customs Enforcement (ICE) • Secret Service • Transportation Security Administration (TSA).
Intel Collection & Terrorism
• Collection of Intelligence: HUMINT, GEOINT, SIGINT, (OSINT and MASINT)
Foreign Liaison
• Cooperation with allied/friendly services is increasingly important - Particularly in the case of international terrorism and other transnational issues • Foreign intelligence services may have greater regional expertise, often possess greater linguistic/cultural expertise • Cooperation does, however, entail certain risks - Question of separate agendas or trustworthiness on the part of partner services, etc
Offensive/Defensive Intelligence
• Counterterrorism-related intelligence operations include both types • Defense: - Disrupting/deterring planned attacks - Requires intelligence on terrorist organizations, their planning and their mind-set • Offense: - Identifying, locating and attacking terrorists - Focus not only on collection & analysis, but on operations (covert or overt)
The Intelligence Process
• Defined as the various steps or stages in intelligence • The process is sometimes referred to as the "intelligence cycle" - There are a number of different models with differing number of steps in the process/cycle - All models include: requirements, collection, analysis & dissemination • Intelligence-Cycle - Articulation of intelligence requirements & the collection, analysis and dissemination of information from multiple sources employing various methods - Focus on capabilities, activities and intentions of terrorist groups - Ideally provides insights into terrorists' motivations and thought processes • NOTE: Articulation of intelligence requirements, collection, analysis & dissemination (information-sharing) are interlocking parts of effective intelligence operations
Terrorist Use of the Internet
• Defining a terrorist website is as contentious as defining terrorism • Pentagon analysts testifying before Congress said that they monitor well over five thousand "jihadi" websites, though they closely watch a small number of these -- less than one hundred -- that are deemed the most hostile Terrorist websites can serve as virtual training grounds, offering tutorials on building bombs, small-arms attacks, firing surface-to-air missiles, etc. Terrorist sites also host messages and propaganda videos which help to raise morale and further the expansion of recruitment and fundraising networks The greatest advantage of the Internet is stealth • Terrorists have developed sophisticated encryption tools and creative techniques that make the Internet an efficient and secure channel -These include steganography, a technique used to hide messages in graphic files, and "dead dropping:" transmitting information through saved email drafts in an online email account accessible to anyone with the password • The Internet also provides a global pool of potential recruits and donors
Establishing Requirements
• Every nation has fundamental security and foreign policy interests - Intelligence priorities should reflect policy priorities • Articulation of intelligence requirements means defining the policy issues or areas to which intelligence is expected to make a contribution - Includes decisions regarding relative priorities - Includes specifying the collection of certain types of information in specific cases Assessing Requirement Priorities - One intellectual method of assessing priorities is to consider the likelihood of an event and its relative importance to national security concerns Problems arise when there is a lack of clarity concerning likelihood or debate about importance
Geospatial Intelligence
• Focus of GEOINT is on imagery • Imagery may be: - Electro-optical (EO): produced by optical systems similar to images produced by cameras - Digital: transmitted as digital data streams that are reconstructed as images - Radar: pulses of radio waves reflected back to the sender - Infrared: image based on surface heat reflected
Geospatial Intelligence more
• GEOINT & Terrorism - Increased use of Unmanned Aerial Vehicles (UAVs) • Generate real-time imagery for use in intelligence analysis & targeting - Proliferation of space-based imagery capabilities • Other nations threatened by terrorism are also using satellites - U.S. Government has greatly expanded the use of commercial imagery • Good resolution; allows sharing without disclosing U.S. capabilities
Intelligence-Collection Methods
• Geospatial Intelligence: GEOINT - Collection of photographic or other imagery • Signals Intelligence: SIGINT - Collection of all types of wire & wireless electronic signals • Measurement and Signatures Intelligence: MASINT - Variety of technical intelligence-collection means • Human Intelligence: HUMINT - Espionage carried out in person • Open-Source Intelligence: OSINT
SCADA Vulnerabilities
• Importance of SCADA systems for controlling the critical infrastructure may make them an attractive target for terrorists • Many SCADA systems use Commercial-Off-The-Shelf (COTS) software • May be inadequately protected against cyberattack • "Securing SCADA is a U.S. national priority, as disruption of these systems can have significant consequences for public health and safety." Source: The National Strategy to Secure Cyberspace • Securing SCADA complicated by various factors: • technological limitations -- SCADA systems typically small and self-contained units with limited power supplies; security features not easily adapted to the space or power requirements. The "Slammer" Internet Computer Worm: Example of possible vulnerability of control systems when SCADA controls are interconnected with office networks August 2003, the "Slammer" corrupted for five hours the computer control systems at the DavisBesse nuclear power plant located in Ohio The computer worm penetrated systems in the control room largely because the business network for its corporate offices was found to have multiple connections to the Internet that bypassed the control room firewall
Other Types of Collection
• In addition to GEOINT, SIGINT & HUMINT, terrorist groups can be targeted by several other types of intelligence - OSINT: involves collection and analysis of public statements by terrorists, including Internet-based statements - MASINT: may be useful in cases in which terrorists are seeking to acquire WMD
Processing & Exploitation
• In contrast to most written reports from agents or foreign government services, most technical intelligence does not arrive in ready-to-use form - Some written reports do need to be translated - Imagery, signals intelligence and measurement or test data must routinely be processed from complex digital signals or other formats into viewable images and (written or audio) intercepts • Such processing & exploitation are key steps in concerting technically-collected information into usable intelligence
Intelligence Collection
• Intelligence collection has a long history • Without collection, intelligence is guesswork • The U.S. and some other nations use multiple means of collecting intelligence - Usually related to the nature of the intelligence sought • In the U.S., these means are known as intelligence collection disciplines • Also known informally as "INTS"
Measurement & Signatures Intel
• MASINT includes a variety of technical intelligence-collection means - Its focus is on weapons capabilities and industrial activities - While MASINT may be viewed as a product or sub-category of SIGINT, it is of growing importance for collection of intelligence related to proliferation & weapons of mass destruction • The prevailing view is to consider MASINT as a separate collection method
Lessons from 9/11
• Need for greater interagency information-sharing - 9/11 intelligence faulted for failing to "connect the dots" • Need for new organizational structures - Establishment of DHS and the NCTC - FBI's National Security Branch and Joint Terrorism Task Forces
Counterterrorism: A New Intelligence Priority
• One of the traditional goals of intelligence has been to provide advance warning of physical attacks - By either nation-states or terrorist groups • The September 2001 attacks led to a greatly increased U.S. emphasis on terrorism - Terrorism has become the primary national security issue
The Importance of HUMINT
• Post 9/11 conventional wisdom was that the U.S. needed to rely more on HUMINT for terrorism-related intelligence - Terrorist groups less susceptible to technical collection - HUMINT can collect terrorism-related intelligence that technical means cannot • Still, there are limits to the use of HUMINT - Hard to infiltrate some terrorist groups - New recruits often required to prove commitment & allegiance by participating in overt terrorist act
Signals Intelligence
• SIGINT is usually defined as the interception by electronic or electro-acoustic means of communications between two parties (COMINT) • The ability to intercept communications surreptitiously can provide insight into what is being said, planned and considered by an adversary - Unlike GEOINT, SIGINT can shed light on an actor's intent
Executive Order 13800
• Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure • Agency heads will be held accountable for implementing risk management measures commensurate with the risk and magnitude of the harm expected • They will also be held accountable for ensuring that cybersecurity risk management processes are aligned with strategic, operational, and budgetary planning processes • Each agency head shall use The Framework for Improving Critical Infrastructure Cybersecurity (the Framework)
SCADA Systems
• Supervisory Control And Data Acquisition (SCADA) systems are the computers that monitor and regulate the operations of most critical infrastructure industries • SCADA is present in almost every sector of the economy including water, transportation, chemicals, energy, and manufacturing • Increasingly SCADA systems use the Internet to transmit data rather than the closed networks used in the past • Often placed in remote locations, are frequently unmanned
Historical Context
• The IC's interest in terrorism did not begin with the 2001 attacks - There had been prior terrorist attacks on U.S. soil - U.S. officials had been familiar with terrorism historically, especially in the period beginning in the 1970s • Unlike some nation-state threats, however, the terrorism threat has been a shifting target - Terrorists have had different ideologies, motivations, modes & areas of operation
Topics & Objectives
• The Intelligence Cycle - Requirements - Collection - Processing - Analysis - Dissemination • Intelligence & Counterterrorism • The Analyst's Environment
Counterterrorism: A New Intelligence Priority 2
• The current Global War on Terrorism has forced the IC to reevaluate how it operates and the types of information that may be useful • Collecting intelligence against non-state actors such as international terrorist organizations presents a number of challenges
Communication/Traffic Analysis
• Traffic analysis (communication link analysis): - Study of external characteristics of communication to get information about the organization of the communication system - Does not focus on content of communications but on lines of communication and information flow - Seeks to identify network members, messengers, gatekeepers (and leaders)
Lessons from the Cold War
• U.S. intelligence structures and policies were shaped in part by the Cold War - Emphasis on technical collection means & quantifying the military threat from nation-state enemies • International terrorist groups are a vastly different kind of adversary - More complex - Far less predictable - Usually have much smaller footprint
Cyberterrorism & Critical Infrastructure
• U.S. policy planners deem the nation's "critical infrastructure" to be a particularly appealing target to potential cyberterrorists • Attacks on U.S. critical infrastructure could: • disrupt the functioning of government and private sector • produce cascading effects far beyond the targeted sector and physical location of the incident • produce catastrophic losses in terms of human casualties, property destruction, and economic effects • have serious impact on public morale and confidence • Attacks using components of critical infrastructure as weapons of mass destruction could have even more devastating physical and psychological consequences