ARSTRAT IO Newsletter - OSS.net


Information Operations Newsletter

Compiled by: Mr. Jeff Harley

US Army Strategic Command, G39, Information Operations Branch


The articles and information appearing herein are intended for educational and non-commercial purposes to promote discussion of research in the public interest. The views, opinions, and/or findings and recommendations contained in this summary are those of the original authors and should not be construed as an official position, policy, or decision of the United States Government, U.S. Department of the Army, or U.S. Army Strategic Command.


Table of Contents

Vol. 8, no. 14 (9 – 25 April 2008)

1. Army to Relax Information Controls to Keep Pace with Cyberspace

2. Germany Drafts Bill to Permit Police Virus Attacks

3. New Global Olympic Event: Asymmetric Information Competition (opinion)

4. Al-Qaeda Media Nexus: The Virtual Network behind the Global Message

5. CNN Site Hit by China Attack

6. The New E-spionage Threat

7. Activist Groups under Cyber Attack

8. Recruiting for the Cyber Wars

9. Defenseless on the Net

10. The Al-Qaeda Media Machine

11. A Model Strategic Communications Plan from Where You Wouldn't Expect It

Page iii

ARSTRAT IO Page on Intelink-U | ARSTRAT IO Newsletter on OSS.net


Army to Relax Information Controls to Keep Pace with Cyberspace

By Kristen Noel, American Forces Press Service, 9 April 2008

WASHINGTON, April 9, 2008 – Cumbersome controls over information flow in the Army soon may be a thing of the past, as the service works to deliver its messages proactively in the fast-paced cyber world. Instead of worrying about controlling what soldiers are saying, the Army needs to focus on rapidly getting their messages out into cyberspace, Army Col. Wayne Parks, director of computer network operations and electronic warfare at the Combined Arms Center in Fort Leavenworth, Kan., said in a teleconference with online journalists and “bloggers” yesterday.

In today’s electronic-warfare environment, Parks said, the Army needs to be able “to get the message out either before the enemy gets the message out, or be able to respond to the enemy as they’re putting the message out.” The Army has a tendency to be reactive, he said, but the service now is looking at how it engages people with information differently from in the past.

Parks explained that, rather than trying to control what soldiers say, the Army is focusing on keeping the force informed with the facts. “We’re just looking to inform our folks well enough that when they say something, … they’re going to state the facts,” he said. He estimated that 80 percent of the time the information soldiers provide directly is correct. So, the 20 percent risk of inaccuracies is worthwhile to maintain a proactive approach to online messaging, he said. “As long as you’re aware of what’s being said, you can always correct the record,” Parks said, “or you can always inform people adequately to ensure that we … don’t stay on this reactive mode and don’t look at our soldiers and our leaders out there and mistrust them.”

Parks also said defending against cyber attacks on computer networks and systems is another key element of electronic warfare. “There are attacks being made on our networks and our computer systems -- whether it be hardware or software -- from across the globe,” he said. The Combined Arms Center is studying lessons learned from past attacks and is building new capabilities to defend against future attacks, Parks said.

Table of Contents

Germany Drafts Bill to Permit Police Virus Attacks

From Expatica, 16th April 2008

Germany is moving ahead with a bill to permit police virus attacks that could remotely extract evidence from a suspect's computer, an Interior Ministry spokesman, Stefan Paris, says.

The legislation had been held up by a dispute within Chancellor Angela Merkel's ruling coalition over the terms. That was resolved with an agreement that the bill would not include any new authorization to physically attach monitoring devices to suspects' computers. "Police won't initially set foot in anyone's home," said Paris.

The surveillance will use "white hat" virus techniques, in which flaws in computer programmes are exploited in a good cause. Police computer experts will try online to trick a suspect into inadvertently installing a bugging program that sends computerized secrets via the internet to a waiting police team. But experts say any good anti-virus program could defeat such a virus and the trick would only work on inept computer users.

Paris said the legislation would be in line with a Constitutional Court ruling in February that attached strict conditions to such snooping, including obtaining a court order and only doing so to protect lives or public utilities. Ministers are to discuss this week whether to give police new powers to physically plant bugs near computers, Paris said.

Table of Contents

New Global Olympic Event: Asymmetric Information Competition (opinion)

By Monroe Price, the Huffington Post, April 14, 2008

There's a cornucopia of reasons for the eruption of global interest in the torch relay, but I want to focus on one. Think of the Olympic torch coverage in a context beyond Tibet, beyond China, beyond the Olympics -- namely "asymmetric" information warfare. The torch coverage is an example of non-force combat -- between the super Gullivers of the world and the myriad, seemingly unaccountable Lilliputians. An example of this preoccupation is Donald Rumsfeld's speech in 2006 at the Council on Foreign Relations:

Our enemies have skillfully adapted to fighting wars in today's media age, but for the most part we, our country, our government, has not adapted. ['Terrorists']... have media relations committees that meet and talk about strategy, not with bullets but with words. They've proven to be highly successful at manipulating the opinion elites of the world. They plan and design their headline-grabbing attacks using every means of communication to intimidate and break the collective will of free people.

Rumsfeld was talking about what drove him and a number of U.S. Senators and others crazy in the Long War and what is also undoubtedly plaguing the Chinese. How is it that powerful states (democratic or authoritarian) can't deal adequately with a large set of agents who are shaping the global agenda and do so by wit and wile rather than by huge expenditure of resources? My co-editor Daniel Dayan (Owning the Olympics, Narratives of the New China, University of Michigan Press, 2008), building on work with the famous scholar, Elihu Katz, has used the word "hijack" to describe the seizure of world attention by intense groups that alter the expected and legitimated narrative of singular moments like the Olympics.

I'll say more about this in future posts, but I can point to a few very interesting recent writings. One is an article in Monday's New York Times, which traces how splintered groups prepared for this month's events, while China had difficulty registering a coherent response ("Tibet Backers Show China Value of P.R."). And I would be remiss not to mention Edward Rothstein's brilliant piece, also April 14, on the creation of the torch relay as a powerful, dominating metaphor by Germany in 1936 ("The Relay of Fire Ignited by the Nazis").

One other perspective, worthy of note, was spotted by Lokman Tsui, a PhD student at Annenberg and a China media scholar. The BBC has done an important curbside analysis (here and here) of reaction within China of its coverage of the torch relay, noting (unscientifically) what appears to be the gulf between domestic and international coverage and reading of the torch-relay events. Part of this comes from recognition that more people are reading the BBC online and it's become more available in China.

Asymmetric information warfare occurs in the Olympics setting as the Tibet groups and others seize the extraordinary benefit of huge investments in platforms established by others, and take advantage of the fabulously structured forum, created by others, to advance their political and commercial messages. In an essay in "Owning the Olympics: Narratives of the New China," I refer to this as a kind of public relations jujitsu. Small, seemingly powerless groups gain momentary attention and enduring strength by storming (literally or figuratively) a platform media event so as instantly to control the narrative (the Palestinian gunmen in the Munich Olympics).

Table of Contents


Al-Qaeda Media Nexus: The Virtual Network behind the Global Message

Source: Radio Free Europe, April 14, 2008

Key Findings

+ The ”original” Al-Qaeda led by Osama bin Laden accounts for a mere fraction of jihadist media production.

+ Virtual media production and distribution entities (MPDEs) link varied groups under the general ideological rubric of the global jihadist movement. The same media entities that “brand” jihadist media also create virtual links between the various armed groups that fall into the general category of Al-Qaeda and affiliated movements.

+ Three key entities connect Al-Qaeda and affiliated movements to the outside world through the internet. These three media entities — Fajr, the Global Islamic Media Front, and Sahab — receive materials from more than one armed group and post those materials to the internet.

+ Information operations intended to disrupt or undermine the effectiveness of jihadist media can and should target the media entities that brand these media and act as the virtual connective tissue of the global movement.

+ While video is an important component of jihadist media, text products comprise the bulk of the daily media flow. Within text products, periodicals focused on specific “fronts” of the jihad are an important genre that deserves more attention from researchers.

+ The vast majority of jihadist media products focus on conflict zones: Iraq, Afghanistan, and Somalia.

+ The priorities of the global jihadist movement, as represented by its media arm, are operations in Iraq, Afghanistan, Somalia, and North Africa.

+ Jihadist media are attempting to mimic a “traditional” structure in order to boost credibility and facilitate message control. While conventional wisdom holds that jihadist media have been quick to exploit technological innovations to advance their cause, they are moving toward a more structured approach based on consistent branding and quasi-official media entities. Their reasons for doing so appear to be a desire to boost the credibility of their products and ensure message control.

+ In line with this strategy, the daily flow of jihadist media that appears on the internet is consistently and systematically branded.

{Editor note: You can download the document (2.2Mb) at this site: http://docs.rferl.org/en-US/AQ_Media_Nexus.pdf}

Table of Contents

CNN Site Hit by China Attack

By Robert McMillan, IDG News Service, April 22, 2008

After being called off Friday, the on-again, off-again cyber attack against CNN's Web site again picked up steam early this week, according to network security analysts.

At its peak, the attack has sucked up 100MB/S in bandwidth, enough to slow the news Web site for some visitors. "That's a decent-sized attack," said Jose Nazario, a senior security engineer with Arbor Networks. "Globally speaking, it's probably garden-variety."

Organizers had originally called for the attack to be launched on April 19. But they soon called off their efforts with one organizer, CN-Magistrate, saying that "too many people are aware of it, and the situation is chaotic." CN-Magistrate soon disbanded his Web site devoted to these attacks and dropped out of public view.

Hackers had launched some low-intensity attacks against CNN ahead of the April 19 deadline, but on Sunday, another group calling itself HackCNN picked up the attack. CNN visitors experienced a noticeable slowdown during the early hours of Sunday and Monday, researchers said. This group also managed to deface a Sports Network Web site (sports.si.cnn.com), replacing sports scores with slogans such as "Tibet was, is, and always will be a part of China!"


Although a CNN spokeswoman said that the Web site was not taken down by the attacks, Web monitoring company Netcraft said that some of its sensors were unable to get a response from CNN servers in Phoenix, San Jose, California, London and Pennsylvania for about three hours on Sunday. On Monday, response times to CNN were as slow as two-tenths of a second, Netcraft said.

CNN did slow down the rate at which network traffic from the Asia-Pacific region was able to reach its Web site, the spokeswoman said.

Nazario said that a botnet network of hacked computers has now been involved in the attacks, but the hackers have mostly relied on voluntary downloads to spur their efforts.

Angered by Western coverage of unrest in Tibet by CNN, organizers had hoped to knock the Web site offline using tactics similar to those seen in recent attacks on Internet servers run by the Church of Scientology and the Baltic nation of Estonia. Hackers made easy-to-use Web attacking tools available for download on hackcnn.com and then encouraged as many computers as possible to join in on the attack.

"People would purposely infect themselves with malware released on behalf of Chinese hacktivists to automatically utilize their Internet bandwidth for the purpose of a coordinated attack against a particular site," said Dancho Danchev, a Bulgarian security researcher, via instant message.

"These guys are young. They're usually 20-25 years old, college students, they spend their life online," said Scott Henderson, a retired U.S. intelligence analyst who has been following the CNN attacks on his blog. "It is really a way of expressing themselves."

Security experts said that the Estonian and CNN attacks more closely resembled a cyber riot than anything else, with no central figure in command and many different groups, loosely coordinating their activities and attacking computers in many ways.

The attacks can be hard to stop at first, and they tend to garner attention to the attacker's political cause, Nazario said. "We're going to see this again because it's effective to some degree."

Table of Contents

The New E-spionage Threat

By Brian Grow, Keith Epstein and Chi-Chu Tschang, Business Week, 10 April 2008

The e-mail message addressed to a Booz Allen Hamilton executive was mundane—a shopping list sent over by the Pentagon of weaponry India wanted to buy. But the missive turned out to be a brilliant fake. Lurking beneath the description of aircraft, engines, and radar equipment was an insidious piece of computer code known as "Poison Ivy" designed to suck sensitive data out of the $4 billion consulting firm's computer network. The Pentagon hadn't sent the e-mail at all. Its origin is unknown, but the message traveled through Korea on its way to Booz Allen. Its authors knew enough about the "sender" and "recipient" to craft a message unlikely to arouse suspicion. Had the Booz Allen executive clicked on the attachment, his every keystroke would have been reported back to a mysterious master at the Internet address cybersyndrome.3322.org, which is registered through an obscure company headquartered on the banks of China's Yangtze River.

The U.S. government, and its sprawl of defense contractors, have been the victims of an unprecedented rash of similar cyber attacks over the last two years, say current and former U.S. government officials. "It's espionage on a massive scale," says Paul B. Kurtz, a former high-ranking national security official. Government agencies reported 12,986 cyber security incidents to the U.S. Homeland Security Dept. last fiscal year, triple the number from two years earlier. Incursions on the military's networks were up 55% last year, says Lieutenant General Charles E. Croom, head of the Pentagon's Joint Task Force for Global Network Operations. Private targets like Booz Allen are just as vulnerable and pose just as much potential security risk. "They have our information on their networks. They're building our weapon systems. You wouldn't want that in enemy hands," Croom says. Cyber attackers "are not denying, disrupting, or destroying operations—yet. But that doesn't mean they don't have the capability."


A MONSTER

When the deluge began in 2006, officials scurried to come up with software "patches," "wraps," and other bits of triage. The effort got serious last summer when top military brass discreetly summoned the chief executives or their representatives from the 20 largest U.S. defense contractors to the Pentagon for a "threat briefing." BusinessWeek has learned the U.S. government has launched a classified operation called Byzantine Foothold to detect, track, and disarm intrusions on the government's most critical networks. And President George W. Bush on Jan. 8 quietly signed an order known as the Cyber Initiative to overhaul U.S. cyber defenses, at an eventual cost in the tens of billions of dollars, and establishing 12 distinct goals, according to people briefed on its contents. One goal in particular illustrates the urgency and scope of the problem: By June all government agencies must cut the number of communication channels, or ports, through which their networks connect to the Internet from more than 4,000 to fewer than 100. On Apr. 8, Homeland Security Dept. Secretary Michael Chertoff called the President's order a cyber security "Manhattan Project."

But many security experts worry the Internet has become too unwieldy to be tamed. New exploits appear every day, each seemingly more sophisticated than the previous one. The Defense Dept., whose Advanced Research Projects Agency (DARPA) developed the Internet in the 1960s, is beginning to think it created a monster. "You don't need an Army, a Navy, an Air Force to beat the U.S.," says General William T. Lord, commander of the Air Force Cyber Command, a unit formed in November, 2006, to upgrade Air Force computer defenses. "You can be a peer force for the price of the PC on my desk." Military officials have long believed that "it's cheaper, and we kill stuff faster, when we use the Internet to enable high-tech warfare," says a top adviser to the U.S. military on the overhaul of its computer security strategy. "Now they're saying, 'Oh, shit.'"

Adding to Washington's anxiety, current and former U.S. government officials say many of the new attackers are trained professionals backed by foreign governments. "The new breed of threat that has evolved is nation-state-sponsored stuff," says Amit Yoran, a former director of Homeland Security's National Cyber Security Div. Adds one of the nation's most senior military officers: "We've got to figure out how to get at it before our regrets exceed our ability to react."

The military and intelligence communities have alleged that the People's Republic of China is the U.S.'s biggest cyber menace. "In the past year, numerous computer networks around the world, including those owned by the U.S. government, were subject to intrusions that appear to have originated within the PRC," reads the Pentagon's annual report to Congress on Chinese military power, released on Mar. 3. The preamble of Bush's Cyber Initiative focuses attention on China as well. Wang Baodong, a spokesman for the Chinese government at its embassy in Washington, says "anti-China forces" are behind the allegations. Assertions by U.S. officials and others of cyber intrusions sponsored or encouraged by China are unwarranted, he wrote in an Apr. 9 e-mail response to questions from BusinessWeek. "The Chinese government always opposes and forbids any cyber crimes including 'hacking' that undermine the security of computer networks," says Wang. China itself, he adds, is a victim, "frequently intruded and attacked by hackers from certain countries." Because the Web allows digital spies and thieves to mask their identities, conceal their physical locations, and bounce malicious code to and fro, it's frequently impossible to pinpoint specific attackers. Network security professionals call this digital masquerade ball "the attribution problem."

A CREDIBLE MESSAGE

In written responses to questions from BusinessWeek, officials in the office of National Intelligence Director J. Michael McConnell, a leading proponent of boosting government cyber security, would not comment "on specific code-word programs" such as Byzantine Foothold, nor on "specific intrusions or possible victims." But the department says that "computer intrusions have been successful against a wide range of government and corporate networks across the critical infrastructure and defense industrial base." The White House declined to address the contents of the Cyber Initiative, citing its classified nature.

The e-mail aimed at Booz Allen, obtained by BusinessWeek and traced back to an Internet address in China, paints a vivid picture of the alarming new capabilities of America's cyber enemies. On Sept. 5, 2007, at 08:22:21 Eastern time, an e-mail message appeared to be sent to John F. "Jack" Mulhern, vice-president for international military assistance programs at Booz Allen. In the high-tech world of weapons sales, Mulhern's specialty, the e-mail looked authentic enough. "Integrate U.S., Russian, and Indian weapons and avionics," the e-mail noted, describing the Indian government's expectations for its fighter jets. "Source code given to India for indigenous computer upgrade capability." Such lingo could easily be understood by Mulhern. The 62-year-old former U.S. Naval officer and 33-year veteran of Booz Allen's military consulting business is an expert in helping to sell U.S. weapons to foreign governments.

The e-mail was more convincing because of its apparent sender: Stephen J. Moree, a civilian who works for a group that reports to the office of Air Force Secretary Michael W. Wynne. Among its duties, Moree's unit evaluates the security of selling U.S. military aircraft to other countries. There would be little reason to suspect anything seriously amiss in Moree's passing along the highly technical document with "India MRCA Request for Proposal" in the subject line. The Indian government had just released the request a week earlier, on Aug. 28, and the language in the e-mail closely tracked the request. Making the message appear more credible still: It referred to upcoming Air Force communiqués and a "Teaming Meeting" to discuss the deal.

But the missive from Moree to Jack Mulhern was a fake. An analysis of the e-mail's path and attachment, conducted for BusinessWeek by three cyber security specialists, shows it was sent by an unknown attacker, bounced through an Internet address in South Korea, was relayed through a Yahoo! server in New York, and finally made its way toward Mulhern's Booz Allen in-box. The analysis also shows the code—known as "malware," for malicious software—tracks keystrokes on the computers of people who open it.
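The path analysis the article describes, reading the Received chain back to its origin and comparing it with the claimed sender, can be reproduced with a short triage script. The following is an added example and is not part of the BusinessWeek article or any tool named in it; the message, host names, addresses, IP ranges (RFC 5737 documentation blocks) and the allow-list of expected relays are all constructed placeholders. It flags the three things an analyst would key on in a message like this one: an originating host that is not the claimed sender's infrastructure, a third-party relay in the path, and an attachment type that carries active content.

```python
import re
from email import message_from_string
from email.policy import default as default_policy

# Constructed sample message for illustration; it is NOT the real e-mail from
# the article. Every host name, address and IP is a placeholder (198.51.100.0/24
# and 203.0.113.0/24 are the RFC 5737 documentation ranges).
SAMPLE_RAW = """\
Received: from mta.contractor.example (mta.contractor.example [198.51.100.7])
 by mx.contractor.example with ESMTP; Wed, 05 Sep 2007 08:22:21 -0400
Received: from webmail-relay.example.net (webmail-relay.example.net [198.51.100.40])
 by mta.contractor.example with ESMTP; Wed, 05 Sep 2007 08:22:19 -0400
Received: from unknown (HELO home-pc) [203.0.113.10]
 by webmail-relay.example.net with SMTP; Wed, 05 Sep 2007 08:21:58 -0400
From: "Program Office" <analyst@airforce.example>
To: executive@contractor.example
Subject: India MRCA Request for Proposal
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached request for proposal before the Teaming Meeting.
--b1
Content-Type: application/octet-stream; name="India_MRCA_RFP.mdb"
Content-Disposition: attachment; filename="India_MRCA_RFP.mdb"

(binary omitted)
--b1--
"""

# Constructed allow-list: the relay IPs each sender domain is expected to use.
TRUSTED_RELAYS = {"airforce.example": {"198.51.100.20"}}
# Attachment types the constructed policy treats as risky (executables and
# Office/Access files that can carry active content).
RISKY_SUFFIXES = (".exe", ".scr", ".mdb", ".xls", ".doc")

# "from <host> ... [<ip>]" as written by most MTAs in a Received header.
RECEIVED_RE = re.compile(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.S)


def received_hops(msg):
    """Return (host, ip) for each Received header, oldest hop first.

    Each MTA prepends its own Received line, so the header closest to the
    body is the originating hop; reversing the list puts it first.
    """
    hops = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(str(hdr))
        if m:
            hops.append((m.group(1).lower(), m.group(2)))
    hops.reverse()
    return hops


def hop_chain(raw):
    """Convenience wrapper: parse a raw message and return its hop chain."""
    return received_hops(message_from_string(raw, policy=default_policy))


def triage(raw):
    """Return a list of findings explaining why the message looks spoofed."""
    msg = message_from_string(raw, policy=default_policy)
    sender_domain = msg["From"].addresses[0].domain.lower()
    recipient_domain = msg["To"].addresses[0].domain.lower()
    findings = []

    hops = received_hops(msg)
    if not hops:
        return ["no parsable Received headers"]

    # 1. The originating hop should belong to the claimed sender's mail system.
    origin_host, origin_ip = hops[0]
    if origin_ip not in TRUSTED_RELAYS.get(sender_domain, set()):
        findings.append(
            f"origin {origin_host} [{origin_ip}] is not a known relay for {sender_domain}"
        )

    # 2. Intermediate hops outside both organisations (e.g. a public webmail
    #    relay) are worth a look for mail that claims to be official.
    for host, _ip in hops[1:]:
        if not host.endswith(sender_domain) and not host.endswith(recipient_domain):
            findings.append(f"third-party relay in path: {host}")

    # 3. Attachments of types that can carry active content.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_SUFFIXES):
            findings.append(f"risky attachment type: {name}")

    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_RAW):
        print("FLAG:", finding)
```

On the constructed message the script reports all three findings. The allow-list check is the important one: a display name and From address can be typed freely, but the earliest Received line is written by the relay that accepted the message, and a legitimate official sender's mail does not normally originate from an unnamed host via a public webmail relay.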
A separate program disables security measures such as password protection on Microsoft Access database files, a program often used by large organizations such as the U.S. defense industry to manage big batches of data.

AN E-MAIL'S JOURNEY

While hardly the most sophisticated technique used by electronic thieves these days, "if you have any kind of sensitive documents on Access databases, this [code] is getting in there and getting them out," says a senior executive at a leading cyber security firm that analyzed the e-mail. (The person requested anonymity because his firm provides security consulting to U.S. military departments, defense contractors, and financial institutions.) Commercial computer security firms have dubbed the malicious code "Poison Ivy." But the malware attached to the fake Air Force e-mail has a more devious—and worrisome—capability. Known as a remote administration tool, or RAT, it gives the attacker control over the "host" PC, capturing screen shots and perusing files. It lurks in the background of Microsoft Internet Explorer browsers while users surf the Web. Then it phones home to its "master" at an Internet address currently registered under the name cybersyndrome.3322.org.

The digital trail to cybersyndrome.3322.org, followed by analysts at BusinessWeek's request, leads to one of China's largest free domain-name-registration and e-mail services. Called 3322.org, it is registered to a company called Bentium in the city of Changzhou, an industry hub outside Shanghai. A range of security experts say that 3322.org provides names for computers and servers that act as the command and control centers for more than 10,000 pieces of malicious code launched at government and corporate networks in recent years. Many of those PCs are in China; the rest could be anywhere. The founder of 3322.org, a 37-year-old technology entrepreneur named Peng Yong, says his company merely allows users to register domain names. "As for what our users do, we cannot completely control it," says Peng.

The bottom line: If Poison Ivy infected Jack Mulhern's computer at Booz Allen, any secrets inside could be seen in China. And if it spread to other computers, as malware often does, the infection opens windows on potentially sensitive information there, too.

It's not clear whether Mulhern received the e-mail, but the address was accurate. Informed by BusinessWeek on Mar. 20 of the fake message, Booz Allen spokesman George Farrar says the company launched a search to find it. As of Apr. 9, says Farrar, the company had not discovered the e-mail or Poison Ivy in Booz Allen's networks. Farrar says Booz Allen computer security executives examined the PCs of Mulhern and an assistant who received his e-mail. "We take this very seriously," says Farrar. (Mulhern, who retired in March, did not respond to e-mailed requests for comment and declined a request, through Booz Allen, for an interview.)

Air Force officials referred requests for comment to U.S. Defense Secretary Robert M. Gates' office. In an e-mailed response to BusinessWeek, Gates' office acknowledges being the target of cyber attacks from "a variety of state and non-state-sponsored organizations to gain unauthorized access to, or otherwise degrade, [Defense Dept.] information systems." But the Pentagon declined to discuss the attempted Booz Allen break-in. The Air Force, meanwhile, would not make Stephen Moree available for comment.

The bogus e-mail, however, seemed to cause a stir inside the Air Force, correspondence reviewed by BusinessWeek shows. On Sept. 4, defense analyst James Mulvenon also received the message with Moree and Mulhern's names on it. Security experts believe Mulvenon's e-mail address was secretly included in the "blind copy" line of a version of the message. Mulvenon is director of the Center for Intelligence Research & Analysis and a leading consultant to U.S. defense and intelligence agencies on China's military and cyber strategy. He maintains an Excel spreadsheet of suspect e-mails, malicious code, and hacker groups and passes them along to the authorities.

Suspicious of the note when he received it, Mulvenon replied to Moree the next day. Was the e-mail "India spam?" Mulvenon asked. "I apologize—this e-mail was sent in error—please delete," Moree responded a few hours later. "No worries," typed Mulvenon. "I have been getting a lot of trojaned Access databases from China lately and just wanted to make sure." "Interesting—our network folks are looking into some kind of malicious intent behind this e-mail snafu," wrote Moree. Neither the Air Force nor the Defense Dept. would confirm to BusinessWeek whether an investigation was conducted.
A Pentagon spokesman says that its procedure is to refer attacks to law enforcement or counterintelligence agencies. He would not disclose which, if any, is investigating the Air Force e-mail.

DIGITAL INTRUDERS

By itself, the bid to steal digital secrets from Booz Allen might not be deeply troubling. But Poison Ivy is part of a new type of digital intruder rendering traditional defenses—firewalls and updated antivirus software—virtually useless. Sophisticated hackers, say Pentagon officials, are developing new ways to creep into computer networks sometimes before those vulnerabilities are known. "The offense has a big advantage over the defense right now," says Colonel Ward E. Heinke, director of the Air Force Network Operations Center at Barksdale Air Force Base. Only 11 of the top 34 antivirus software programs identified Poison Ivy when it was first tested on behalf of BusinessWeek in February. Malware-sniffing software from several top security firms found "no virus" in the India fighter-jet e-mail, the analysis showed.

Over the past two years thousands of highly customized e-mails akin to Stephen Moree's have landed in the laptops and PCs of U.S. government workers and defense contracting executives. According to sources familiar with the matter, the attacks targeted sensitive information on the networks of at least seven agencies—the Defense, State, Energy, Commerce, Health & Human Services, Agriculture, and Treasury departments—and also defense contractors Boeing, Lockheed Martin, General Electric, Raytheon, and General Dynamics, say current and former government network security experts. Laura Keehner, a spokeswoman for the Homeland Security Dept., which coordinates protection of government computers, declined to comment on specific intrusions. In written responses to questions from BusinessWeek, Keehner says: "We are aware of and have defended against malicious cyber activity directed at the U.S. Government over the past few years. We take these threats seriously and continue to remain concerned that this activity is growing more sophisticated, more targeted, and more prevalent." Spokesmen for Lockheed Martin, Boeing, Raytheon, General Dynamics, and General Electric declined to comment. Several cited policies of not discussing security-related matters.

The rash of computer infections is the subject of Byzantine Foothold, the classified operation designed to root out the perpetrators and protect systems in the future, according to three people familiar with the matter. In some cases, the government's own cyber security experts are engaged in "hack-backs"—following the malicious code to peer into the hackers' own computer systems.

BusinessWeek has learned that a classified document called an intelligence community assessment, or ICA, details the Byzantine intrusions and assigns each a unique Byzantine-related name. The ICA has circulated in recent months among selected officials at U.S. intelligence agencies, the Pentagon, and cyber security consultants acting as outside reviewers. Until December, details of the ICA's contents had not even been shared with congressional intelligence committees. Now, Senate Intelligence Committee Chairman John D. Rockefeller (D-W. Va.) is said to be discreetly informing fellow senators of the Byzantine operation, in part to win their support for needed appropriations, many of which are part of classified "black" budgets kept off official government books. Rockefeller declined to comment. In January a Senate Intelligence Committee staffer urged his boss, Missouri Republican Christopher "Kit" Bond, the committee's vice-chairman, to supplement closed-door testimony and classified documents with a viewing of the movie Die Hard 4 on a flight the senator made to New Zealand. In the film, cyber terrorists breach FBI networks, purloin financial data, and bring car traffic to a halt in Washington. Hollywood, says Bond, doesn't exaggerate as much as people might think. "I can't discuss classified matters," he cautions. "But the movie illustrates the potential impact of a cyber conflict. Except for a few things, let me just tell you: It's credible." "Phishing," one technique used in many attacks, allows cyber spies to steal information by posing as a trustworthy entity in an online communication. The term was coined in the mid-1990s when hackers began "fishing" for information (and tweaked the spelling). The e-mail attacks on government agencies and defense contractors, called "spear-phish" because they target specific individuals, are the Web version of laser-guided missiles. 
Spear-phish creators gather information about people's jobs and social networks, often from publicly available information and data stolen from other infected computers, and then trick them into opening an e-mail.

DEVIOUS SCRIPT

Spear-phish tap into a cyber espionage tactic that security experts call "Net reconnaissance." In the attempted attack on Booz Allen, attackers had plenty of information about Moree: his full name, title (Northeast Asia Branch Chief), job responsibilities, and e-mail address. Net reconnaissance can be surprisingly simple, often starting with a Google search. (A lookup of the Air Force's Pentagon e-mail address on Apr. 9, for instance, retrieved 8,680 e-mail addresses for current or former Air Force personnel and departments.) The information is woven into a fake e-mail with a link to an infected Web site or containing an attached document. All attackers have to do is hit their send button. Once the e-mail is opened, intruders are automatically ushered inside the walled perimeter of computer networks—and malicious code such as Poison Ivy can take over. By mid-2007 analysts at the National Security Agency began to discern a pattern: personalized e-mails with corrupted attachments such as PowerPoint presentations, Word documents, and Access database files had been turning up on computers connected to the networks of numerous agencies and defense contractors. A previously undisclosed breach in the autumn of 2005 at the American Enterprise Institute—a conservative think tank whose former officials and corporate executive board members are closely connected to the Bush Administration—proved so nettlesome that the White House shut off aides' access to the Web site for more than six months, says a cyber security specialist familiar with the incident. The Defense Dept. shut the door for even longer.
Computer security investigators, one of whom spoke with BusinessWeek, identified the culprit: a few lines of JavaScript buried in AEI's home page, www.aei.org, that activated as soon as someone visited the site. The script secretly redirected the user's computer to another server that attempted to load malware. The malware, in turn, sent information from the visitor's hard drive to a server in China. But the security specialist says cyber sleuths couldn't get rid of the intruder. After each deletion, the furtive code would reappear. AEI says otherwise—except for a brief accidental recurrence caused by its own network personnel in August, 2007, the devious JavaScript did not return and was not difficult to eradicate.

The government has yet to disclose the breaches related to Byzantine Foothold. BusinessWeek has learned that intruders managed to worm into the State Dept.'s highly sensitive Bureau of Intelligence & Research, a key channel between the work of intelligence agencies and the rest of the government. The breach posed a risk to CIA operatives in embassies around the globe, say several network security specialists familiar with the effort to cope with what became seen as an internal crisis. Teams worked around-the-clock in search of malware, they say, calling the White House regularly with updates.

The attack began in May, 2006, when an unwitting employee in the State Dept.'s East Asia Pacific region clicked on an attachment in a seemingly authentic e-mail. Malicious code was embedded in the Word document, a congressional speech, and opened a Trojan "back door" for the code's creators to peer inside the State Dept.'s innermost networks. Soon, cyber security engineers began spotting more intrusions in State Dept. computers across the globe. The malware took advantage of previously unknown vulnerabilities in the Microsoft operating system. Unable to develop a patch quickly enough, engineers watched helplessly as streams of State Dept. data slipped through the back door and into the Internet ether. Although they were unable to fix the vulnerability, specialists came up with a temporary scheme to block further infections. They also yanked connections to the Internet. One member of the emergency team summoned to the scene recalls that each time cyber security professionals thought they had eliminated the source of a "beacon" reporting back to its master, another popped up. He compared the effort to the arcade game Whack-A-Mole. The State Dept. says it eradicated the infection, but only after sanitizing scores of infected computers and servers and changing passwords. Microsoft's own patch, meanwhile, was not deployed until August, 2006, three months after the infection. A Microsoft spokeswoman declined to comment on the episode, but said: "Microsoft has, for several years, taken a comprehensive approach to help protect people online." There is little doubt among senior U.S. officials about where the trail of the recent wave of attacks leads.
"The Byzantine series tracks back to China," says Air Force Colonel Heinke. More than a dozen current and former U.S. military, cyber security, and intelligence officials interviewed by BusinessWeek say China is the biggest emerging adversary—and not just clubs of rogue or enterprising hackers who happen to be Chinese. O. Sami Saydjari, a former National Security Agency executive and now president of computer security firm Cyber Defense Agency, says the Chinese People's Liberation Army, one of the world's largest military forces, with an annual budget of $57 billion, has "tens of thousands" of trainees launching attacks on U.S. computer networks. Those figures could not be independently confirmed by BusinessWeek. Other experts provide lower estimates and note that even one hacker can do a lot of damage. Says Saydjari: "We have to look at this as equivalent to the launch of a Chinese Sputnik." China vigorously disputes the spying allegation and says its military posture is purely defensive. Hints of the perils perceived within America's corridors of power have been slipping out in recent months. In Feb. 27 testimony before the U.S. Senate Armed Services Committee, National Intelligence Director McConnell echoed the view that the threat comes from China. He told Congress he worries less about people capturing information than altering it. "If someone has the ability to enter information in systems, they can destroy data. And the destroyed data could be something like money supply, electric-power distribution, transportation sequencing, and that sort of thing." His conclusion: "The federal government is not well-protected and the private sector is not well-protected." Worries about China-sponsored Internet attacks spread last year to Germany, France, and Britain. 
British domestic intelligence agency MI5 had seen enough evidence of intrusion and theft of corporate secrets by allegedly state-sponsored Chinese hackers by November, 2007, that the agency's director general, Jonathan Evans, sent an unusual letter of warning to 300 corporations, accounting firms, and law firms—and a list of network security specialists to help block computer intrusions. Some recipients of the MI5 letter hired Peter Yapp, a leading security consultant with London-based Control Risks. "People treat this like it's just another hacker story, and it is almost unbelievable," says Yapp. "There's a James Bond element to it. Too many people think, 'It's not going to happen to me.' But it has." Identifying the thieves slipping their malware through the digital gates can be tricky. Some computer security specialists doubt China's government is involved in cyber attacks on U.S. defense targets. Peter Sommer, an information systems security specialist at the London School of Economics who helps companies secure networks, says: "I suspect if it's an official part of the Chinese government, you wouldn't be spotting it."

A range of attacks in the past two years on U.S. and foreign government entities, defense contractors, and corporate networks have been traced to Internet addresses registered through Chinese domain name services such as 3322.org, run by Peng Yong. In late March, BusinessWeek interviewed Peng in an apartment on the 14th floor of the gray-tiled residential building that houses the five-person office for 3322.org in Changzhou. Peng says he started 3322.org in 2001 with $14,000 of his own money so the growing ranks of China's Net surfers could register Web sites and distribute data. "We felt that this business would be very popular, especially as broadband, fiber-optic cables, [data transmission technology] ADSL, these ways of getting on the Internet took off," says Peng (translated by BusinessWeek from Mandarin), who drives a black Lexus IS300 bought last year. His 3322.org has indeed become a hit. Peng says the service has registered more than 1 million domain names, charging $14 per year for "top-level" names ending in .com, .org, or .net. But cyber security experts and the Homeland Security Dept.'s U.S. Computer Emergency Readiness Team (CERT) say that 3322.org is a hit with another group: hackers. That's because 3322.org and five sister sites controlled by Peng are dynamic DNS providers. Like an Internet phone book, dynamic DNS assigns names for the digits that mark a computer's location on the Web. For example, 3322.org is the registrar for the name cybersyndrome.3322.org at Internet address 61.234.4.28, the China-based computer that was contacted by the malicious code in the attempted Booz Allen attack, according to analyses reviewed by BusinessWeek. "Hackers started using sites like 3322.org so that the malware phones home to the specific name. The reason? It is relatively difficult to have [Internet addresses] taken down in China," says Maarten van Horenbeeck, a Belgium-based intrusion analyst for the SANS Internet Storm Center, a cyber threat monitoring group.

TARGET: PRIVATE SECTOR

Peng's 3322.org and sister sites have become a source of concern to the U.S. government and private firms. Cyber security firm Team Cymru sent a confidential report, reviewed by BusinessWeek, to clients on Mar. 7 that illustrates how 3322.org has enabled many recent attacks. In early March, the report says, Team Cymru received "a spoofed e-mail message from a U.S. military entity, and the PowerPoint attachment had a malware widget embedded in it." The e-mail was a spear-phish. The computer that controlled the malicious code in the PowerPoint? Cybersyndrome.3322.org—the same China-registered computer in the attempted attack on Booz Allen. Although the cybersyndrome Internet address may not be located in China, the top five computers communicating directly with it were—and four were registered with a large state-owned Internet service provider, according to the report. A person familiar with Team Cymru's research says the company has 10,710 distinct malware samples that communicate to masters registered through 3322.org. Other groups reporting attacks from computers hosted by 3322.org include activist group Students for a Free Tibet, the European Parliament, and U.S. Bancorp (USB), according to security reports. Team Cymru declined to comment. The U.S. government has pinpointed Peng's services as a problem, too. In a Nov. 28, 2007, confidential report from Homeland Security's U.S. CERT obtained by BusinessWeek, "Cyber Incidents Suspected of Impacting Private Sector Networks," the federal cyber watchdog warned U.S. corporate information technology staff to update security software to block Internet traffic from a dozen Web addresses after spear-phishing attacks.
"The level of sophistication and scope of these cyber security incidents indicates they are coordinated and targeted at private-sector systems," says the report. Among the sites named: Peng's 3322.org, as well as his 8800.org, 9966.org, and 8866.org. Homeland Security and U.S. CERT declined to discuss the report. Peng says he has no idea hackers are using his service to send and control malicious code. "Are there a lot?" he says when asked why so many hackers use 3322.org. He says his business is not responsible for cyber attacks on U.S. computers. "It's like we have paved a road and what sort of car [users] drive on it is their own business," says Peng, who adds that he spends most of his time these days developing Internet telephony for his new software firm, Bitcomm Software Tech Co. Peng says he was not aware that several of his Web sites and Internet addresses registered through them were named in the U.S. CERT report. On Apr. 7, he said he planned to shut the sites down and contact the U.S. agency. Asked by BusinessWeek to check his database for the person who registered the computer at the domain name cybersyndrome.3322.org, Peng says it is registered to Gansu Railway Communications, a regional telecom subsidiary of China's Railways Ministry. Peng declined to provide the name of the registrant, citing a confidentiality agreement. "You can go through the police to find out the user information," says Peng.

U.S. cyber security experts say it's doubtful that the Chinese government would allow the high volume of attacks on U.S. entities from China-based computers if it didn't want them to happen. "China has one of the best-controlled Internets in the world. Anything that happens on their Internet requires permission," says Cyber Defense Group's Saydjari. The Chinese government spokesman declined to answer specific questions from BusinessWeek about 3322.org. But Peng says he can do little if hackers exploit his goodwill—and there hasn't been much incentive from the Chinese government for him to get tough. "Normally, we take care of these problems by shutting them down," says Peng. "Because our laws do not have an extremely clear method to handle this problem, sometimes we are helpless to stop their services." And so, it seems thus far, is the U.S. government.

Activist Groups under Cyber Attack

By Brian Grow, Business Week, 11 April 2008

When Conall Watson resigned from the board of directors at activist group Students for a Free Tibet UK in June, 2007, someone—not a friend—was watching on the Web. The 25-year-old British pharmacist, who worked for the free-Tibet movement in his spare time, had sent a mass farewell e-mail mentioning his departure and a change in his e-mail address. "I'm stepping down from the SFT UK organizing group," part of the message, reviewed by BusinessWeek, reads. Nine months later, Conall Watson's name—and parts of that same 2007 sayonara e-mail—returned to haunt the activist organization in the form of a stealthy cyber-attack the group believes was launched from China. On Feb. 19, Students for a Free Tibet Executive Director Lhadon Tethong and other board members found a new message in their in-boxes. The note, addressed from Conall Watson, mentioned that he planned to pass along the résumé of a potential new activist. "Dear Alex, Ben and all other SFT friends," the message, also reviewed by BusinessWeek, reads. "What a pity I can do little for the Tibetan cause, while I know you are all still fighting bravely for it. Yesterday a Tibetan friend came to my office and asked me to recommend his nephew Rinzen Yeshe to join the SFT UK.… I will email his [résumé] very soon. Best wishes, Conall. p.s. He is a Tibetan friend of mine who I trust, so I trust his nephew." An hour later, the résumé arrived. But suspicious SFT UK members called Watson to ask if he had sent the message. He had not. An alert was sent out, say SFT officials, and nobody opened the résumé. How did the unknown attackers learn so much about Conall Watson? "Either the message was intercepted, or it might have been an inside job," says Watson. SFT UK members have received harassing phone calls in the past, he says. "But the Internet was new."
A Sweep of Spear-Phishing

Students for a Free Tibet is just one of thousands of alleged victims of a growing wave of cyber-spying. From the U.S. government and defense contractors to big banks and high-profile activist groups, millions of similarly sophisticated e-mails loaded with malicious code are being zapped through the Internet, to penetrate PCs, steal secrets, and report back to their electronic masters. Known as 'spear-phish,' the targeted e-mails are the Web's biggest new cyber-threat. The digital cunning that goes into spear-phishing attacks is highlighted by the mysterious missive sent in Conall Watson's name. Besides posing as Watson to send the note, the attackers built sympathy by alleging Watson felt bad for resigning ("I missed many great and important actions for the freedom of Tibet in the past few months," the e-mail reads.) And it also built trust by noting that the soon-to-be-sent résumé came from a "Tibetan friend."

"It's part of the psychological game" to persuade recipients of the malicious e-mail to open an attachment or click on a link, enabling malicious code to bypass firewalls and antivirus software, says Matthew Devost, president of Total Intelligence Solutions, a cyber-security firm. These e-mails are "the equivalent of precision-guided missiles in cyberspace," says Paul Kurtz, a former National Security Council official. "Instead of blowing something up, they're sucking data out."

China Denies Involvement

Executives working for Students for a Free Tibet allege the attackers masquerading as Conall Watson are in China. According to a report from a cyber-security specialist who examined the e-mail, the malicious code in the fake résumé phones home to a server identified as scfzf.xicp.net. That server is located at an Internet address assigned to the Jiangsu Province area served by one of China's largest state-owned Internet service providers. The server could be based in China—or located anywhere in the world, say computer security experts. That's because Chinese PCs with Internet service from China-based ISPs could, themselves, be infected with malicious code. Then hackers in other countries could bounce attacks through the compromised China-based computers. BusinessWeek could not independently confirm the location of server scfzf.xicp.net. China denies any involvement in or support for hacker attacks on any groups. In an e-mail response to questions from BusinessWeek, Wang Baodong, a spokesman at the Chinese Embassy in Washington, D.C., says: "The Chinese Government always opposes and forbids any cyber crimes including 'hacking' that undermine the security of computer networks." China, he says, does not hire civilian hackers to collect information or intelligence.

Bad "Seeds Sowed"

The analysis by security experts of the malicious code in the fake résumé—named Revzin.doc—sent to SFT UK, shows that it exploits holes in older versions of Microsoft Word.
Once inside a PC, the malware first contacts a server at the Web address www.windowsupdata.net. That Chinese-language Web site adds new code to the infection, the analysis says. As of mid-March, only 4 of 32 commercially available antivirus products detected the malicious code when tested by security experts. The attempted spear-phish intrusion—and other attacks since February—are sparking angst among Students for a Free Tibet activists. They come at a time when tensions are near an all-time high with the Chinese government because of its recent suppression of violent protests in Lhasa, the Tibetan capital, and almost daily disruption of the Olympic torch relay as it travels the world on its way to Beijing, ahead of the Olympic Games that China hosts beginning in August. "The saddest thing from all of this is seeing all the seeds [Chinese hackers] sowed some time ago. It is a moment of life or death," says Tethong, 32, the group's executive director. "It's just sick; they're just sick."

Compromise Darfur

Other critics of China or its policies have come under attack by mysterious cyber-intruders, too. In late March, analysts from cyber-security firm Total Intelligence Solutions were called in to root out a breach of the computer network at the Save Darfur Coalition, a Washington (D.C.) advocacy group for the war-torn southern region of the African nation Sudan. Save Darfur has been a leading critic of the Chinese government's policies regarding Sudan. The activist group agreed to allow Total Intelligence Solutions to discuss the details of that intrusion with BusinessWeek. According to Total Intel's Devost, who used to work for the Pentagon testing its computer security, hackers had accessed the Save Darfur computer system via a spear-phishing attack. "Potentially everything on the network was stolen," says Devost. Once inside, the hackers harvested e-mail addresses to send out additional spear-phishing attacks to other organizations.
The malicious code embedded inside contacted a computer registered through a domain name service in the U.S. Total Intel analysts contacted the unidentified company, which agreed to shut down the master PC. "Then, it was like my team crossed the line, and the A-team of hackers stepped in," says Total Intel's Devost. The next day, he says, more aggressive spear-phishing attacks were launched from the Save Darfur network, this time exploiting a vulnerability in PCs that had only been released days before. The hackers didn't try to cover their tracks using a U.S.-registered domain name. The malicious code, Devost says, phoned home straight to "a verified Internet address in China." The FBI, which is investigating the attack, received a detailed briefing from Total Intel analysts on Mar. 27, says Devost.

End In Sight?

Meanwhile, SFT's cyber woes do not appear to have ended. SFT's Tethong says the group was notified by cyber-security consultants around Mar. 26 that someone using an Internet address in the Chinese enclave of Macau had hacked into SFT's main e-mail server, possibly downloading everything inside. Tethong says the group does not know how the intrusion occurred, though she has been advised that her e-mail may have been intercepted and intruders may have monitored SFT's network for unencrypted messages. "There is just so much happening that we can't keep track of it," says Tethong.
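The practical counterpart to the U.S. CERT advice in the 3322.org article (block traffic to the named dynamic-DNS zones) and to the call-back names the Tibet article reports is a log review for connections to those names. The Python script below is an added example written for this newsletter; it is not tooling from BusinessWeek, US-CERT, Team Cymru, or any firm named in the articles. It matches outbound proxy/DNS records against the four zones the US-CERT report is said to name (3322.org, 8800.org, 9966.org, 8866.org), the specific call-back hosts the two articles cite (cybersyndrome.3322.org, scfzf.xicp.net, www.windowsupdata.net) and the address 61.234.4.28. The four-field log format and every log line are constructed for the example; the hit counts below reflect that sample only.

```python
"""Flag outbound log entries that name hosts under watched dynamic-DNS zones
or known call-back names. Added example, not any vendor's or agency's code.

Assumed, simplified log line format (constructed for this example):
    <epoch_seconds> <client_ip> <destination_host> <destination_ip>
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Dynamic-DNS zones named in the US-CERT report as described in the article.
WATCHED_ZONES = ("3322.org", "8800.org", "9966.org", "8866.org")

# Specific call-back names and the one address cited in the two articles.
WATCHED_HOSTS = {"cybersyndrome.3322.org", "scfzf.xicp.net", "www.windowsupdata.net"}
WATCHED_IPS = {"61.234.4.28"}


@dataclass
class Hit:
    line_no: int
    client: str
    dest_host: str
    dest_ip: str
    reason: str


def matched_zone(host: str) -> Optional[str]:
    """Return the watched zone that `host` falls under, or None.

    The match is done on label boundaries: "cybersyndrome.3322.org" and
    "3322.org" itself match, but "my3322.org" does not, so an unrelated
    domain that merely ends in the same characters is not flagged.
    """
    h = host.lower().rstrip(".")
    for zone in WATCHED_ZONES:
        if h == zone or h.endswith("." + zone):
            return zone
    return None


def classify(host: str, ip: str) -> Optional[str]:
    """Give the reason a (host, ip) pair is worth reviewing, or None."""
    h = host.lower().rstrip(".")
    if h in WATCHED_HOSTS:
        return f"known callback host {h}"
    if ip in WATCHED_IPS:
        return f"known callback address {ip}"
    zone = matched_zone(h)
    if zone:
        return f"dynamic-DNS zone {zone}"
    return None


def scan(lines: Iterable[str]) -> List[Hit]:
    """Walk log lines and collect the entries that should be reviewed."""
    hits: List[Hit] = []
    for n, raw in enumerate(lines, 1):
        parts = raw.split()
        if len(parts) != 4:
            continue  # malformed line: skip it rather than abort the sweep
        _ts, client, host, ip = parts
        reason = classify(host, ip)
        if reason:
            hits.append(Hit(n, client, host, ip, reason))
    return hits


# Constructed sample log; addresses are from documentation ranges, not real traffic.
SAMPLE_LOG = """\
1205000001 10.1.2.3 www.example.com 192.0.2.10
1205000002 10.1.2.3 cybersyndrome.3322.org 61.234.4.28
1205000003 10.1.2.9 update.8866.org 198.51.100.7
1205000004 10.1.2.9 my3322.org 198.51.100.8
1205000005 10.1.2.4 scfzf.xicp.net 203.0.113.5
1205000006 10.1.2.5 www.windowsupdata.net 203.0.113.6
this line is deliberately malformed
1205000007 10.1.2.6 intranet.corp.local 10.0.0.1
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.client} -> {hit.dest_host} "
              f"({hit.dest_ip}): {hit.reason}")
```

On the sample log the sweep reports four entries (lines 2, 3, 5 and 6) and ignores the look-alike my3322.org and the malformed line. The zone match is on label boundaries for exactly the reason the articles give for dynamic DNS being attractive: the operator registers an arbitrary name under the zone, so a defender has to watch the whole zone, not one hostname, while still not blocking unrelated domains that happen to share a suffix string.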

Recruiting for the Cyber Wars

By Keith Epstein and Brian Grow, Business Week, 15 April 2008

The U.S. military is looking for a few good geeks. "This building will be attacked 3 million times today," announces the commentator as the Pentagon appears on an ad available on the popular video site YouTube. "Who is going to protect it? Meet Staff Sergeant Lee Jones, Air Force Cyber Command, a member of America's only cyber command protecting us from millions of cyber threats every day." The YouTube recruitment video is part of a high-profile ad campaign running on TV, in print, and on the Web. In the ads, the Air Force boasts of its ability to protect the nation from a potentially devastating cyber attack. The ads overstate just how protected the U.S. military's networks are, but they underscore a new sense of urgency: As computer networks play increasingly vital roles in the U.S. military—and expose it to new dangers from skilled information warriors trained by other nations—the U.S. needs a new type of 21st century soldier. "How do you tap into the intellect of a completely different kind of Air Force warrior?" asks General William T. Lord, the chief of the nascent Air Force Cyber Command—the military's newest unit fighting digital warfare.

Techies on Patrol

General Lord thinks the answer may be to encourage U.S. hackers to enlist. In an interview with techie forum Slashdot in early March, he was asked if hackers with checkered pasts, and overweight geeks who couldn't pass a physical training test, were candidates to join the growing ranks of cyber soldiers. "I believe even the most unlikely candidate, when working for a cause bigger than himself, turns out to be a most loyal ally," the general wrote. The next James Bond or GI Jane may well be a hacker—routinely peering and probing computer networks to further his country's industrial or military edge. Instead of tense confrontations and close calls in far-off places, the digital warrior will telecommute.
Simply tapping at a keyboard, she'll connect with electronic moles that will pass on gigabytes of valuable data stored in the networks of prime targets half a world away. Using the Internet is less risky and exponentially more efficient, and, given some due diligence, cunning, and a knack for social engineering, the path leads to just about any computer's soft interior. The Air Force Cyber Command is still a work-in-progress. Pentagon officials are still wrangling over which U.S. military base will be home to the Command, which is not expected to be fully operational until October 2009. Once the project is complete, Cyber Command is expected to employ as many as 500 Air Force staff, says Gen. Lord, whose unit is currently headquartered at Barksdale Air Force Base outside Shreveport, La. A visit to the embryonic Air Force Cyber Command at Barksdale by BusinessWeek reporters in March shows how the Air Force's current ad campaign is more a Hollywood-version of Cyber Command. In an aging former recreation building on Barksdale's leafy grounds, fatigue-clad airmen—some with the physiques of couch-potato hackers—use off-the-shelf PCs to monitor Air Force computer network traffic. A wall of projection screens—reading "Unclassified" on a bright green background on the day BusinessWeek arrived—is used to highlight alerts about suspicious network traffic.

League of Electronic Nations

But there are some surprising indications that the cyber-war future is here already, and in disturbing abundance. The U.S., China, and Russia are building up their cyber forces. "For the Chinese, info war is the next realm. They are never going to go tank to tank with the U.S.," says Matthew G. Devost, a former Pentagon network security tester and chief executive officer of Total Intelligence Solutions in Alexandria, Va. The Chinese military offers prizes to its best computer hackers, and according to a January, 2006, white paper by the Chinese military, it has a three-stage strategy between now and 2050 to win an "informationized war," one that is fast-paced and mostly digital. The superpowers are hardly alone. The league of electronically prying, prodding, and posturing nations now numbers well into the dozens—by some tallies, closer to 100. A report published in August, 2006, by the office of Joel F. Brenner, counterintelligence executive for the director of national intelligence, noted that his office discovered at least 108 countries engaged in "collection efforts against sensitive and protected U.S. technologies," up from 37 a decade ago. The report doesn't name many names, though it identifies China and Russia as among "the most aggressive" in targeting the U.S. China denies any involvement in cyber spying and says it, too, is a victim, "frequently intruded [upon] and attacked by hackers from certain countries."

Spying on Defense Contractors on the Rise

The Russian government also denies participating in such activity. "Russia has never engaged in any kind of cyber intrusions in the U.S. or any other countries," says Yevgeniy Khorishko, the Russian government's spokesman at its embassy in Washington. "All these kinds of reports and articles that appear from time to time are pure speculation. They don't deserve to be commented upon." Suspicious activity associated with attempts at spying and stealing information from defense contractors is on the rise, too—especially from nations along the Pacific Rim and Asia, according to another declassified 2006 report by the Defense Security Service, which helps contractors keep tabs on espionage attempts. In particular, the report noted a "dramatic increase in the number of incidents involving government affiliated entities," and rising use of the Internet as a tool of choice. "The potential gain from even one successful computer intrusion makes it an attractive, relatively low-risk option for any country seeking access to sensitive information stored on U.S. computer networks," the report notes, while predicting the risk to sensitive information from cyber spies "will increase as more countries gain the expertise to exploit those systems."

Weapons of Mass Disruption

In the U.S., the latest wave of sophisticated, precisely targeted attacks prompted the Defense Dept. last summer to give the incursions and thefts of sensitive data a new name: "advanced persistent threats." The phrase is meant to underscore both the virulent nature of this type of cyber intrusion and their origin: hackers working for foreign nations. Pentagon insiders refer to the malicious software and devious methods of state-sponsored hackers as "weapons of mass disruption." U.S. military and intelligence officials worry about damage being inflicted by professionals, well-trained, backed by large sums of money, and making use of their own homegrown innovations. "Our adversaries are very good. But I'm not sure we've seen their best," says Lieutenant General Charles E. Croom, who heads the Pentagon's Joint Task Force for Global Network Operations.

A Different Kind of Soldier

The U.S. Air Force is preparing for a digital onslaught. It now aggressively seeks recruits, identifying cyber space in all its recruitment ads as its new domain of military activity. The Air Force has long had a role in aviation, of course, and also in space. Now it's adding cyber space. Among skills said to be in demand: the use of "hack backs" that probe intruders' own systems, and outright offensive measures. "Everything out there can reach and touch us," says General John C. "Chris" Inglis, deputy director of the National Security Agency. "We must be able to outmaneuver our adversaries." Despite the alarming rise of cyber intrusions and a new sense of urgency, some traditions are hard to break. When General Lord told Air Force officials he wanted to reach out to hackers through a forum on Slashdot, some of his colleagues advised against it. "There were elements of the Air Force that didn't think I should engage the Slashdot guys," he says. "They're not the kind [of soldier] that I grew up with where you marched to breakfast in the morning. This is a different kind of crowd." General Lord says he ignored the advice because the U.S. needs top-notch cyber soldiers. "It's speed of light warfare, it's not speed of sound warfare. It's faster than our F-22."

Defenseless on the Net

By Keith Epstein, Business Week, 16 April 2008

Editor's Note: This is the fourth and final article in a series on cyber espionage.

During the Middle Ages walls became less of a barrier. Soldiers would simply set up a catapult-like device known as a trebuchet. This enabled them to fling hundred-pound projectiles and disease-conveying corpses over supposedly impenetrable fortifications. Never mind how competently the 12th century's security professionals routinely patched and updated their fortress exteriors, invaders got in. Today, rapidly evolving cyber espionage threats, state-sponsored hackers, and other Internet miscreants are bounding over the best modern protections consumers, corporations, and governments can set up. The situation is providing a steady source of revenue—in the many billions of dollars—for the essential products and services of computer and network security firms. Yet as illustrated by the intrusions described by a BusinessWeek investigation, all these defenses—firewalls and antivirus updates—devouring an organization's time, servers, and technology budget can be useless against even one moderately adept hacker engaging in open-source "net reconnaissance" such as simple Googling; crafty "social engineering" of fake e-mail attachments that trick recipients because they mimic messages from the boss or a client; and leveraging of cyber-break-in "toolkits" readily available online.

Disconnecting From the Internet

If the hacker hordes in China, Russia, or dozens of other cyberactive nations can catapult their Trojan programs and other malware over state-of-the-art safeguards—confounding some of the best cybersleuths that intelligence agencies and the private sector can muster—can any of us have confidence that our networks are secure? Not the U.S. government. On classified orders from President Bush the government is, in part, now coping with the hacking onslaught by literally disconnecting from the Internet.
The feds are closing as many Internet ports as they can, everywhere they can, possibly leaving open fewer than 100 of the current 4,000-plus conduits used by cyberspies and hackers. Imagine if the government took the same approach to securing U.S. ports, closing all but a few seaports to shipping vessels. "We're well past the point where plugging holes is effective," says one of the nation's most senior military officials, who requested anonymity so he could speak about Pentagon anxieties over cyberattacks and defensive weaknesses. "This is persistent activity at the speed of light. If I'm the adversary and I get in, the guy at the other end can have all the McAfee products (computer security software) in the world but I'm always there. I'm in."

Hoist With Our Own Petard

No wonder Microsoft—widely criticized in the past because its software has been riddled with so many vulnerabilities—is now proselytizing about rebuilding Internet trust through better security hardware. "Microsoft and the technology industry alone cannot create a trusted online experience," acknowledges Scott Charney, Microsoft's chief security strategist. "Time to change the game," he says. Some say it's also time to publicly acknowledge the inescapable truth about a high-tech fighting force: By emphasizing technology meant to give us an edge over our enemies, we've given our potential enemies an edge. "We've shifted the field of military competition from nukes and ballistic missiles—hard to compete against—to networks and satellites where dozens of countries can compete. Our affinity for new technology has empowered all of our enemies," says Lexington Institute Chief Operating Officer Loren Thompson, a defense analyst and consultant with close ties to the Pentagon. The trouble is, nobody wants to put the technology away—not the government, the military, corporations, or the average user. The benefits are too many. Internet-dependent warfare, like Internet-dependent commerce and communications, will only grow in the years ahead, along with ever more challenging hazards. "Risk mitigation" is the strategy at the Pentagon's Joint Task Force for Global Network Operations, which oversees security of the military's seven million computers around the world—so many it requires 14,000 networks and 120,000 leased commercial circuits to tie them together. Break-ins soared 55% last year.

An Online Arms Race

Indeed, for every security fix it seems a counter-exploit emerges. About a year ago the military beefed up its Internet perimeter defenses with layers of security and automated intrusion detection, and by requiring users to log into computers with electronic cards and codes rather than passwords that can be "logged" by hackers. The result? The number of password intrusions fell by half. That's when hackers turned from key-logging to more pernicious forms of spear-phishing. Yes, even the arms race is now online. Even the fortifiers themselves no longer have confidence in the fort. Microsoft's Charney, in a white paper unveiled Apr. 8 during the RSA computer security conference, is up front about his company's struggle to make the Windows world sufficiently sheltered. "Although Microsoft Corp. and many other organizations have taken significant steps to improve the security and privacy of their products and services," he writes, "these activities alone will not make the Internet secure enough and privacy-enhanced enough for many of its potential uses." Charney says the key to better security is seeking improved verification of users' identities, the ability to monitor or review their action, and—most strikingly for a software firm—security that is "rooted in the hardware." One of his solutions would tie the operating system to the hardware for a "trusted boot"—a way of ensuring no one has tampered with the software code. Says Charney, a former federal prosecutor of cybercrimes during the 1990s, "We need to create a more authenticated and audited Internet environment."

Multi-Billion Dollar Overhaul

On the same day Charney presented his ideas, Homeland Security Secretary Michael Chertoff informed the same audience of the need for "a Manhattan Project to defend our cybernetworks." While Chertoff studiously avoided disclosing details, he emphasized the bottom line: It will take something on the scale of that historic race against time to develop bold weapons to lessen the threats of cyberadversaries. A largely classified overhaul of U.S. cybersecurity, expected to cost tens of billions of dollars, is already underway. President Bush quietly set it in motion by signing a pair of classified directives in January. Senior U.S. military officials tell BusinessWeek that still more money is needed, most likely requiring a partnership with industry. Behind the scenes there's spreading talk in Washington of ways, both timeworn and seemingly novel, to fix Internet security.
After what has been a revolving door of cybersecurity chiefs, the Homeland Security Dept., for instance, has made an unconventional choice. Last month it hired its fifth cybersecurity chief in five years—a Silicon Valley entrepreneur, Rod Beckstrom, whose trendy book, The Spider and the Starfish, suggests how to defeat competitors or adversaries with decentralizing, non-hierarchical tactics.

Insured by Internet Protection

Another unconventional approach, a public-private research and development endeavor on the scale of Los Alamos or the Manhattan Project, could involve sensors to broaden surveillance along Internet pathways, the better to warn companies of threats within milliseconds of when they might arrive, government sources say. At the Pentagon, of all places, generals are quietly advocating a Federal Deposit Insurance Corporation-like agency that could, for example, certify financial institutions that have agreed to be part of this real-time, government-run monitoring system. Supercomputers would analyze massive volumes of traffic to detect intruders and assure the credibility of data flows. Financial institutions would help pay for the sensor and surveillance system. An "FDIC" sticker on the window—such as "Financial Data Insurance Corporation"—would reassure investors and depositors. Other people in Washington are urging greater development of countermeasures and offensive tactics—ways to "hack back" and, yes, strike first. A "hack-back," itself a form of hacking, is sometimes used by law enforcement (armed with a court order) to locate the source of an attack. Other forms involve striking back to disrupt or shut down an attacking machine, or planting software to spy on the attacker.

Absolute Security Not Possible

Meanwhile, defense contractors are trying to cope with a controversial government proposal worrying them. Though still informal and undisclosed as of April, 2008, it suggests that companies such as Boeing and Lockheed open their private networks to government monitoring and scrutiny, or risk being unable to compete for contracts. And then, of course, there's the certainty that such solutions won't work perfectly. A senior U.S. military official, after describing the possible fixes and paradigm shifts he views as urgently needed, suddenly stops during an interview. "Even then," he says, sighing. "The truth is, absolute security won't be possible."

The Al-Qaeda Media Machine

By Phillip Seib, J.D., Military Review, May-June 2008

Like an aging rock star who has dropped out of the public eye, Osama bin-Laden occasionally decides to remind people that he’s still around. He makes video appearances that first appear on Arabic television channels but which the world quickly sees on television or on multiple Web sites. Bin-Laden’s message is “Hey, they haven’t caught me yet,” which cheers up his fans, but his threats and pronouncements are mostly terrorist boilerplate. For all the parsing of his sentences and scrutinizing of the color of his beard, hardly anything in his videos helps us better understand and combat terrorism.

Meanwhile, significant Al-Qaeda media efforts go largely unnoticed by news organizations and the public. This myopia is characteristic of an approach to antiterrorism that focuses on Bin-Laden as terror-celebrity while ignoring the deep-rooted dynamism of a global enemy. Most jihadist media products make no mention of Bin-Laden, but they deserve attention because they are vital to Al-Qaeda’s mission and to its efforts to extend its influence. Al-Qaeda has become a significant player in global politics largely because it has developed a sophisticated media strategy.

Lacking a tangible homeland—other than, perhaps, scattered outposts in the wilds of Waziristan—Al-Qaeda has established itself as a virtual state that communicates with its “citizens” and cultivates an even larger audience through masterful use of the media, with heavy reliance on the Internet. For every conventional video performance by Bin-Laden that appears on Al-Jazeera and other major television outlets, there are hundreds of online videos that proselytize, recruit, and train the Al-Qaeda constituency.

Growth of Media Machine

The Al-Qaeda media machine has grown steadily. Al-Qaeda and its jihadist brethren use more than 4,000 web sites to encourage the faithful and threaten their enemies. The Al-Qaeda production company, As-Sahab, released 16 videos during 2005, 58 in 2006, and produced more than 90 in 2007. Like a Hollywood studio, As-Sahab has a carefully honed understanding of what will attract an audience and how to shape the Al-Qaeda message. You won’t get As-Sahab’s videos from Netflix, but any Web user can easily find them, and the selection is wide. In 2006, the Global Islamic Media Front, an Al-Qaeda distribution arm, offered “Jihad Academy,” which includes footage of attacks on U.S. troops, insurgents assembling improvised explosive devices (IEDs), prospective suicide bombers reading their last testaments, and general exhortations to join the war against the United States, Israel, and other foes.

Another distributor with ties to Al-Qaeda, Ansar al-Sunnah’s Media Podium, produced “Top 20,” a selection of filmed IED attacks on U.S. forces in Iraq “in order to encourage the jihad and the competition between the mujahideen to battle and defeat their enemy.” For this greatest hits video, criteria for selection included “the degree of security conditions while filming the operation’s site” and “precision in hitting the target.”[1]

With the stirring music and graphic images of an action movie, the videos fortify the resolve of the Al-Qaeda faithful and, even more important, capture the attention of 15-year-olds in cyber cafes—the next generation of Al-Qaeda warriors. Al-Qaeda takes recruitment seriously, recognizing that potential martyrs require convincing that their sacrifice will be noble and worthwhile. Once inspired by the videos, the prospective jihadist might move on to a Web posting such as “How To Join Al-Qaeda,” which tells him: “You feel that you want to carry a weapon, fight, and kill the occupiers . . . . Set a goal; for example, assassinating the American ambassador—is it so difficult?”[2]

Spreading the Message

As-Sahab is part of the media department Bin-Laden established when Al-Qaeda formed in 1988. The first message to emerge was that Al-Qaeda was a brave underdog facing the monstrous Soviet Union. Soon thereafter, Al-Qaeda announced its resolve to take on other purported enemies of Islam. In 1996, Bin-Laden issued his “Declaration of War on the United States” and used the Al-Qaeda media machinery to spread the call for jihad.

Before a U.S. air strike killed him in June 2006, Abu Musab al-Zarqawi, the self-proclaimed head of Al-Qaeda in Iraq, took this kind of media work to a new level. He first displayed his grisly flair for using media when terrorists abducted American businessman Nicholas Berg and beheaded him in Iraq in 2004, with Zarqawi apparently the executioner. The terrorists videotaped the beheading and presented it on a Web site, from which it was copied to other sites and downloaded 500,000 times within 24 hours.[3]

The following year, Zarqawi began an online magazine, Zurwat al-Sanam (The Tip of the Camel’s Hump, meaning ideal Islamic practice), which featured 43 pages of text, including stories about fallen jihadists, and photographs of Osama bin-Laden and George W. Bush.[4] Later, Zarqawi’s “information wing”—which included his own online press secretary—released “All Religion Will Be for Allah,” a 46-minute video with scenes including a brigade of suicide bombers in training. As The Washington Post reported, the video was offered on a specially designed Web page with many options for downloading, including Windows Media and RealPlayer versions for those with high-speed Internet connections, another version for those with dial-up, and one for downloading it to play on a cell phone.[5] Production quality has become more sophisticated, with many videos now including subtitles in several languages and some featuring 3-D animation.[6]

Al-Qaeda-related operations outside the center of the Middle East have also copied the As-Sahab look, as we can see in the Al-Qaeda organization’s video productions in the Islamic Maghreb. Videos of the December 2006 attack in Algeria on a convoy of employees of Halliburton subsidiary Brown & Root-Condor and the April 2007 attacks in Algiers featured the professional technical quality of As-Sahab productions. Terrorism experts speculated that an Al-Qaeda condition for its affiliating with the North African Salafist Group for Call and Combat was an upgrade of the local group’s media competency.[7]

Even cartoons depicting children as suicide bombers are easily available on the Web, and Hamas’s Al-Aqsa Television has featured children’s programming that extols martyrdom. On one popular program on this channel, Pioneers of Tomorrow, a Mickey Mouse-like character became a martyr when he refused to turn over his family’s land to Israelis. In another episode, the child host of the show sang, “We can defeat the colonialist army. We have regained our freedom through bloodshed and the wrath of fire. If we receive good tidings, we will meet our death with no hesitation.”[8] It is hard to calculate the damage that the poisonous residue of such fare may cause over time.

Through news reports, satellite television provides Al-Qaeda and the public with graphic representations of Al-Qaeda’s work and occasional glimpses of Bin-Laden himself. More significantly, the Internet supplies more detailed versions of what the news media have covered, all the while furthering operational connectivity and a sense of cohesion. Michael Scheuer observed that “the Internet today allows militant Muslims from every country to meet, talk, and get to know each other electronically, a familiarization and bonding process that in the 1980s and early 1990s required a trip to Sudan, Yemen, Afghanistan, or Pakistan.”[9] As author Gabriel Weimann noted, Sawt al-Jihad (Voice of Jihad), an Al-Qaeda online magazine, reflects the multiple purposes of such ventures: “Orchestrating attacks against Western targets is important, but the main objective remains that of mobilizing public support and gaining grassroots legitimacy among Muslims.”[10]

Training Opportunities

A further aspect of this effort to build a Web-based constituency is an online library of training materials explaining how to mix ricin poison, how to build a bomb using commercial chemicals, how to sneak through Syria and into Iraq, and other such advice. Experts who answer questions on message boards and chat rooms support some of these items.

Another Al-Qaeda online magazine, Muaskar al-Battar (Camp of the Sword), underscored the value of online instruction: “Oh Mujahid brother, in order to join the great training camps you don’t have to travel to other lands. Alone in your home or with a group of your brothers, you too can begin to execute the training program.”[11] To enhance cyber security for such connections, the online Technical Mujahid Magazine was begun in late 2006 to instruct its readers about electronic data security and other high-tech matters.

During the past few years, the online training curriculum has expanded to include small-unit infantry tactics and intelligence operations such as collecting data, recruiting members of state security services, and setting up phone taps. Readers have downloaded this material in places such as Australia, Canada, Germany, Great Britain, and Morocco, and it has turned up when law enforcement raided cells in those countries. Some intelligence experts argue that online training has its limits—that technical skills and tradecraft require more than Web-based instruction. But although Al-Qaeda’s students might be able to glean only rudimentary knowledge from Internet sources, it is enough to make them dangerous.[12]

Information Operations

The Al-Qaeda leadership has stressed Internet use in directives to its citizens/followers, as was illustrated in this message carried on one of its Web sites:

Due to the advances of modern technology, it is easy to spread news, information, articles, and other information over the Internet. We strongly urge Muslim Internet professionals to spread and disseminate news and information about the Jihad through e-mail lists, discussion groups, and their own Web sites. If you fail to do this, and our site closes down before you have done this, we may hold you to account before Allah on the Day of Judgment . . . . We expect our Web site to be opened and closed continuously. Therefore, we urgently recommend to any Muslims that are interested in our material to copy all the articles from our site and disseminate them through their own Web sites, discussion boards, and e-mail lists. This is something that any Muslim can participate in easily, including sisters. This way, even if our sites are closed down, the material will live on with the Grace of Allah.[13]

This appreciation of the value of the Internet is nothing new for Al-Qaeda. Even when under attack by U.S. forces in late 2001, Al-Qaeda fighters in Afghanistan clung to their high-tech tools. A Pakistani journalist who was on the scene wrote that while retreating, “every second Al-Qaeda member was carrying a laptop computer along with his Kalashnikov.”[14]

The Internet allows access to an almost infinite array of information providers and is attractive for other reasons, as well. For terrorist organizations, the Internet is preferable to satellite television because it provides unmatched opportunities to reach a global audience with video productions without having to rely on any particular television channels. In addition, using the Internet avoids problems associated with distribution of a physical product. Instead of establishing clearing houses to mail videos—a process that law enforcement agencies were able to disrupt—these groups now rely on pirated video-editing software and Web sites onto which material may be uploaded for their followers to access. These sites feature items such as the 118-page “Comprehensive Security Encyclopedia,” which was posted in 2007 with detailed instructions about improving Internet and telephone security, purchasing weapons, handling explosives, transferring funds to jihadist groups, and other useful hints.[15]

One of the masters of this craft was Younis Tsouli, a young Moroccan whose nom de cyber-guerre was “Irhabi007.” Based in England, Tsouli provided technical skills needed by Al-Qaeda after it left Afghanistan and established an online headquarters. He assisted Zarqawi when he used the Internet as part of his war plan in Iraq. Tsouli was adroit at hacking into servers that he then used to distribute large video files. (One of his hacking victims was the computer system of the Arkansas Highway and Transportation Department.)

Arrested in London in 2005 and sent to prison by a British court in 2007, Tsouli understood the effectiveness of the Internet in reaching potential recruits for Al-Qaeda’s cause. The 2006 U.S. National Intelligence Estimate acknowledged the importance of this: “The radicalization process is occurring more quickly, more widely, and more anonymously in the Internet age, raising the likelihood of surprise attacks by unknown groups whose members and supporters may be difficult to pinpoint.”[16]

By mid-2007, some Al-Qaeda-related Web sites were broadening their agendas. “Media jihad” included entering online forums with large American audiences in order to influence “the views of the weak-minded American” who “is an idiot and does not know where Iraq is.” The “weak-minded” were to be targeted with videos showing U.S. troops under fire and with false messages purportedly from American soldiers and their families lamenting their involvement in the Iraq war. At the same time, Web forums for Islamist audiences featured information gleaned from Western news reports, such as poll results showing lack of public support for the war and, occasionally, information about weapons systems that news stories published.

Worldwide Recruiting

Beyond the material directly addressing warfare, such Web sites devote some of their content to ideological and cultural issues that are at the heart of efforts to win the support of young Muslims. Because Al-Qaeda’s leaders believe this will be a long war, they see appealing to prospective jihadists and enlarging their ranks as crucial to their eventual success. The number of English-language jihadist sites has been growing, with approximately 100 available as vehicles for militant Islamic views. Some of these operate overtly. In October 2007, the New York Times profiled a 21-year-old Saudi-born American living in North Carolina whose blog extols Bin-Laden’s view of the world. He includes videos designed to appeal to North American and European Muslims who are angry about the Iraq war and are responsive to claims that Islam is under siege.

This blogger had apparently not violated any U.S. laws, so he continued his online efforts, reaching—he claimed—500 regular readers. Although some law enforcement officials want to shut down such sites and prosecute their proprietors, some terrorism experts propose that such sites be allowed to operate in public view because they may provide insights into terrorist thinking and operations.[17]

Al-Qaeda’s recruiting efforts have targeted British and American Muslims, such as a 2006 video that described rapes and murders allegedly committed by U.S. soldiers in Iraq. Released to mark the first anniversary of the 7/7 bombings in London, the video featured Bin-Laden’s deputy, Ayman al-Zawahiri; Shehzad Tanweer, one of the London bombers, who died during the attack; and Adam Gadahn, also known as “Azzam the American,” who grew up in California.

Tanweer, delivering his final testament in English with a Yorkshire accent, said: “We are 100 percent committed to the cause of Islam. We love death the way you love life. . . . Oh, Muslims of Britain, you, day in and day out on your TV sets, watch and hear about the oppression of the Muslims, from the east to the west. But yet you turn a blind eye, and carry on with your lives as if you never heard anything, or as if it does not concern you. . . . Oh, Muslims of Britain, stand up and be counted. . . . Fight against the disbelievers, for it is an obligation made on you by Allah.” To this, Gadahn added, “It’s crucial for Muslims to keep in mind that the American, the British, and the other members of the coalition of terror have intentionally targeted Muslim civilians.”[18]

Among more recent videos aimed at a U.S. audience is “To Black Americans,” which features Zawahiri criticizing Colin Powell and Condoleezza Rice and introducing video clips of Malcolm X talking about the unfair treatment of African-Americans. (These video clips date back to the Vietnam War years.) This video resembles Cold War-era communist propaganda, and it does not appear to have caused much of a stir, but it gives some indication of where Al-Qaeda’s propaganda efforts are heading.

Terrorist organizations see young Muslims in non-Islamic countries as likely prospects for recruitment, and so they use media tools to stoke anger about purported economic and political discrimination. Al-Qaeda is apparently trying to create an online community where members of the Muslim diaspora will feel at home. Once they are part of this “community,” they can view a steady stream of jihadist messages of varying degrees of subtlety.

Al-Qaeda recognizes the value of developing online networks. Chris Zambelis wrote, “The Internet enables like-minded militants to associate and communicate anonymously in cyber social networks. This process reinforces their sense of purpose and duty and encourages solidarity with the greater cause.”[19] Extending such efforts beyond an Arabic-speaking core of support is a crucial part of Al-Qaeda’s expansion.

YouTube and other such sites make videos like “To Black Americans” easily available, which differentiates today’s propaganda from its antecedents during the Cold War and earlier. It can reach a global audience instantly. Just how big that audience really is remains open to question, but as Al-Qaeda increases its video production output, it seems to be operating on the theory that at least some of its messages will reach their desired viewers.

During the second half of 2007, U.S. forces in Iraq shut down at least a half-dozen Al-Qaeda media outposts in that country. One house the U.S. raided in Samarra contained 12 computers, 65 hard drives, and a film studio. The American military effort to halt such media operations relied in part on the belief of General David Petraeus that “the war is not only being fought on the ground in Iraq but also in cyberspace.”[20] Petraeus’s concern relates to an issue raised in U.S. Army and Marine Corps Field Manual, Counterinsurgency—insurgents attempt to shape the information environment to their advantage by using suicide attacks and other such tactics to “inflate perceptions of insurgent capabilities.”[21]

Cyberspace Warfare

Information dominance is a modern warfare tenet that is increasingly important, particularly if conventional military strength accompanies the effective exercise of soft power. Al-Qaeda understands the limitations of its own use of “hard power”—the coercive force of terrorist attacks—and continues to expand its conceptual approach to information warfare. Recognizing the pervasiveness of the information delivered by satellite television and the Internet and the influence of news organizations ranging from the BBC to Al-Jazeera, Al-Qaeda is now offering, in the words of Michael Scheuer, “a reliable source of near real-time news coverage from the jihad fronts for Muslims.” From Iraq and Afghanistan, wrote Scheuer, Iraqi insurgents and Taliban forces produce, on an almost daily basis, combat videos, interviews with their commanders, and graphic footage of retaliatory measures against locals who cooperate with American or U.S.-backed forces.[22]

This effort reflects Al-Qaeda’s dissatisfaction with Arab news organizations as vehicles for its media products. Zawahiri has criticized Al-Jazeera, in particular, because it refused to be a mere conveyor belt for Al-Qaeda videos, dared to edit Bin-Laden’s pronouncements rather than show them in their entirety, and gave airtime to Al-Qaeda’s critics. Because of As-Sahab’s video producers’ technical expertise, Al-Qaeda can now set itself up as a third force that provides a message different from Western media and the new generation of Arab news providers.

Zawahiri has said that what he calls “jihadi information media” have been “waging an extremely critical battle against the Crusader-Zionist enemy” and have “demolished this monopoly” by confronting conventional media organizations. Taking things a step further, in late 2007, Zawahiri offered to participate in an online interview in which he would take questions from individuals and news organizations.[23]

To some extent, this might be mere gamesmanship on the part of Al-Qaeda. By making himself available for a cyberspace chat, Zawahiri taunts those who have been hunting him for years. By holding a “news conference,” the Al-Qaeda leadership positions itself on a plane comparable to that where “real” governments operate. By using new media to communicate with the rest of the world, Al-Qaeda stakes a claim to being an exponent of modernity.

One is tempted to dismiss these maneuvers as just another distracting ploy by murderous thugs, but for those who see Al-Qaeda’s cadres as heroic defenders of Islam—and their numbers are substantial—this exercise is evidence of legitimacy, despite Al-Qaeda’s vilification by much of the world.

The inadequate responses to Al-Qaeda’s media messages heighten the danger. Even a flawed argument has appeal when we allow it to stand in an intellectual vacuum. Moderate Muslims and non-Muslims who do not accept the idea that prolonged conflict is inevitable must recognize this reality and act on it in a sophisticated, comprehensive way.

This means providing a steady stream of videos and other materials through the new media that many members of the Al-Qaeda audience use. This counter-programming should not feature defensive, pro-American content, but rather should concentrate on undermining Al-Qaeda’s purported nobility, such as by reminding the audience how many Muslims have died in the terrorist attacks and insurgent warfare Al-Qaeda instigated.

Osama bin-Laden will undoubtedly pop up in another video before long. Note what he says, but then look to the always expanding reservoir of jihadist media to see what Al-Qaeda is really up to.

NOTES

1. <www.archive.org/details/jihad-academy>; <www.archive.org/details/top_20>.
2. “On Islamist Websites,” MEMRI (Middle East Media Research Institute), Special Dispatch Series no. 1702, 31 August 2007.
3. Nadya Labi, “Jihad 2.0,” The Atlantic Monthly (July/August 2006): 102.
4. Robert F. Worth, “Jihadists Take Stand on Web, and Some Say It’s Defensive,” New York Times, 13 March 2005.
5. Susan B. Glasser and Steve Coll, “The Web as Weapon,” Washington Post, 9 August 2005.
6. Craig Whitlock, “The New Al-Qaeda Central,” Washington Post, 9 September 2007.
7. Andrew Black, “Al-Qaeda in the Islamic Maghreb’s Burgeoning Media Apparatus,” Jamestown Foundation Terrorism Focus, vol. IV, issue 14, 15 May 2007.
8. “On Hamas TV Children’s Program,” Middle East Media Research Institute, Special Dispatch Series no. 1793, 27 December 2007.
9. Michael Scheuer, Imperial Hubris (Washington, DC: Brassey’s, 2004), 81.
10. Gabriel Weimann, Terror on the Internet (Washington, DC: United States Institute of Peace, 2006), 44.
11. Steve Coll and Susan B. Glasser, “Terrorists Move Operations to Cyberspace,” Washington Post, 7 August 2005, A1.
12. Michael Scheuer, “Al-Qaeda’s Media Doctrine,” Jamestown Foundation Terrorism Focus, vol. IV, issue 15, 22 May 2007; “The Role and Limitations of the ‘Dark Web’ in Jihadist Training,” Stratfor Terrorism Brief, 11 December 2007.
13. Weimann, Terror on the Internet, 66.
14. Abdel Bari Atwan, The Secret History of Al-Qaeda (Berkeley, CA: University of California Press, 2006), 122.
15. Evan F. Kohlmann, “The Real Online Terrorist Threat,” Foreign Affairs 85, no. 5 (September-October 2006): 117; Middle East Media Research Institute, “Islamist Websites Monitor 82, 84,” Special Dispatch Series no. 1543, 13 April 2007.
16. National Intelligence Council, National Intelligence Estimate, “Trends in Global Terrorism: Implications for the United States,” April 2006, Key Judgments (Unclassified).
17. Michael Moss and Souad Mekhennet, “An Internet Jihad Aims at U.S. Viewers,” New York Times, 15 October 2007; Michael Moss, “What To Do About Pixels of Hate,” New York Times, 21 October 2007.
18. “American Al-Qaeda Operative Adam Gadahn, Al-Qaeda Deputy al-Zawahiri, and London Bomber Shehzad Tanweer in New al Sahab/Al-Qaeda Film Marking the First Anniversary of the 7/7 London Bombings,” Middle East Media Research Institute (MEMRI), Special Dispatch Series no. 1201, 11 July 2006; Jessica Stern, “Al-Qaeda, American Style,” New York Times, 15 July 2006.
19. Chris Zambelis, “Iraqi Insurgent Media Campaign Targets American Audiences,” Jamestown Foundation Terrorism Focus, vol. IV, issue 33, 16 October 2007.
20. Jim Michaels, “U.S. Pulls Plug on Six Al-Qaeda Media Outlets,” USA Today, 4 October 2007.
21. The U.S. Army-Marine Corps Counterinsurgency Field Manual (Chicago, IL: University of Chicago Press, 2007), 5.
22. Scheuer, “Al-Qaeda’s Media Doctrine.”
23. Shaun Waterman, “Zawahiri Pledges Online Chat,” United Press International, 17 December 2007.
A Model Strategic Communications Plan from Where You Wouldn't Expect It

By Matt Armstrong, via MountainRunner blog, April 22, 2008

One of the most famous aphorisms of Edward R. Murrow is his statement on the "last three feet":

The really crucial link in the international communication chain is the last three feet, which is bridged by personal contact, one person talking to another.

The importance of face-to-face, personal contact in counterinsurgency cannot be emphasized enough. Engaging in this last three feet requires more than figuring out the right words and establishing a grammar to communicate with locals. It means understanding we have a "say-do" gap (the propaganda of deeds versus the propaganda of words) that requires emphasizing actions over words and public and private pronouncements.

Marine Corps General Doug Stone, commander of Task Force 134, Detainee Operations, in Iraq has just signed off on a smart strategic communications plan that should be used as a model for other units. It clearly communicates intent and provides guidance and has the buy-in of General Petraeus.

It makes perfect sense to focus on detainee operations. As Stone notes, "detainee operations is certainly a battlefield; it is the battlefield of the mind, and it is one of the most important fights in counterinsurgency." Besides the fact that he has a captive audience, by definition, his charges have decided to take significant action against the Coalition. For more on the operations of TF134, read this post.

The primary audience and the primary target of the plan is the Task Force itself, which, as one reviewer noted, is a statement that the military culture still requires tweaking. The challenge will be, according to another reviewer, translating the high-level guidance into action.

The plan isn't long, so if you're at all interested, I suggest you read it. To encourage that, excerpts from the Overview and Purpose are below the fold.

From the Overview:

For our purposes as the counterinsurgent force, we will consider it an absolute imperative that our actions are fully congruent with the ideals that we promote. There can be no “gap” between what we say and what we do.

Leaders must understand the importance of this last statement; it is the keystone of our communication efforts. As the above passage from Counterinsurgency Warfare: Theory and Practice makes clear, we have the responsibility as the counterinsurgent to “walk the walk” as well as we “talk the talk.” Our priorities and values must be displayed in every deed, and reflected in the actions of every man and woman serving in internment facilities throughout the Iraqi Theater of Operations.

What you will find here is far more than a collection of talking points or a series of taskings for the Public Affairs Office and Information Operations Cell. The doctrinal information functions of PA and IO certainly serve to support select aspects of our strategic communication initiatives, but they are not the main effort. Rather, this plan places the emphasis on the conduct of the individual service member to demonstrate who we are, what we do, and what we stand for. This point is critical to the ultimate success of the plan.

From the Purpose:

Winning a counterinsurgency requires gaining the support of the population. In the case of Iraq, defeating the insurgency means empowering moderates to marginalize the violent extremists. Detainee operations are a major front in that struggle because internment is, at its best, population engagement. ...This is the ultimate purpose of our strategic communication plan: Demonstrate to the citizens of Iraq and the greater Muslim Umma that we are dedicated to establishing an alliance with moderate Muslims and empowering them to marginalize violent extremists.

Faithful execution of this plan is critical to our success, and it is the duty of every leader within the task force to understand its purpose and apply its guidance. Each and every warrior in this command must understand that all we say and do will be judged by the peoples of the world, and it is our inherent responsibility to inform that judgment through the values demonstrated in our every action.

{Editor Note: You can download the document at http://mountainrunner.us/files/TF-134_Strategic_Communication_Plan_FINAL_Apr_08.pdf}