National Security


The case for kicking terrorists off Twitter.

Somali al Qaeda affiliate al-Shabab woke up one January morning to discover that its popular English-language Twitter account -- @HSMPress -- had been suspended, apparently because it had issued a direct, specific threat of violence in breach of Twitter's terms of service.

This rare termination dusted off one of the counterterrorism industry's most-cobwebbed and least-resolved debates: Should we let terrorist groups use the Internet, or should we try to knock them offline?

When the debate first started, not long after 9/11, terrorist use of social media -- anything from message boards to Facebook accounts -- was concentrated in a relative few channels. Today, it's spread to hundreds of different outlets, including multiple dedicated Web forums, blogs, Facebook, Twitter, YouTube, and beyond.

Stopping terrorists from spreading their propaganda online (using U.S.-based Internet companies to boot) seems like a no-brainer to many. But within the terrorism studies community, there are two common and sincere objections to disruptive approaches for countering violent extremism online.

The first objection is that knocking terrorists offline "doesn't work," because when you eliminate one account, the terrorists just open up a new account under a different name -- which is exactly what al-Shabab did after a little more than a week. And then, the theory goes, you're back to square one. It's a high-tech game of whack-a-mole.

The second objection is that forcing terrorists off the Internet destroys a valuable source of intelligence, because government, academic, and private sector researchers rely on these online operations for information about what distant groups are doing and who supports them. "The intelligence community took the position that you cannot take this stuff, you cannot take these sites, down," intelligence historian Matthew Aid told Voice of America last year after a number of jihadist forums went offline. The argument was that more information was gained "by monitoring these sites than any possible advantage that could be derived from shutting them down. And the intelligence community prevailed on this point."

Until now, there has been precious little data in the public domain to clearly support or refute either notion. But al-Shabab's termination is what scientists call a "found experiment" -- a free lunch in which the universe hands you the data you need to test a theory.

Al-Shabab is a particularly useful example, since its Twitter account has by most measures been one of the most successful terrorist forays into popular social media. But it's not the only one. Jabhat al-Nusra already has more Twitter followers than al-Shabab ever did, and jihadis are by no means the only extremists using the medium. So the lessons learned from this example are likely to have broad applications.

Theory One: Disruption accomplishes nothing because they just come roaring back

I collected a list of @HSMPress's followers on January 16, less than a week before the account was suspended on January 25. At the time, al-Shabab had nearly 21,000 followers. As of Sunday, February 17, two weeks after its creation, the new account had just passed the 2,400-follower mark. (I won't help them out by linking the new account, but it's not hard to find if you're interested.)

Obviously, al-Shabab will continue to rebuild its follower network, but a disruption doesn't have to be permanent to be effective. From January 26 to February 17, al-Shabab averaged about 1,300 followers per day. It currently has less than 12 percent of its former reach. And its followers are in no hurry to come back.


If it maintains its current rate of growth, al-Shabab will need six months to a year to rebuild its former network. While that pace could well accelerate, there's also no guarantee the account will ever fully recover.

Significantly, Al Jazeera English did a story on al-Shabab's return during the period used to make this forecast. The story linked directly to al-Shabab's account, yet it barely moved the needle in terms of generating new followers for the Somali terrorists.

So the termination is likely to produce months or more of disadvantage to al-Shabab. Its ability to communicate with fans and generate a supportive social network certainly hasn't been eliminated, but it's been seriously and measurably damaged for a fairly significant length of time.

This isn't the only dataset suggesting that disruptions to online extremist networks do long-term damage. An ambitious New America Foundation paper published last week by Aaron Zelin, a fellow at the Washington Institute for Near East Policy, tracked the number of posts per day at the most important jihadi message forums.

Zelin also benefited from a found experiment when two of the three top forums he was tracking were knocked offline for a significant amount of time. The cause of the disruption is still unknown, but its effects were easy to see in Zelin's data.

[Chart: posts per day on the top jihadi forums before, during, and after the outage of two of them. Credit: Zelin/New America Foundation]

While two of the three forums were offline, the third one picked up some activity -- but not nearly enough to compensate for the loss of the other two. The overall number of posts per day plummeted by 80 percent. After the two disrupted forums returned, their posts per day ran 13 percent lower than before the takedown.

One reason the disruption was less severe on the forums than on Twitter has to do with the structure of each network. When al-Shabab's Twitter account was terminated, it lost all of its followers and had to rebuild from scratch. User accounts on the forums can be backed up, so users did not have to re-register and they could jump right back in.

The forums are also destination Web sites; you go there seeking out specific kinds of discussion and community. On Twitter, where attention spans are shorter, most users follow multiple accounts, so the loss of @HSMPress was more easily overlooked.

Importantly, although there's a Web forum devoted specifically to al-Shabab, it has never gained nearly the same kind of traction that the Arabic jihadist forums enjoy. Al-Shabab is much more reliant on social media than the broader global jihadist community, so the termination of its Twitter account was a pretty big deal.

Theory Two: You lose valuable intelligence by knocking terrorists offline

@HSMPress had 21,000 followers -- surely that's more useful than 2,400, right? It's intuitive to think that more is better in the intelligence business -- no matter how many times solid leads drown while we try to drink from the fire hose.

But although we're still getting the same basic information from the account's tweets, our ability to evaluate al-Shabab's social network of supporters just got a big boost.

Twitter accounts accrue followers; that is their nature. Some of those followers are indiscriminate about who they link up with, others become inactive over time. Some are curiosity-seekers with a casual interest who are too lazy to unfollow. The vast majority are simply passive consumers of information.

Any time you can weed a dataset down from large and fuzzy down to small and focused, you're winning the intelligence game. The active social network that springs up around a propaganda account is its most important feature, and to study it, you need to winnow that list of 21,000 users down to the handful who are really engaged.

There are many different ways to do this, but here's just one, and it happens to be easy. We know who followed al-Shabab in January, and we know who follows al-Shabab at its new account. There's noise in the new list of 2,400 followers as well, but we can use a comparison of the two lists to figure out who among the first group made a conscious effort to find and follow al-Shabab at its new address.


The former followers who quickly signed up for al-Shabab's new Twitter account -- just 882 users -- have a serious interest in the al Qaeda affiliate's activities.

While there is still some noise in the set -- well over 100 journalists and researchers, for instance -- this smaller group forms a strong starting point for analysis. We know these users are more likely to be very interested in al-Shabab, and the number is manageable enough that a single analyst can look at each account individually to make a more sophisticated evaluation.
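The comparison described above, as an added example that is not part of the original article and does not use the real @HSMPress follower data: two constructed snapshots of follower handles are intersected to find the accounts that deliberately sought out the new address, and a known-noise list (journalists, researchers) can be subtracted before an analyst reviews the rest.

```python
"""Winnow a follower list by comparing a pre-suspension snapshot with the
new account's snapshot. Added example; the handles below are constructed
placeholders, not real accounts."""

# Constructed sample snapshots (hypothetical handles).
FOLLOWERS_BEFORE = {"a1", "a2", "a3", "a4", "a5", "journo1", "researcher1", "casual1"}
FOLLOWERS_AFTER = {"a2", "a3", "journo1", "newcomer1", "newcomer2"}

# Accounts already identified as observers rather than supporters (constructed).
KNOWN_OBSERVERS = {"journo1", "researcher1"}


def returning_followers(before, after, exclude=()):
    """Accounts present in both snapshots: they went looking for the new
    address. Anything in `exclude` (known journalists, researchers) is
    dropped so the analyst's queue holds only unexplained returners."""
    return (set(before) & set(after)) - set(exclude)


def winnow_report(before, after, exclude=()):
    """Summarise how much the two-snapshot comparison shrinks the dataset."""
    returning = returning_followers(before, after, exclude)
    return {
        "before": len(before),
        "after": len(after),
        "returning": len(returning),
        # Share of the old audience that made the effort to come back.
        "returning_share_of_before": round(len(returning) / len(before), 3),
        # Share of the new audience that is not brand-new noise.
        "returning_share_of_after": round(len(returning) / len(after), 3),
        "review_queue": sorted(returning),
    }


if __name__ == "__main__":
    report = winnow_report(FOLLOWERS_BEFORE, FOLLOWERS_AFTER, KNOWN_OBSERVERS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the real snapshots, the report's `review_queue` is the manageable list an analyst would examine account by account; the two share figures indicate how much of the old audience returned and how much of the new audience is fresh, unvetted noise.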

A concerted effort to keep al-Shabab off Twitter forever would indeed cost Western observers valuable intelligence. But "forever" is only one option in a universe of possibilities. The "found experiment" of al-Shabab's Twitter suspension demonstrates that disrupting terrorists online doesn't hurt intelligence-gathering. It strengthens it.

In the world of countering violent extremism, opinions are plentiful, but unambiguous data are rare. Al-Shabab's travails provide us with clear evidence for the value of disruption.

All of this illustrates an important but oft-overlooked point: Strategy doesn't have to be an all-or-nothing proposition. Total suppression of extremists on the Internet would cost us real intelligence, but that isn't a reason to just let them do whatever they want. By making their lives difficult, we make ours easier in ways large and small.



Chinese Hackers Are Getting Dangerously Good at English

And they're coming to an inbox near you.

The New York Times' announcement in January that Chinese hackers had compromised its computers, stolen employee passwords, and wormed around its network for four months made for a chilling read to those of us concerned about press safety and digital security. But the paper's latest installment, based on a report released by computer security firm Mandiant, lays out an even more spectacular and serious possibility: that China's military has stolen information from companies "involved in the critical infrastructure of the United States -- its electrical power grid, gas lines and waterworks."

An alarmed American public may wonder whether it's time to push the panic button, but in many respects, this is old news to those in the digital security industry. Chinese hackers have been tracked and traced before. Experts with a dismal view assume everything's hacked, until proven otherwise.

"There's a saying in the security industry," says Eva Galperin of the Electronic Frontier Foundation, an Internet advocacy group. "Everybody is 'owned' all the time. These attacks are constant."

Mandiant's report is the result of years spent tracking a Shanghai-based hacking team dubbed the "Comment Crew," also known as APT1. The company's investigators even managed to pinpoint the hackers' work space: a Shanghai building owned by Unit 61398 of the People's Liberation Army. Mandiant says it has observed some 140 attacks by Comment Crew since 2006.

While the corporate and governmental attacks described by Mandiant and the attacks against New York Times reporters are separate cases executed by different hacking groups, the digital trail leads back to the same location: China.

Galperin has the solution. "If organizations are concerned about security, and they want to know what the one thing is that they can do -- they can teach their users not to click on these links or open these attachments," she says.

The problem is, Chinese hackers are getting dangerously good at tricking users into clicking on what are known as "phishing emails" -- messages with links or attachments that seem innocuous, but actually dump spyware on recipients' computers. One of the secrets? Language skills. Over the course of my five years in China, hackers targeting foreign correspondents became more advanced, upgrading from early phishing attempts using haphazard "Chinglish" to more convincing and polished English.

In one case in 2012, an email appeared to have come from organizers of the Boao Forum, a China-run meeting modeled after Switzerland's World Economic Forum. The English text, grammatically perfect, was copied and pasted from legitimate emails sent by Ogilvy, the international PR firm. It was a far more convincing phishing attempt than those from the days when we would receive one-liners that read: "China's environmental topic. The latest news."

Mandiant's report observes the same developing sophistication: "They begin with aggressive spear phishing, proceed to deploy custom digital weapons, and end by exporting compressed bundles of files to China -- before beginning the cycle again. They employ good English -- with acceptable slang -- in their socially engineered emails."

Opening the Boao attachment would have shown a sign-up sheet for journalists interested in attending the event. The actual payload would run in the background, installing a rare "Trojan" that sent information stolen from the computer to a server located in Chongqing, China. The recipient would never have known he or she had been compromised.

Some phishing emails were bespoke. To my knowledge, I was the only recipient in August 2011 of an email that took advantage of the CVE-2010-3333 vulnerability, a flaw in Microsoft Word's codebase. The message, in Chinese, concerned a July 2011 high-speed rail crash in the city of Wenzhou, a story I had covered and complemented with prolific live-tweeting. The message discussed comments from press freedom organization Reporters Without Borders concerning media access to the crash site. The hackers would have had to know I understood Chinese and would have put in some time to research recent stories I'd worked on. A few other journalists received custom phishing attempts during this period, each email message different but all taking advantage of the same exploit.

Mandiant's report underscores how difficult it is these days to spot a hacker. "The subject line and the text in the email body are usually relevant to the recipient. APT1 also creates webmail accounts using real peoples' names -- names that are familiar to the recipient, such as a colleague, a company executive, an IT department employee, or company counsel -- and uses these accounts to send the emails."

The irony in this brave new world of the digital frontier is that we need to return to old technologies. If you want to check an attachment's safety, pick up the phone and call the sender. Even writing back with email might not work. Mandiant describes how in one instance, the hacker responded to a query by confirming the attachment ("It's legit," the email read). Email back … and you may well start chatting with the very person who is trying to deceive you.

Keeping an eye out for suspicious file extensions no longer works, either. The primitive days of mysterious and suspicious .exe, .rar, and .zip attachments have been replaced by attachments with reassuring but false file formats. The hackers from Unit 61398 "even went to the trouble of turning the executable's icon to an Adobe symbol to complete the ruse," Mandiant notes.
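An icon and a file name are both under the sender's control; the file's leading bytes are not. As an added example, not code from the article or from Mandiant's report, the check below classifies an attachment by its magic number and compares that with what its extension claims, and flags double extensions such as `.pdf.exe`. The sample byte strings are constructed stand-ins, not real malware, and the signature table is deliberately small.

```python
"""Check what an attachment actually is, rather than what its name or icon
claims. Added example; sample inputs are constructed byte strings."""
import os

# Leading bytes ("magic numbers") of common formats. These signatures are
# well known; the table is intentionally limited to a handful of types.
MAGIC = {
    b"MZ": "pe-executable",                          # Windows .exe/.dll/.scr
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip-container",                  # .zip and .docx/.xlsx/.pptx
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",     # legacy .doc/.xls
    b"Rar!\x1a\x07": "rar",
    b"{\\rtf": "rtf",
}

# Content types a given extension should legitimately carry.
EXPECTED_BY_EXT = {
    ".pdf": {"pdf"},
    ".doc": {"ole2", "rtf"},   # Word also opens RTF saved under .doc
    ".docx": {"zip-container"},
    ".zip": {"zip-container"},
    ".rar": {"rar"},
    ".rtf": {"rtf"},
    ".exe": {"pe-executable"},
    ".scr": {"pe-executable"},
}

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".js", ".vbs"}


def sniff_format(data: bytes) -> str:
    """Classify content by its leading bytes; 'unknown' if no signature matches."""
    for magic, fmt in MAGIC.items():
        if data.startswith(magic):
            return fmt
    return "unknown"


def split_extensions(filename: str):
    """Return (last_ext, inner_ext) so 'report.pdf.exe' -> ('.exe', '.pdf')."""
    root, last = os.path.splitext(filename.lower())
    _, inner = os.path.splitext(root)
    return last, inner


def assess_attachment(filename: str, data: bytes):
    """Return a list of findings; an empty list means nothing looked inconsistent.
    An executable carrying a PDF icon is still caught here, because the icon
    lives inside the file and never changes the 'MZ' header or the extension."""
    findings = []
    last, inner = split_extensions(filename)
    fmt = sniff_format(data)
    if last in EXECUTABLE_EXTS or fmt == "pe-executable":
        findings.append("executable content")
    if inner and last in EXECUTABLE_EXTS:
        findings.append(f"double extension {inner}{last}")
    expected = EXPECTED_BY_EXT.get(last)
    if expected and fmt not in expected:
        findings.append(f"extension {last} but content looks like {fmt}")
    return findings


# Constructed samples: a renamed executable, a double-extension lure, a real PDF.
SAMPLES = [
    ("agenda.pdf", b"MZ\x90\x00\x03"),
    ("invoice.pdf.exe", b"MZ\x90\x00\x03"),
    ("agenda.pdf", b"%PDF-1.4\n"),
]

if __name__ == "__main__":
    for name, blob in SAMPLES:
        print(name, "->", assess_attachment(name, blob) or ["no inconsistency found"])
```

A mail gateway or endpoint script would run this on every attachment before it reaches a user; the findings are triage hints, not a verdict, since a genuine document can still carry an exploit for the parser that opens it.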

Mandiant's report, titled "APT1," refers to "advanced persistent threats" -- hacker groups of an institutional, well-resourced nature. Those who've followed APTs know they're nothing new.

A 2009 investigation by Infowar Monitor, a team of technologists at the University of Toronto and the SecDev Group, a Canadian consultancy, revealed an advanced cyber-spying operation called GhostNet. Researchers traced GhostNet's command-and-control center back to China. Hackers had infiltrated computers across 103 countries, from embassies to the offices of the Dalai Lama. In its report, Infowar Monitor declared GhostNet "capable of taking full control of infected computers, including searching and downloading specific files, and covertly operating attached devices, including microphones and web cameras." The hackers used polished phishing emails to gain entry to those systems.

What's different now is that the scope and targets of APTs, which have bled beyond governmental espionage to commercial groups and even individual reporters, reveal a messier, more complex, and more dangerous hacker universe, one in which individuals and institutional players pursue different political, economic, and social agendas.

Even the most advanced technology companies have been hit. In this one month alone, Twitter, Facebook, and Apple all announced their systems had been penetrated by hackers. Bloomberg's latest report says they belong to an Eastern European criminal group. Chinese hackers, while not the sole culprits, pose a bigger geostrategic threat: The same group of hackers targeting a Fortune 500 company may well go after the State Department or a lone activist the next day.

That pattern will likely continue because of one compelling fact: It's affordable. Frank Smyth is founder of Global Journalist Security, an organization working to equip reporters with complete security training, including a digital component. "No one should be surprised, because it doesn't take that much infrastructure. If you have a team of people in a room, you can create a lot of havoc," he says. "That's much cheaper than building a tank or a jet fighter."