Presidential Adviser for Cyberspace Security (2001-2003)
What we found on Al Qaeda computers were two things. One, the kind of simple hacking tools that are available to anyone who goes out on the Internet looking for them, tools such as L0phtCrack that allows you to get into almost anyone's password if they've used a simple eight-digit password. That kind of tool frightens most people when they learn that if they're using only an eight-digit password with standard numbers and letters that probably anyone can get into your password in less than two minutes by downloading a tool like L0phtCrack, which is available publicly on the Internet. It was that kind of tool which we found, nothing terribly sophisticated.
But we also found indications that members of Al Qaeda were from outside the United States doing reconnaissance in the United States on our critical infrastructure. Where were the railroad crossings? Where were the big natural gas depositories? Where were the bridges over rivers that also carried the fiber for the backbone of the Internet? It's possible now to do that kind of targeting, which would have, in the past, required lots of people and running around the country. It's possible to sit in the cyber cafe in Peshawar and do that kind of reconnaissance.
We're troubled by the fact that a number of people related to Al Qaeda -- including Khalid Sheikh Mohammed, who was recently arrested, and was the chief operating officer -- a number of these people have technical background. Khalid Sheikh Mohammed studied engineering at [a] university [in] North Carolina. He was employed for a while at a water ministry in the nation of Qatar in the Persian Gulf. Recently, a student at the University of Idaho was arrested by the FBI for alleged terrorist connections, and he was studying in a Ph.D. program on cyber security.
So, I think, similarly to the fact that some of the Sept. 11 hijackers had training in flight training, some of the people that we're seeing now related to Al Qaeda had training in computer security.
What does this mean as far as attitude towards Al Qaeda's interest in cyber war?
Well, the fact that these people are gathering skills in cyber war capability is very troubling, combined with the fact that we know that they're looking on the Web for hacking tools. We know that because we've seized some of their computers. It suggests to me that Al Qaeda may be trying to grow an indigenous cyber warfare capability.
I think, it suggests that some day we may see Al Qaeda, if it's still alive and operating, use cyberspace as a vehicle for attacking infrastructure, not with bombs but with bytes.
For an organization like Al Qaeda that is looking to leverage its investment, to have the biggest possible damage for the least possible investment, cyberspace is a good bet because it doesn't cost a lot of money to develop these skills. You could have an effect in a number of places simultaneously, without being in those locations, and you can achieve a certain degree of anonymity and a certain degree of invulnerability to arrest [or] apprehension.
Naval Postgraduate School
Some of the things that concern me about the increasing awareness Al Qaeda has of advanced information technologies is the apparent evidence that some of their operatives were undergoing advanced hacking training. It's very clear from intercepted communications, as well as discs that were found, that there is an extremely vigorous use of the Web and the Net. There is a surprisingly small amount of strong encryption being used, but that doesn't mean their messages are uncoded. It appears that there's a lot of low-tech coding going on with simple word substitution codes or perhaps book codes being used, which are also very hard. This is why we need a new Bletchley Park of code-breakers for the information age, because it's not all going to be codes broken by high-performance computers. It's also going to be about intuitive insights that are generated into what kind of paradigm are they using for securing their communications. It's also clear that all money movement is basically done with e-mails rather than the physical movements of money.
Now it's also important, as a last point, not to consider Al Qaeda 10 feet tall in this area. We're looking at [Khalid] Sheikh Mohammed, for example, who was simply using the e-mail account of a relative or friend, and assuming that maybe that relative or friend wasn't going to be monitored in some fashion. Very, very sloppy in that particular case. And there are other examples of sloppiness that we can't talk about in more detail.
But from the evidence that's out there, is there enough evidence to believe that they could be gearing up? And if they are -- or if they're not -- would we know it?
When we think about Al Qaeda and its potential for cyber terror or other sympathetic Muslim groups, we're now in an area that's very proprietary in nature. All I can say on this subject is that there is a cyber jihad going on right now against Israel. And so, we see some people that we associate with modern terrorism who are trying to use cyberspace-based means to pursue their ends. Beyond that, I'm afraid we're in a very classified area.
Center for Strategic and International Studies
[Al Qaeda] laptops were found with programming information and software sites for SCADA systems and other systems for power and water company sites.
I think one of the things that's troubling about Al Qaeda, and really some of the other groups, is they're very methodical. They're very serious. And so, I think they will work through all the options and say, "If I do this attack, what do I get? If I do that attack, what do I get?" They're also very good at collecting information.
They have taken advantage of the global communications networks that we've set up, the global information networks that have appeared in the last decade, and learned how to use them to become a terrorist organization that can operate almost anywhere in the world. So they're a very thorough group. But at the end of the day, I think their first choice is always going to be some more powerful physical weapon. Cyber weapons just aren't a good replacement for bombs.
You're walking sort of out on a limb here, aren't you, because you could be proven wrong?
What I'm trying to do is think about if there was a cyber attack, would it paralyze the United States? And I think that the odds of that are very low, because it's easier to recover from a cyber attack. There's no physical damage. There's no casualties. I think that when Al Qaeda goes through their calculations, they'll go to the same sort of calculation I've gone through, which is they want something that's going to be successful.
I think there's the psychological payoff which is these people want to do things that will allow them to attack the United States. And both on the receiving end and on the sending end, a cyber attack doesn't have that payoff. Going back to Osama and saying, "Hey, I launched 16,000 attacks against electrical networks and one of them caused a blackout in Cloverdale, California for three hours," it's not going to get you there in the martyr's hall of fame. They're going to want to do something much more damaging. And that's a very frightening possibility, but cyber is not part of that.
Deputy Secretary of Defense (1997-1999)
On [Al Qaeda's] laptops, which we got our hands on, there were all these probing of sites dealing with programming of SCADA systems and control of SCADA systems within electrical and other power company scenarios. Should we be worried? ...
I think we should worry about it. But these are the same people that had drawings of nuclear power plants and treatises about how to make ricin out of castor beans. You know, it's very clear these people have been listening to us more intensively than, frankly, our own country has, about the risks and the threats we faced. The fact that there is evidence that they're aware of our debate doesn't mean that that is evidence of their capability.
I think we have to take a much more seasoned and dispassionate assessment before we simply jump to a conclusion that because there's a file where some guy is referencing the vulnerability of SCADAs or cyber attack, that that equals capability. I'd have to see a lot more evidence that indicated that just simply an awareness constitutes capability. ...
Sandia National Laboratories
I think that we shouldn't underestimate any adversary, especially one as sophisticated as Al Qaeda. This kind of group, if they don't have the innate knowledge to achieve a cyber attack, if they should choose to do so, can obtain that knowledge from other individuals. ...
FBI, National Infrastructure Protection Center (2001-2002)
As the director of the National Infrastructure Protection Center, I'm not aware of any terrorist organizations using any malicious activity to attack the infrastructures. However, they do use it. It's widely known. They use it for command and control and communication purposes within the various terrorist organizations. And they also use the Internet to collect information of potential targets, just like any other military operation. So that we need to be better prepared, not only in the government, but also in the private sector, to understand what information we're putting out there and are we telling our enemies too much.
Al Qaeda's expertise in using the Net for communication, does that translate into an expertise to use cyber as a weapon?
It certainly translates into a knowledge of the capability. I mean, there had to be some research done on the part of various terrorist organizations that use a command and control communications as to how they use it. I don't know that I'd call this sophisticated techniques, but obviously techniques that were more than just what the home user would normally know. But in doing that kind of research you also would be able to discern that you can use it for malicious purposes.
Why haven't terrorist organizations used it in that fashion? My opinion is that it doesn't have the impact that they're looking for. Most terrorist organizations want to have visuals, if you will, for the media, of loss of life and destruction of various buildings and so forth. If you have an attack in cyberspace you're not going to have those kind of visuals that terrorist organizations are looking for.
That's why what keeps me awake at night -- that if they use visuals in conjunction with a cyber attack, it can dramatically compound the impact of that.
How imminent a threat from Al Qaeda, the use of this weapon?
I don't know. I mean, that's the $64 million dollar question. We have known for some time that terrorist organizations have been looking at those things and trying to acquire the skills to utilize those kinds of tools or weapons.
Information Warfare Expert
Al Qaeda. What do we know about their capabilities?
Al Qaeda uses information technology and computers for a number of purposes. We know that they use them for communications. The FBI has two terabytes of data sitting that they're running analysis on. Everyone is very, very happy in the intelligence committee when an Al Qaeda computer is seized because they know that that's used for plans and communications.
Al Qaeda as a network has known connections to ISI, Inter Services Intelligence, which is Pakistani intelligence, which then has contacts established to some of these hacker groups that are then operating against other targets.
The belief is that if you accept that there is a connection between Al Qaeda and the ISI, and that the ISI would be, for example, operating against the Indians, Al Qaeda then has a conjoint interest with the ISI, either against India or other targets that Al Qaeda would be able to gain access to or task those computer hackers to do what they need done.
You mentioned that we have in our hands from laptops two terabytes, or whatever, of material. Do we know what that stuff is, or are we still stymied by the fact that they were sophisticated enough to code it?
As an example, the U.S. and British intelligence acquired in Manchester a copy of Al Qaeda's tradecraft manual. In the version that the U.K. and the U.S. released to the public of this tradecraft manual, the section on Al Qaeda's use of cryptography was removed because nobody wanted the world to see that Al Qaeda was communicating to its own members how to use cryptography. As a supporter of strong cryptography myself, I don't want to make an argument that would be interpreted as, "Well, you have to control cryptography." I mean, the worms are out of the can. You can't put them back in.
But they use sophisticated codes, and they use sophisticated cryptography, and they use sophisticated electronic mechanisms to communicate, including now, one-time-use electronic mail accounts that--
So give me one example of sophisticated cryptography using communications?
As an example of Al Qaeda using sophisticated technical means to communicate, one of the members of Al Qaeda was receiving what looks to be spam e-mail. That spam e-mail was not structured the way other spam e-mail is. I don't want to go into the forensic details on that. But, what it was is it looked like a link to a sex site where there was an image. And every time the piece of spam e-mail was sent, it was actually a mailbox flag. Because what that meant is that somebody had changed the message inside the image. The image was the same, the byte count was different. What happened was that the person receiving the message knew to go and pull the coded information back out because it was new. It was a mailbox flag. That's extremely sophisticated, and that's extremely difficult to track back using electronic means.
The basic information is that using a Web-based electronic dead drop, essentially, Al Qaeda members were clueing each other in that they were exchanging coded secret messages and planning information across what looks to be normal Web sites, and then they were informing each other of this through electronic mail. So there was no way for somebody intercepting the mail to figure out what was going on or looking at the Web site.
So they were getting it all using a pornographic Web site to transfer communications?
How did they do that?
Well, you can throw up any kind of a Web site on the Web that you want. You can use any one of numerous free mechanisms on the Web. They've been a big user of Yahoo Groups. They've been using Yahoo Groups where they set themselves up a little discussion group that was being used back and forth to plan their trips through Pakistan to Afghanistan.
The other sophisticated use that you were talking about is one time only e-mail addresses? How did that work?
Using actually very, very simple mathematics, two people could exchange a secret, whether it's over the phone or when they meet in person, so that in the future they would be able to coordinate creating e-mail addresses, whether it's at Hotmail or some other free service, such that only they would know what the next e-mail address was going to be, so that they would use an e-mail address once to send or receive a message, and then they would never use it again, so that there is no forensics and no way of looking at prior traffic to tell where the next traffic is going or coming from.
So what does it say about their ability to translate this into using cyberspace as a method of hitting us tactically?
If you looked at Al Qaeda as sort of going from the core outward, at the core of Al Qaeda, the communications amongst the core members, bin Laden and his inner circle, is occurring using non-electronic means because they recognize that intercept technology from the U.S., and the U.K., and other players is extremely sophisticated.
Where Al Qaeda gets interesting is, once you move out of that core, they become very, very high tech, because the group is acting without positive control, without somebody delivering specific orders. You'll hear this referred to as the franchise model, where Al Qaeda has partners or loose connections with other groups who will operate independently, who are given support. Those organizations are coordinated with using very, very sophisticated technical means. The technical means that they would use are such that they are already a participant in the very same communities that are exchanging computer vulnerabilities, vulnerable systems, other sorts of attack information, including knowledge of how to attack U.S. infrastructure.
So, the very fact that they're using very, very sophisticated communications technology, it doesn't happen in a vacuum. It occurs as part of a community. The same community that exchanges one set of information, is exchanging other information. I can't believe that Al Qaeda is only listening to a very, very small part of the chatter in the community and ignoring all the rest.
FRONTLINE : wgbh : pbsi
published apr. 24, 2003