Cyber Terrorism

Encryption, online messaging and terrorism

The UK Security Expo returns to London’s Olympia on 29-30 November 2017. Ahead of the show, Philip Ingram looks at some of the security issues that will form the discussions of UK Security Expo

At the end of April 2017, Europol’s Internet Referral Unit (EU IRU) coordinated a targeted removal of terrorist and violent extremism content online. Operating from Europol’s headquarters in The Hague, the teams jointly targeted accounts used by terrorist groups to radicalise, recruit and direct terrorist activities.

The tragic events so far this year in Westminster, Stockholm, Paris, Manchester and on London Bridge have maintained the extremist terrorist threat at the forefront of our minds. The EU IRU action is an attempt to try and reduce the possibility of further attacks by reducing the visibility of extremist propaganda.

European nations have started changing their laws to enable greater monitoring of internet messaging. The Germans, at federal and state level, have agreed to broaden the current law that governs the authorities’ ability to monitor phones and text messaging to include messaging apps.

So what are the issues that vex both the politicians and security authorities as they try to find ways of protecting the public and police alike?

Time for change
Following the sophisticated attack on London Bridge, Prime Minister Theresa May, in a statement made just after hosting the government’s emergency Cobra committee meeting, said: “The security intelligence services and police have disrupted five credible plots since the Westminster attack in March. We cannot and must not pretend that things can continue as they are. Things need to change and they need to change in four important ways.”

She went on to outline her four main points. The first dealt with the ‘evil ideology of extremist Islam’ and the second with not allowing this ideology ‘the safe space it needs to breed’, calling for more action from internet companies and an international agreement on tackling extremism in cyberspace. Her third point highlighted the need to deprive extremists of physical space not just in Syria and Iraq, but also at home in the UK. May’s fourth and final point emphasised the need to review the government’s counter-terrorism strategy as the threat ‘becomes more complex, more fragmented [and] more hidden, especially online’.

One thing is clear from her statement: the nature of the threat has morphed in recent weeks such that it has not come onto the radar of the already stretched security services. It may not be a resource issue but it is a capability issue in which resources play a part.

A recently published report by Pool Re examining the attacks and implications concluded that both the Manchester and London Bridge attacks were sophisticated, saying that Manchester’s marked ‘a significant change in recent UK attack methodology’, and London Bridge’s was ’indicative of a high level of planning and organisation’.

Combatting the ‘cyber caliphate’
It is vital for the intelligence services to identify any changes so they can retune their activities to include these developing threats. Part of that retuning will come from the internet. The so-called Islamic State (ISIS) has a huge cyber network hidden in encrypted communications channels. One that is popular is the Russian-owned Telegram, and where Twitter, Facebook and others are cooperating, they refuse. However, dealing with this issue is not simple due to encryption and the way extremists use invite-only communications groups. The authorities will have to look at how to penetrate the communications channels and not just close them, as when the channels are closed extremists simply move to new groups.

As the extremists’ physical safe places in Iraq, Syria and Libya get squeezed, they are developing their global caliphate in cyberspace. It is this cyber caliphate that is generating terror attacks by encouraging individuals who have had some form of physical connection to extremism and providing them with motivational propaganda and access to training materials that mean they only surface above the ‘background noise’ of activity when they execute their attack.

So far, the investigations have not commented on a coordinated thread linking all the attacks outside the conclusion that they have all been perpetrated by individuals espousing Islamic extremism. All the attacks seem to have been ‘inspired’ in some way and the extremists doing this are either ISIS and/or Al-Qaida. So, the question that occurs immediately is how do extremists inspire individuals to carry out such horrific atrocities?

A common denominator between all the attackers is they had some connection to internet encrypted communications apps such as WhatsApp and Telegram. These and other apps are used to disseminate extremist propaganda, to recruit supporters, to encourage individuals and groups to carry out terrorist acts, and, on occasion, to direct terrorist activities from afar.

In the aftermath of Westminster, Home Secretary Amber Rudd, speaking on the BBC’s Andrew Marr show, called end-to-end encryption on messaging services such as WhatsApp and iMessage ‘completely unacceptable’.

Responding to reports that the attacker Khalid Masood used WhatsApp, owned by Facebook, minutes before the attack, Rudd said: “There should be no place for terrorists to hide. We need to make sure that organisations like WhatsApp, don't provide a secret place for terrorists to communicate with each other. It used to be that people would steam open envelopes or just listen in on phones when they wanted to find out what people are doing - legally through warrants - but on this situation, we need to make sure that our intelligence services have the ability to get into situations like encrypted WhatsApp."

Jimmy Wales, the founder of Wikipedia, has a different view to encryption and described it as ‘the only moral thing to do’. He reported a previous conversation he had with David Cameron when he was Prime Minister, saying: “David Cameron said to me, “In our country, do we want to allow a means of communication between people which we cannot read?” My response was, well Prime Minister, that time is here and the bottom line is that it is now harder for the security services to do what they feel they want.”

However, it seems the Facebook founder Mark Zuckerberg bowed to pressure and said he will hire an extra 3,000 staff to combat extremist and distressing content, especially in videos posted on Facebook. He isn’t giving his encryption algorithms away but is starting to self-police content.

Monika Bickert, director of Global Policy Management, and Brian Fishman, counterterrorism policy manager with Facebook, outlined in their 15 June blog Hard questions: How we counter terrorism the measures Facebook were taking. This is a clear example for all.

Not all communications platforms are following suit as Rob Wainwright, the director of Europol told The Times newspaper. He said: “There are some that simply won’t co-operate with us. One in particular causing major problems for us is Telegram… [the messenger provides] some co-operation but nowhere near what we are getting from Facebook, Twitter and some of the others."

Removing content and breaking encryption is unlikely to solve the problem. Vasco Amador, from the cyber intelligence company Global Intelligence Insight, said: “Trying to break into and monitor encrypted traffic is very difficult, even if the encryption keys were provided. The volume of communications on these channels and others, promoting, encouraging and directing extremist actions is huge. The extremists are very good at providing very professional and well-targeted material aimed at manipulating vulnerable people into carrying out lone wolf type attacks. They also have increasingly sophisticated command and control networks in cyberspace.

“One way to deal with this type of threat and complement electronic monitoring is treat it like any traditional intelligence target. The people posting the material are human beings, utilising humint [human intelligence] techniques in an online environment reveals so much more detail than chance interception ever will, but it is training- and manpower-intensive. Extremists change their online identity frequently and those doing the inspiring are not badly disrupted when accounts are taken down.”

Moving forward
A cyber security roundtable event organised by the UK Security Expo in London mid June brought together a group of cyber security leaders from the government, National Cyber Security Centre (NCSC), academia, training providers, end-users and more. The opening issue they debated related to these statements from politicians, and the collective conclusion was that the soundbite cries that political leaders are coming out, with regarding policing messaging apps and encrypted communications, are all but impossible to achieve.

However, recent reports by the BBC make clear that ‘the UK is heading for a record number of terrorism-related arrests amid massive investigations into three attacks. New figures show that in the year to March 2017, police arrested 304 people - up a fifth on the previous 12 months’.

This matches the growth highlighted in the recently published Europol Terrorism: Situation and Trend Report 2017 which says: “In 2016, a total of 142 failed, foiled and completed attacks were reported by eight EU Member States. More than half (76) of them were reported by the United Kingdom. France reported 23 attacks, Italy 17, Spain 10, Greece 6, Germany 5, Belgium 4 and the Netherlands 1 attack. 142 victims died in terrorist attacks, and 379 were injured in the EU.”

It is clear the threat remains and will likely continue to develop. Therefore, this debate will continue for some time, and the perfect forum to explore the advantages and disadvantages of different approaches, as well as putting those who should know the answers under the spotlight, will be at the UK Security Expo on 29-30 November 2017 at Olympia in London.