The Grugq is an information security researcher and operational security expert. This is the second article in a series; Generation Jihad 2.0 can be read here. You can follow the author on Twitter here.
There’s a game where you have to predict how teenagers and twenty-somethings are going to communicate. If you play one way and get it right, you become rich. If you play another way and get it wrong, people may die.
The older analysts are struggling to keep up with the rapidly shifting ways in which the younger generation are communicating. When it emerged that the Paris attackers used encryption, it doesn’t read like an attempt at clandestine communication so much as youngsters using modern communications technology. They used an cell phone app to chat.
ISIS terrorists aren’t using TAILS and PGP-backed by YubiKey smartcards, they’re using Telegram and WhatsApp on smart phones. The communications tools of terrorists are not dictated by a need for high security, but rather by convenience and “secure enough, for now.”
For terrorist operations it is critical to maintain secrecy before the execution of the plot. However, after the plot has been completed, especially if it’s a suicide operation, there’s not much critical need for security. Preventing the plot from being foiled ceases to be a concern after it has completed. Unlike criminals (or traditional terrorists) who are concerned about prosecution, ISIS terrorists have only an immediate need for secrecy. One that can be satisfied by using unmonitored communication channels.
The Number of Communications Platforms is Too Damn High
It’s not uncommon for a suspected member of a terrorist cell we are monitoring in Belgium to have a dozen cell phones and 40 SIM cards. And many have moved away from using the phone altogether, shifting to communicating over Skype and various VoIP’s, WhatsApp, Twitter, and online games played through video consoles. Given the fast changing technologies, it’s difficult for the police to keep up.
Old intelligence collection techniques of wiretapping a landline migrated, successfully, to wiretapping cell phones and SMS. Then came the Internet, video game consoles, smartphones and apps. The explosion of communications platforms has completely wrong-footed the European intelligence agencies who lack the serious Signals Intelligence (SIGINT) capabilities of the NSA.
Suspected terrorists in Europe, young men, are playing online video games with their friends, some of whom are also suspected terrorists. These games have chat functionality. Security forces are caught off guard as no one was thinking of FIFA 15 as a terrorist communication tool. The reality is, almost anything young people use today allows them to chat with each other. This is less an encryption problem than an overabundance of communications options available to, and used by, young people.
The French found out long ago that no one is planning attacks over the phone any more. Most of these terrorists have been able to conduct their planning sessions face to face, obviating the need for encryption. When they do communicate they use whatever is convenient rather than whatever is most secure. For terrorists, maintaining secrecy is more important than privacy.
NSA SIGINT Product Sharing, Please Hold…
An additional complication is that when it comes to internet communications we generally have to enlist the help of our American friends. Managing information sharing between an intelligence service of one country and a police service of another can be challenging on several fronts, including from a legal dimension, but these are the problems of friends.
The Belgians are unable to monitor the internet services’ communications traffic and flows of themselves, instead relying heavily on SIGINT assistance from the NSA. This takes time. If the terrorist cell can keep their pool of burner phones compartmented or isolated from each other, and they rotate fast enough (as they appear to be doing) then they can stay a step ahead of the surveillance. Consistently the ISIS terrorists in Europe have shown that rapidly switching mobile phones is sufficient to avoid detection by the security forces.
Shared Context is Hard to Crack
Not only are the terrorists able to switch phones fast, they are able to preserve secrecy in the face of surveillance by relying on “shared context.” By using local dialects, oblique references, and slang, they are able to discuss a topic in the open without observers understanding the significance of the conversation.
Shared context is extremely powerful as a security mechanism. The speakers have the “key” to the conversation in their heads, and can decipher what is being said. This is similar to a form of communication used to bypass Soviet telephone taps: Aesopian Language. Anything used to evade KGB monitoring is more that sufficient to evade the Belgian Federal Police.
“Dick Pics” and Terror Plots
The wide range of communications tools available is one of the major factors hindering the counter terrorism response in Europe. But it is far from the only one:
- Too many communication channels
- Slow SIGINT assistance
- Aesopian language and shared context
- Short term security requirements
Crucially, these are not the most significant issues facing European counter terrorism officials. While the security forces are having difficulty keeping up with the myriad communications technologies employed by ISIS, the real problems are structural and deeper. These problems include the lack of Arabic speakers, the poor information sharing about suspected terrorists, years of poor counter terrorism investment, and other systemic failures. This has create a lax operational environment for terrorists in Europe.
This lax operational environment has more to do with the success of terrorists in Europe than any security precautions they’re taking.
Photo via Khalid Albaih