
ISSN 2421-4442

The biannual journal Sicurezza, Terrorismo e Società understands Security as a condition that results from establishing and maintaining proactive measures capable of promoting the well-being and quality of life of citizens and the democratic vitality of institutions; it addresses the phenomenon of Terrorism as a complex, long-term process rooted in the cultural, religious, political and economic dimensions that characterise social systems; it offers Society – both the community of scholars and practitioners and the wider one of citizens and institutions – tools for understanding and analysing these phenomena, scenarios, and guidelines for crisis management.

Sicurezza, Terrorismo e Società draws on contributions from scholars, policy makers, analysts, security practitioners and media professionals interested in the field of security, terrorism and crisis management. It is addressed to all those who work in these sectors, aiming to be a forum for participatory discussion that is open to debate.

The journal hosts contributions in several languages, preferring Italian and English; for each contribution an Executive Summary is published in both languages. The editorial staff particularly encourages interdisciplinary contributions, comments, analyses and research attentive to the main trends emerging from the world of practice.

Sicurezza, Terrorismo e Società is a biannual journal that publishes 2 issues per year. In addition to the two scheduled issues, special issues may be planned and published.

EDUCatt - Ente per il Diritto allo Studio Universitario dell’Università Cattolica
Largo Gemelli 1, 20123 Milano - tel. 02.72342235 - fax 02.80.53.215
e-mail: [email protected] (production) - [email protected] (distribution)
editorial office: [email protected]
web: www.sicurezzaterrorismosocieta.it
ISBN: 978-88-9335-822-4
Euro 20,00

SICUREZZA, TERRORISMO E SOCIETÀ
INTERNATIONAL JOURNAL
Italian Team for Security, Terroristic Issues & Managing Emergencies

ISSUE 1/2021

Milano 2021

EDUCATT - UNIVERSITÀ CATTOLICA DEL SACRO CUORE SICUREZZA, TERRORISMO E SOCIETÀ INTERNATIONAL JOURNAL – Italian Team for Security, Terroristic Issues & Managing Emergencies

ISSUE 1 – 13/2021

Editor-in-Chief:
Matteo Vergani (Università Cattolica del Sacro Cuore – Milan and Global Terrorism Research Centre – Melbourne)

Co-Editor and Scientific Director:
Marco Lombardi (Università Cattolica del Sacro Cuore – Milan)

Scientific Committee:
Maria Alvanou (Lecturer at National Security School – Athens)
Cristian Barna (“Mihai Viteazul” National Intelligence Academy – Bucharest, Romania)
Claudio Bertolotti (Senior Strategic Analyst at CeMiSS, Military Centre for Strategic Studies – Rome)
Valerio de Divitiis (Expert on Security, Dedicated to Human Security – DEDIHS)
Chiara Fonio (Università Cattolica del Sacro Cuore – Milan)
Sajjan Gohel (London School of Economics – London)
Rovshan Ibrahimov (Azerbaijan Diplomatic Academy University – Baku, Azerbaijan)
Daniel Köhler (German Institute on Radicalization and De-radicalization Studies – Berlin)
Miroslav Mareš (Masaryk University – Brno, Czech Republic)
Vittorio Emanuele Parsi (Università Cattolica del Sacro Cuore – Milan)
Anita Perešin (University of Zagreb – Croatia)
Giovanni Pisapia (Senior Security Manager, BEGOC – Baku – Azerbaijan)
Iztok Prezelj (University of Ljubljana)
Eman Ragab (Al-Ahram Center for Political and Strategic Studies (ACPSS) – Cairo)
Riccardo Redaelli (Università Cattolica del Sacro Cuore – Milan)
Mark Sedgwick (University of Aarhus – Denmark)
Arturo Varvelli (Istituto per gli Studi di Politica Internazionale – ISPI – Milan)
Kamil Yilmaz (Independent Researcher – Turkish National Police)
Munir Zamir (Fida Management&C7 – London)
Sabina Zgaga (University of Maribor – Slovenia)
Ivo Veenkamp (Hedayah – Abu Dhabi)

Editorial Board:
Gabriele Barni (Università Cattolica del Sacro Cuore – Milan)
Alessia Ceresa (Università Cattolica del Sacro Cuore – Milan)
Barbara Lucini (Università Cattolica del Sacro Cuore – Milan)
Marco Maiolino (Università Cattolica del Sacro Cuore – Milan)
Davide Scotti (Università Cattolica del Sacro Cuore – Milan)

© 2021 EDUCatt - Ente per il Diritto allo Studio Universitario dell’Università Cattolica
Largo Gemelli 1, 20123 Milano - tel. 02.7234.22.35 - fax 02.80.53.215
e-mail: [email protected] (production); [email protected] (distribution)
web: www.educatt.it/libri
Member of AIE – Associazione Italiana Editori
ISSN: 2421-4442
Digital ISSN: 2533-0659
ISBN: 978-88-9335-822-4

Cover: graphic design by Studio Editoriale EDUCatt

Contents

Perspectives on violent extremism

Barbara Lucini
QAnon: a sociological risk assessment of an extremist phenomenon

Abdullah Metin
West of ISIS: a discourse and operation analysis from occidentalist perspective

Daniele Maria Barone
EU economic losses in the haze of jihad

Tiziano Li Piani
Threat Assessment and Vulnerability Mapping for Sensitive Buildings against Terrorism in urban environments

Perspectives on cyberwarfare

Federico Borgonovo - Luca Cinciripini - Marco Zaliani
The SolarWinds hack: new frontiers of cyber warfare and geopolitical impacts

Cosimo Melella
Cyberwarfare: fighting in a new dimension

PERSPECTIVES ON VIOLENT EXTREMISM

Sicurezza, terrorismo e società 13 (2021)

QAnon: a sociological risk assessment of an extremist phenomenon
Barbara Lucini

Barbara Lucini (PhD in Sociology and Methodology of Social Research) is Senior Researcher at the Italian Team for Security Terroristic issues and Managing Emergencies – ITSTIME. She is adjunct professor of risk management and crisis communication at the Catholic University. She is currently the working group leader of Converge – COVID-19 Working Group, Itstime Working Group: COVID-19 and Viral Violence (https://www.itstime.it/w/converge/). Converge is a National Science Foundation-funded initiative headquartered at the Natural Hazards Center at the University of Colorado Boulder. She has been involved in the scientific coordination of several research projects (European and others) focused on crisis management, risk communication, risk perception, security, resilience, radicalisation and extremisms. Her research interests are oriented to sociology of disaster, disaster resilience, disaster management, extremisms and radicalisation. She has also studied the relation between terrorism and resilience, as well as political extremism. She is the author of several publications, including “Disaster Resilience from a Sociological Perspective: Exploring Three Italian Earthquakes as Models for Disaster Resilience Planning”, Springer International Publishing, 2014, and “The Other Side of Resilience to Terrorism: A Portrait of a Resilient-Healthy City”, Springer International Publishing, 2017.

Abstract
This article proposes a sociological reflection on the risk assessment of the QAnon phenomenon. The complexity of QAnon, its communication mechanisms and its relational and organizational peculiarities deserve closer study, considering the social categories and cultural aspects that intervene in the constitution of different forms of the same phenomenon. Through an analysis of the historical, social and cultural components of this phenomenon and a Google Trends analysis of searches on the subject of QAnon carried out in Italy, France, the United Kingdom and Germany, it has been possible to propose an interpretative model capable of orienting the assessment of the risk of radicalization and extremism, as well as the future scope of this potential threat, which increasingly appears to be a resilient extremist phenomenon.

Keywords
QAnon; radicalisation; extremism; violence; social movements; resilience

1. Introduction

The QAnon social phenomenon, which emerged in the United States between 2016 and 2017, deserves the attention of those who study extremism and radicalisation, given its polarising communicative characteristics and its violent manifestations, such as the assault on Capitol Hill on 6 January 2021.

Defining this phenomenon in its communicative and sociological components is not simple, because in recent years many definitions have overlapped, making it difficult to analyse QAnon and to understand its rapid evolution.

In addition, the pandemic context, which took shape more than a year ago, has accelerated certain polarising dynamics and provided strategic and operational opportunities to actors previously on the margins of the social ecosystem.

Since its appearance QAnon has shown itself to be a social and collective reality worth examining in depth for those who deal with extremism and related topics, such as radicalisation processes or manifestations of hatred, both physical and verbal, in online and offline environments.

For this reason, which is twofold in its theoretical and methodological meaning, it is considered useful to carry out a risk assessment analysis of QAnon, in order to better outline what prospects of development it may have in the short and medium term.

This study was conducted within the project Converge - COVID-19 Working Group – Itstime Working Group: COVID-19 and Viral Violence [1] and rests on the fundamental question of defining the QAnon phenomenon from a sociological perspective, considering the potential aspects of future threat both in the American context and internationally.

[1] This article is the result of some empirical considerations that emerged during the work the Author is conducting within the COVID-19 and Viral Violence Working Group (National Science Foundation funded Social Science Extreme Events Research-SSEER Network & CONVERGE/Natural Hazards Center at the University of Colorado Boulder, https://converge.colorado.edu/resources/covid-19/working-groups/issues-impacts-recovery/covid-19-and-viral-violence). This COVID-19 Working Group effort has been supported by the National Science Foundation funded Social Science Extreme Events Research (SSEER) network and the CONVERGE facility at the Natural Hazards Center at the University of Colorado Boulder (NSF Award #1841338). Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the NSF, SSEER, or CONVERGE. https://www.itstime.it/w/converge; https://converge.colorado.edu/resources/covid-19/working-groups/issues-impacts-recovery/covid-19-and-viral-violence.

An initial socio-cultural description of the phenomenon will be followed by a Google Trends search of the absolute search frequencies for the concept QAnon in Italy, France, the United Kingdom and Germany.

The results of this search will be useful indicators for examining the potential threat represented by QAnon from the perspective of a risk analysis that uses five analytical drivers:
1. adaptability;
2. change;
3. proactivity;
4. resilience;
5. self-financing.

These five dimensions are interwoven with the analysis of some relevant aspects of the QAnon phenomenon, such as: its organisation; the cultural beliefs and ideological influences spread through its online and offline circuits; and the interpretations of the day's events or of the great events of history (for example, the pandemic caused by the spread of the Covid-19 virus).

The resulting interpretative framework adds a new, sociological point of view on the QAnon phenomenon and on its scope as a potential future threat.

2. QAnon: religious cult, conspiracy theory, terrorist group or social movement?

Since the advent of this phenomenon and its first manifestations, many analysts, security experts and scholars of terrorism studies have worked on defining QAnon. Nevertheless, almost five years after its first moves, it remains difficult to define what QAnon is in a unanimous and recognised way.

In this regard, it is worth remembering that this complication is typical of all those extremist phenomena (religious, political, social, cultural) that institutions must study and understand in order to guarantee national security and stability.

The multiplicity of these phenomena, and the fact that they are weakly defined culturally but highly hybrid socially, makes them difficult to categorise; this produces a plurality of interpretations, which often do not help the planning and design of containment or counter-measures.

In recent years this dynamic has been very present in efforts to define the far right (Lucini, 2020) and what many newspapers have called the “black galaxy”, thereby underlining the many ideological, organisational and communicative nuances that make this extremist phenomenon increasingly pervasive in today's social life.

Moreover, the same unstructured approach to the desirable systematisation of a concept, from both a legal and a social point of view, can be seen with reference to the concepts and phenomena of radicalisation, extremism, hate crime and hate speech.

Indeed, over the decades multiple definitions and interpretations of these facts have been provided both by scholars and by the institutional agencies responsible for preventing and managing possible manifestations against the established national order.
With this important theoretical premise in mind, a risk assessment analysis nevertheless requires defining the object of study and proceeding within the boundaries of that definition.

The first consideration is to regard QAnon as a multiplicity of interpretative and communicative circuits founded on different cultural visions.

In particular, according to Wu Ming 1 (2020), QAnon is:
1. an alternate reality game that has become monstrous;
2. a particularly cynical business model;
3. a sect that practises forms of mental conditioning;
4. a reactionary mass movement that seeks to enter the institutions;
5. a potential terrorist network.

Relating this categorisation to the more general sociological context, the following dimensions can be identified:
1. the game becomes the communicative dimension, of sharing alternative spaces (online and offline) and of escape from reality;
2. the business model becomes the economic dimension of the phenomenon's survival and self-financing;
3. a religious dimension represented by the form of the sect;
4. a collective dimension represented by its being a social movement, bearing in mind that: “Though not all conspiracy theories are wrong, irrational, or harmful for society, many of them are in fact closely intertwined with some of today’s most powerful, destructive social movements.” (Sternisko et al., 2020); [2]
5. an organisational dimension identified in the potential terrorist network. The FBI has recently defined QAnon as a domestic terrorist threat.

[2] In English in the original text: “Though not all conspiracy theories are wrong, irrational, or harmful for society, many of them are in fact closely intertwined with some of today’s most powerful, destructive social movements.” (Sternisko et al., 2020).

What should be stressed is the simultaneity of all five dimensions, duplicated in both the real and the virtual environment, which makes this collective phenomenon original also for its potential for different forms of individual and collective manifestation.

Moreover, the peculiarity of being able to act on various communicative levels and distribution channels, from video games to sites selling gadgets, exponentially multiplies the target audience, ideally reaching each of us:

[...] as the psychologist Rob Brotherton has written, it potentially includes all of us. Conspiracy theories, writes the author of Suspicious Minds (2015), “resonate with some of the preconceptions built into our brains and with the shortcuts our thinking tends to take, and draw from the well of our deepest desires, our fears, our assumptions about the world and the people who live in it.” (Wu Ming 1, 2020).

This characteristic holds both on the spatial level, involving the online/offline duality, and on the temporal level, for which there is no definite limit but an infinite replicability.

In order to identify the QAnon phenomenon according to a sociological approach, it is useful to consider some aspects that emerge from the cultural perspective on collective protest actions proposed by Pilati (2018). Indeed, QAnon arises not only as a conspiracy theory in sharp opposition to the established order, but also as collective behaviour, that is: “collective behaviour is characterised by the presence of social aggregates of individuals [...]” (Pilati, 2018), as well as by the simultaneity of a collective action, which for Pilati (2018) “is a characteristic of social groups”.
Through this definition, under which the individual component has a strong symbolic and cultural value in QAnon, it becomes possible to carry out interesting transpositions of references to the cultural perspective, considering its main elements, which are frames and emotions.

Specifically: “The frames that guide collective action, collective action frames, are the set of meanings, values and beliefs oriented towards collective action and that legitimise the action itself.” (Pilati, 2018).

Frames are therefore interpretative schemes that take on the role of agencies of socialisation, whose purpose is to construct meanings that can be shared and spread.

The cultural perspective on collective protest actions (Pilati, 2018) uses, in addition to interpretative frames, the personal and social emotions associated with them.

Over the decades, the analysis of collective phenomena has shown that frames develop according to precise dynamics, which begin with their alignment: “Frame alignment takes place through four processes: frame bridging, frame amplification, frame extension, and frame transformation” (Snow et al. 1986, in Pilati, 2018).

These processes demonstrate the high degree of transformation and adaptation that affects a social phenomenon such as QAnon in its various stages of development.

Alongside this relational dynamism, a fundamental communicative dimension can also be seen, which serves to reinforce the symbolic meaning of frames, their sharing and their spread.

In particular, with reference to the spread of the QAnon phenomenon during the pandemic year 2020, it is clear that a precise communicative model was used as the basis also for the phenomenon's public communication and not only for internal communication among individual members:

In the process of communicating with the public, social movement activists produce discourses that are conflictual and in opposition to the dominant one. To do this, the movement expresses and communicates widespread frustrations and discontent, with the aim of promoting changes in the attitudes and practices of members and of individuals outside the movement. From this point of view, social movements are therefore central moments for the reconstitution of culture and are key agents of cultural transformation. (Eyerman and Jamison, 1998 in Pilati, 2018).
The processes of constituting cultural frames that are as accessible and shareable as possible on a large scale, combined with the communicative dimension as well as with techniques of informational manipulation and persuasion, make it possible to define QAnon as a social, collective phenomenon that oscillates along a continuum whose opposite poles are, on one side, collective protest actions and, on the other, activities set within a more structured social movement.

The level of radicalisation differs according to the cultural traits, and their mixture, used in different forms of the same QAnon phenomenon: for example, where it is constituted as a religious sect, the degree of radicalisation and extremism appears highest among those who adhere, but not so when QAnon takes the form of a cultural manifestation as an end in itself.

Finally, QAnon can be identified more generally as an imagined community according to the definition of Anderson (2016), set in the context of nationalisms, which considers the sense of belonging to a community and the definition of one's identity in relation to the group as based on the perception of individual members and on the collective imagination that takes shape.

3. Social History and Culture of QAnon

The definition proposed above finds its specificity in the historical and cultural sources that underlie the development of QAnon as it has been known since 2016-2017.

The cultural influences of the QAnon social phenomenon seem to have temporal roots that go back further than the last decade, with some of its visions reaching back to the late 1990s.

Indeed, from a cultural and social perspective, quite a few observers (Frankel 2021) have highlighted cultural, communicative, strategic and organisational similarities, probably unintentional, with some visions set out by the Luther Blissett Project.

The latter was born in Italy between 1994 and 1999 and is defined as follows: “Luther Blissett is a collective name, that is, a pseudonym used by an unspecified number of artists, underground magazines, operators of the virtual and collectives of American and European squatters since the 1980s.” [3] and again “Behind the pseudonym of Luther Blissett some members of the collective known as Wu Ming may have operated.” [4]

Its theoretical and practical orientations are then outlined as follows:

This Robin Hood of the information age waged a guerrilla warfare on the cultural industry, ran unorthodox solidarity campaigns for victims of censorship and repression and – above all – played elaborate media pranks as a form of art, always claiming responsibility and explaining what bugs they had exploited to plant a fake story. Blissett was active also in other countries, especially in Spain and Germany. [5]

The performative attitude, which echoes the artistic origin of the movement, recalls the images of the assault on Capitol Hill on 6 January 2021 and the mythologised figure of the shaman Jake Angeli.

The very reference, in the presentation of the Luther Blissett Project, to the figure of Robin Hood, who robbed the rich to give to the poor, rises to the myth of someone who sacrifices himself so that justice may be done.

[3] https://web.archive.org/web/20121125091449/http://www.liberliber.it/libri/l/luther_blissett/index.htm.
[4] https://web.archive.org/web/20121125091449/http://www.liberliber.it/libri/l/luther_blissett/index.htm.
[5] In English in the original text: “This Robin Hood of the information age waged a guerrilla warfare on the cultural industry, ran unorthodox solidarity campaigns for victims of censorship and repression and – above all – played elaborate media pranks as a form of art, always claiming responsibility and explaining what bugs they had exploited to plant a fake story. Blissett was active also in other countries, especially in Spain and Germany.” http://www.lutherblissett.net.

It is not only these historical connections, however, that establish a potential link between the QAnon phenomenon we know today and the Luther Blissett Project, which found its highest expression in the historical novel Q. For example, Frankel (2021) also underlines this similarity, which could also be unintentional and due to a certain reading of the novel Q: “The links between QAnon and Q extend far beyond alphabetic similarities. The book follows a subversive heretic as he joins a series of revolts across 16th-century Europe. Throughout, he is pursued relentlessly by a Papist agent called Q, a figure who manipulates facts and spreads disinformation to sow seeds of doubt in society and help maintain the dominance of the church, infiltrating and sabotaging every revolt, every uprising. Sound familiar? It should, because the Q of today’s QAnon has a similar origin story, and similar methods.” [6]

In this regard, this perspective can be explored further by considering six categories of similarity, which are expressed in certain passages of the novel Q. They are:
1. identity;
2. role of women;
3. organisational strategy;
4. violence;
5. communication;
6. financing.

The multiple forms of identity that coexist simultaneously within the QAnon phenomenon point to the absence of a single, well-defined body of identity in which to recognise oneself as a member of that specific community: “A different faith each time, always the same enemies, a single defeat.” (Blisset, 2014)

The endless wandering of the character who for many is the hero of the novel underlines how individual and collective identity is not a strategic priority of the original Q phenomenon. Faith, beliefs and values change each time, but not the enemies, who are instead confirmed despite all the historical and social changes that occur.

Bringing this tendency up to date, it can be stressed that the core of the QAnon phenomenon may be represented by its Christian origins [7] as regards the religious sphere, and by nationalist, far-right origins as regards the political sphere. This last aspect, however, requires a fundamental awareness: formally, the QAnon phenomenon born in 2016/2017 is apolitical and only later aligns itself with far-right movements, which however are not exclusive, because, as has been seen, the initial cultural matrix is set in the context of the far left and anarchism. [8]

Directly related to the theme of the identity underlying the QAnon phenomenon is the role of women, taken as a significant social component and recognised, also in organisational contexts, as those who can make essential contributions to the development of the phenomenon: “In this land that is no land, the power of women changes the course of events, imposes sudden twists on weary male reason, and confirms in my mind a deep feeling, savoured many times and elsewhere, about their superior virtues, the fruit of resources to which we are denied access.” (Blisset, 2014).

[6] In English in the original text: “The links between QAnon and Q extend far beyond alphabetic similarities. The book follows a subversive heretic as he joins a series of revolts across 16th-century Europe. Throughout, he is pursued relentlessly by a Papist agent called Q, a figure who manipulates facts and spreads disinformation to sow seeds of doubt in society and help maintain the dominance of the church, infiltrating and sabotaging every revolt, every uprising. Sound familiar? It should, because the Q of today’s QAnon has a similar origin story, and similar methods.”
The link between QAnon and female adherence is shown not only by the preceding literary quotation, but also by different forms of QAnon's infiltration into social worlds other than its original one: during the pandemic caused by the spread of the Covid-19 virus in 2020, QAnon showed a growing interest in entering the world of yoga (Greenspan and Landsverk, 2020), of alternative medicine and of the medical interpretation of the Covid-19 pandemic: “Marc-André Argentino, a doctoral candidate at Concordia University who researches extremism, has dubbed this phenomenon of women spreading QAnon in the wellness world “pastel QAnon” because they use pastel colors and softer language in their social-media posts.” (Greenspan and Landsverk, 2020). [9]

Gender is therefore an important element, both from a social perspective and for the evolution of the theories linked to the QAnon phenomenon.

[7] https://www.politico.com/news/magazine/2021/02/04/qanon-christian-extremism-nationalism-violence-466034.
[8] https://gen.medium.com/nazi-hippies-when-the-new-age-and-far-right-overlap-d1a6ddcd7be4?gi=sd.
[9] In English in the original text: “Marc-André Argentino, a doctoral candidate at Concordia University who researches extremism, has dubbed this phenomenon of women spreading QAnon in the wellness world “pastel QAnon” because they use pastel colors and softer language in their social-media posts.” (Greenspan and Landsverk, 2020).

The organisational strategy underlying QAnon is decidedly limited in its leadership, so much so that this phenomenon can be described as a headless creature that nevertheless lives thanks to reinforcement and the continuous spread of information. Indeed, it is a low organisational profile that characterises the QAnon phenomenon, and this characteristic brings attention back to the novel Q and to the way a single person can take on multiple identities:

I nod: – A secret agent active in the imperial territories. For how long?
– More than ten years, so I was told.
Again that dark foreboding, a crushing pressure behind the eyes. Metzger, Niemanson, Jost, Boekbinder, Lot. Many and one. Those I have been. Many and one. Anyone. The man in the crowd. Hidden in the community. One of ours. (Blisset, 2014).

The strategy that emerges is to keep a low profile in order to maximise the chances of spreading the message, while trying to understand the context and who is defined as the enemy.

Together with the organisational strategy, the two areas of communication and financing should be considered.

The communicative model used is that of a cryptic (Pitzianti, 2021), manipulative communication devoted to spreading disinformation.

A relevant aspect of how communication among adherents is managed resembles a communicative dimension underlined in the novel Q, namely that the importance and truthfulness of content give way to the need and urgency of dissemination: “It is fine that they do not know what they are talking about; what matters is that they keep talking about it. In the fog of widespread dissent one moves with ease.” (Blisset, 2014).

This passage underlines the theme of spreading dissent as a method of fostering the dissemination of messages, without forgetting the fundamental role that the dimension of violence has within this phenomenon. Symbolic, operational and communicative violence coexist in different contexts and in multiple forms, with the ultimate aim of widening the QAnon phenomenon's horizon of influence, exploiting every possible opportunity offered by the surrounding social and institutional environment:

Not to mention the refined minds that channel the hatred of the lowly, the dull rancour that has always smouldered, towards themselves, dividing them into factions and creating a thousand pretexts, and a thousand games, so that they vent it on one another, with bloodshed as gory as it is unmotivated, and never against those who hold the staff of command. (Blisset, 2014).

Intercepting states of need, deficiencies or dissatisfactions is an essential activity for the maintenance and evolution of the QAnon phenomenon; indeed, violent manifestations such as protests, riots and revolutions are the attractive socio-cultural milieu that can allow the circulation of underlying visions and beliefs, but also the necessary financing:

Financial incentives provide further fuel to the movement: Spreading disinformation can be an easy way to make money with relatively little overhead. Products that range from merchandise to supplements are being sold alongside conspiracy theories, and lifestyle influencers are marketing the theory. This is lucrative for those who want to capitalize on credulousness. (Paresky et al., 2021).10

An idea of how much organization is devoted to the financing and spread of QAnon can be had by visiting the store of the Deep State Mapping Project site,11 which sells a variety of products all bearing logos or slogans attributable to QAnon.

A historical reference to the necessary financing activities is also taken from the novel Q: “The whole mechanism is driven by money. Without money not a needle would be lifted in Antwerp, and perhaps in all of Europe. Money is the true symbol of the Beast.” (Blissett, 2014).

The six categories of similarity between the historical components of the novel Q and the contemporary Q phenomenon make it possible to confirm not only that the book circulated in environments more or less directly linked to QAnon, but also the profound complexity of QAnon today, well visualized by the Q-web map (version 7.07.2018).12

Finally, since QAnon is such a multiform and varied phenomenon, it merits further examination of the possibility that it will establish itself as a concrete future threat for countries other than the United States.

4. Google Trends: QAnon in Italy, France, the United Kingdom, Germany

Research via Google Trends is useful for better exploring what people search for on the web in relation to a given topic. It therefore makes it possible to understand which dimensions of the topic under study are searched for by an audience that is not well defined but very broad. For example, interest might arise from a wish to learn more or from simple curiosity, just as it could be the start of a more structured path of involvement.

10 In English in the original text: “Financial incentives provide further fuel to the movement: Spreading disinformation can be an easy way to make money with relatively little overhead. Products that range from merchandise to supplements are being sold alongside conspiracy theories, and lifestyle influencers are marketing the theory. This is lucrative for those who want to capitalize on credulousness.” (Paresky, P. et al., 2021).
11 https://deepstatemappingproject.com/product-category/posters.
12 https://www.dylanlouismonroe.com/q-web.html.

The search for the topic QAnon was carried out via Google Trends over a period of one year, from 18 March 2020 to 18 March 2021. The methodological criteria followed are these:
1. a focus on four European countries in order to better understand the penetration and spread of this phenomenon in contexts other than the American one. The countries considered are Italy, France, the United Kingdom and Germany. These countries were chosen in view of the data on the greatest spread of QAnon in Europe, as reported by analysts and experts (Molle, 2021);
2. QAnon was used as the only search term;
3. the search covered any type of product: for example, not only news searches but also searches for videos associated with the term;
4. when the frequencies with which the term was searched are lower than 1, they are rounded to the whole number 1.

The chart below shows the trend in search frequencies for the four selected European countries over the period from 18 March 2020 to 18 March 2021.

Chart 1 - QAnon – Google Trends, 18 March 2020-18 March 2021

The first interesting finding that emerges from reading the chart is that the trend in search frequency remains constant for each individual country considered, relative to the others. For example, the trend in Italy shows lower search frequencies in the year considered than the other three European countries.

The same can be said for France, the United Kingdom and Germany, with the latter showing consistently higher search frequencies throughout the period considered, compared with those of the other countries.

This is an important indication for those who wish to better understand the interest in this phenomenon and the potential for it to take on more systematic deviant and violent forms within European societies in the future.

In detail, several peak periods in search frequencies can be identified in relation to events that occurred and topics related to QAnon:
– end of March 2020: Oprah Winfrey debunks QAnon's main theory, the one about sex trafficking and sexual exploitation;13 some accounts of President Trump's supporters are turned into bots on the Russian model and spread the QAnon conspiracy theory;14
– mid-May 2020: the mainstream press attributes a significant role to the QAnon phenomenon and its potential impact.15 The topic of QAnon and Coronavirus is increasingly addressed in different venues;16 great attention is still paid to the matter of the Twitter accounts turned into bots to spread the QAnon theory;
– 22 July 2020: Twitter closes seven thousand accounts related to the QAnon theory and its supporters;17
– from July to October 2020 there is constant interest, increasingly high in Germany, concentrated on the correlation between QAnon and the far right, but also on the situation of the American elections. As for France, the main focus of interest is the origin of QAnon, but also the links with the far right and the rise of the QAnon phenomenon during the Covid-19 pandemic. In the United Kingdom, the French themes linked to greater knowledge of this phenomenon and of conspiracy theories in general recur. Attention is also paid to the spread of QAnon's theories and supporters in the United Kingdom, as well as to the banning of some Facebook and Twitter accounts. Finally, the topics related to QAnon in Italy concern its spread in other contexts and the closure of some Facebook and Twitter accounts of pro-QAnon supporters. In general, all four countries considered show greater awareness of the growing systematization of this phenomenon in contexts other than the United States; it was born as a set of theories but soon spread as a movement, increasingly structured around political lines;
– early November 2020: the main event related to the growing attention to QAnon is the winning of a Republican seat in Georgia by Marjorie Taylor Greene, 46, a supporter of QAnon's conspiracy theories;
– 6 January 2021: the culminating event is the violent assault on Capitol Hill by supporters of QAnon, , Boogaloo at the culmination of a violent revolt organized through groups via Gab or to contest the outcome of the latest American elections. It is also interesting to underline that this revolt was carried out without personal protective equipment, causing the spread of the Covid-19 virus among the law enforcement officers who intervened.

13 https://www.washingtonpost.com/nation/2020/03/18/oprah-winfrey-qanon-conspiracy.
14 https://www.businessinsider.com/power10-activists-transformed-accounts-bots-spread-conspiracies-2020-02?IR=T.
15 https://www.theatlantic.com/magazine/archive/2020/06/qanon-nothing-can-stop-what-is-coming/610567.
16 https://www.wumingfoundation.com/giap/2020/05/coronavirus-complottismo-qanon.
17 https://www.wired.it/internet/social-network/2020/07/22/twitter-qanon; https://www.bbc.com/news/world-us-canada-53495316.

This general analysis underlines how the peak periods in searches for topics related to the QAnon phenomenon are influenced by events that deal with QAnon or are directly attributable to it. Two aspects are worth recalling:
1. the search for information on the QAnon phenomenon as present in spheres and countries other than one's own;
2. a greater degree of sensitivity towards the QAnon phenomenon, growing over the course of the year considered (18 March 2020 – 18 March 2021).

Although it is not possible at present to demonstrate a clear link between the search for information on QAnon and similar topics and the level of adherence to or participation in the phenomenon, it is nonetheless interesting to note that a first form of socialization to the topic has taken place and that it can open onto very different paths and orientations, as the analysis of related topics and associated queries in the four European countries shows.

From a geographical perspective, it is interesting to identify, for each European country considered, the individual areas that recorded a higher frequency of searches on QAnon and related themes. For each country they are, in decreasing order:
– Italy: Trentino-Alto Adige, Friuli Venezia Giulia, Liguria, Emilia-Romagna, Marche, Tuscany, Lombardy and Lazio;
– France: Corsica, Languedoc-Roussillon, Île-de-France, Provence-Alpes-Côte d'Azur, Brittany, Rhône-Alpes, Alsace, Midi-Pyrénées, Lorraine, Aquitaine, Pays de la Loire, Auvergne, Lower Normandy;
– United Kingdom: Northern Ireland, Scotland, England, Wales;
– Germany: Berlin, Hamburg, Baden-Württemberg, Saxony-Anhalt, Bremen, Bavaria, Hesse, Saxony, Mecklenburg-Western Pomerania, Lower Saxony, North Rhine-Westphalia, Rhineland-Palatinate, Schleswig-Holstein, Thuringia, Saarland, Brandenburg.

The geographical data reflect the wide spread of interest in the QAnon phenomenon and in related themes, identifying an important indicator for the analysis of risk and of the potential future threat.

Attention now turns to the topics of the searches carried out in the four European countries, summarized in the table below.

Table 1 - Google Trends – Topics related to QAnon

Related topics; Italy; France; United Kingdom; Germany
45th President of the United States; Twitter; Shamanism – Religion; Adrenochrome – Chemical compound
Theory; Twitter Inc. Company; Tom Hanks – Actor; Xavier Naidoo – Singer
Shamanism – Religion; Québec – city in Canada; Conspiracy theory – Pizzagate; Conspiracy theory
Angelo; 4chan; Conspiracy
Wu Ming Band; RT television channel; Anonymous; Shamanism – Religion

The original aspect to underline in analyzing the most searched topics is the specificity represented by the individual countries and their cultural approach.

Indeed, looking at the list of the most searched topics in Italy, it is not surprising to find former US President Trump in first place: a sign of a tendency towards personalization and identification with mythical figures, which has an important cultural and historical anchoring for the country considered. The other topics concern further exploration of the QAnon theory and its more religious-spiritual side, investigated through searches on shamanism and religion. It is also interesting to note that in last place there is a reference to Wu Ming, a collective of artists and writers who have devoted writings and investigations precisely to the QAnon phenomenon.

The situation appears different in France, where the most searched topics are characterized by a focus on tools: attention goes to Twitter (for having censored thousands of accounts of QAnon supporters) and hence to a generic search on the microblogging platform, followed by a specific focus on the situation of QAnon in Québec, underlining in this case the relationship that France has historically maintained with its former colonies, bound not only by geopolitical ties but also by shared linguistic and cultural traditions. Finally, the prevailing topics searched also include two channels, 8chan and the television channel RT.

The United Kingdom presents a mix of topics related to the content of the theories linked to QAnon and the tools for its spread. A higher search frequency is found for the religious and spiritual component of the QAnon phenomenon, namely shamanism. In addition there is the reference to Tom Hanks, who is associated with QAnon because he is held to be a Satanist. This search is interesting because it meets two criteria for the success of the spread of the QAnon phenomenon:
– the personification of evil, so that by giving it a name and an image it can be set in sharp contrast to whoever promises to bring a solution to this dramatic situation;
– the cultural substrate that leads people in the United Kingdom to search for topics that are more specific to and typical of the American reality, such as Pizzagate, a conspiracy theory that spread in the aftermath of the 2016 American presidential elections.

Other searches in the United Kingdom focused on tool-related aspects, hence 4chan, an imageboard website to which the phenomenon of online activism represented by Anonymous is directly linked.

In Germany, a higher frequency appears for two topics that do not appear in any of the other countries considered: in first place is adrenochrome, considered by QAnon supporters an elixir of long life whose extraction would require the killing of children; in second place is the German singer Xavier Naidoo, who according to the national press refers in some of his lyrics to conspiracy and antisemitic theories.

Consideration of the most frequently searched topics is relevant for better understanding how the QAnon phenomenon is interpreted in the countries considered and which dimensions it activates.

Another interesting element of analysis is represented by the queries that are typed in directly and are associated with the QAnon phenomenon. In this regard, some interesting discrepancies can be noted with respect to the more general search by topic, since the queries give a better understanding of the interest of the user who is looking for information related to the main topic.

The table below summarizes the queries most frequently associated with the QAnon phenomenon in the four countries analyzed.

Table 2 - Google Trends – Queries associated with QAnon

Associated queries; Italy; France; United Kingdom; Germany
Qanon facebook Qanon Québec Qanon Qanon telegram Qanon twitter Qanon fr Qanon shaman Xavier naidoo Teoria qanon Qanon france v2 Trump twitter Wiki qanon Jake Angeli Qanon france v2 What is qanon Adrenochrom twitter conspiracy Qanon shaman Qanon français twitter Marjorie Taylor Qanon Greene bewegung

The most relevant aspects for each country are:
1. in Italy, a closer look at the tools and at what happened to the accounts of QAnon supporters on both Facebook and Twitter. An important reference remains that of personification, and so the figure of Jake Angeli, alias the Capitol Hill shaman, becomes a specific search theme;
2. in France the line remains that of a specific focus on the situation in Québec, considering that in January 2021 the Twitter account of Alexis Cossette-Trudel, described as a conspiracist influencer, was closed. In this regard, note however that the prevailing dimension in France remains that of tools, with references to Twitter and fewer to figures directly linked to QAnon;
3. in the United Kingdom too, curiosity persists about the conspiracy theories and their content, including the more religious and spiritual, with the addition of substantial searching on the figure of Marjorie Taylor Greene, 46, member of the House of Representatives for the state of Georgia since 2021 and an explicit supporter of QAnon;
4. in Germany there is an increase in the search for specific information on the channels used by QAnon for its spread, but also the personalization of the phenomenon through queries on the German singer Xavier Naidoo.

In conclusion, the analysis of the queries associated with the more general topic QAnon has confirmed certain historical, social and cultural tendencies present in the four selected European countries.

5. Final remarks: a sociological interpretive model of the QAnon phenomenon

The results that emerged from the analysis of the four European countries via Google Trends, combined with the theoretical perspective of collective action frames (Pilati, 2018) and of the emotions that orient behavior, prove useful and effective for proposing a sociological interpretive model that takes into account the aims of a risk assessment analysis.

In line with the five drivers identified for risk evaluation, namely adaptability, change, proactivity, resilience and self-financing, an interpretive model can be outlined in the chart below, one that can support theoretical and methodological reflection on the possible future and expansion of QAnon in countries other than the United States.

Chart 2 - Sociological interpretive model of the QAnon search via Google Trends

The chart clearly shows that four different scenarios can be discerned in relation to the four European countries considered. In particular, they refer to as many cultural and organizational models of penetration, communication and diffusion of the ideas and theoretical perspectives that drive QAnon's initial propulsive factor, namely myths:

QAnon's success is above all American, but more generally Western, and therefore Italian too. The reason? These myths (Satanism, communists trafficking children, Jews like George Soros who supposedly control the world, and so on) seem new, but are in fact old legends spread by Western anti-communist propaganda, the kind that raged during the Cold War, when the West was in conflict with the Soviet Union. (Pitzianti, 2021).

It can thus be noted that the models relate to the presence of three key elements:
– intercepting specific social needs that can serve as the cultural milieu in which to make one's beliefs take root. The pandemic caused by the Covid-19 virus has played a fundamental role in this process;
– the founding beliefs of QAnon's central core, which are changeable and adaptable to the context in which it is decided to spread them;
– the operational opportunities that make use of online communication channels in order to be developed and organized.

The interpretive drivers show that QAnon is a phenomenon in nuce with potential to spread, including in contexts other than the United States that nonetheless present social, cultural and economic conditions favorable to its development.

Indeed, the drivers of adaptability and proactivity are characteristic of this social phenomenon, which is founded on a great capacity to intercept change and foster it in the service of particular interests.

Change must be understood in a double sense:
– the external side, contextual to social and collective environments;
– the side internal to the QAnon phenomenon itself and its multiple forms.

This last peculiarity makes it particularly resilient, being able to adapt to different realities and thereby increasing the operational opportunities for radicalization and self-financing, in what could be an endless perpetuation.

The models of the four European countries considered highlight that there is a prioritization of the objectives and ideas to be spread according to cultural and social characteristics typical of each nation. Here the communicative modes of myths come into play, which can be of two kinds: public and strategic (Limes, 2020):

There are public myths, tales of feats and heroes handed down by the people for the people, functional to the cohesion of the community. And there are strategic myths, produced within the State for the State, which orient its geopolitics. (Limes, 2020).

Considering also the spectacularization of QAnon's myths and the use of symbols and logos to facilitate identity-based belonging to this phenomenon and its various native manifestations, it can be argued that QAnon too involves a diffusion of strategic myths that are contextual and adaptable to the cultural environment of reference: QAnon is a passepartout for political extremism (right, left), for religious-confessional extremism and also for environmentalist extremism.

These reflections, the current American situation and the difficulties of exiting (Watt, 2020) this group once a high level of radicalization has been reached show how QAnon can be considered a medium-to-long-term threat of some magnitude, considering the limits of the methods of countering and de-radicalization, its transformative capacity and resilience, but also the social and technological opportunities that the continuation of the pandemic crisis may bring to light.

Bibliography

Anderson, B. (2016), Imagined Communities: Reflections on the Origin and Spread of Nationalism, Revised edition, Verso Books, New York.
Blissett, L. (2014), Q, Einaudi, Torino.
Eyerman, R. and Jamison, A. (1998), Music and Social Movements: Mobilizing Traditions in the Twentieth Century, Cambridge University Press, Cambridge.
Frankel, E. (2021), QAnon: the Italian artists who may have inspired America’s most dangerous conspiracy theory, The Art Newspaper. Available online: https://www.theartnewspaper.com/feature/was-qanon-america-s-most-dangerous-conspiracy-theory-inspired-by-italian-artists.
Greenspan, R.E. and Landsverk, G. (2020), How QAnon infiltrated the yoga world. Available: https://www.insider.com/qanon-conspiracy-theory-yoga-influencer-took-over-world-2020-11.
Limes (2020), Tutti i miti portano a Roma, Limes, no. 2, GEDI Gruppo Editoriale, Roma.
Lucini, B. (2020), Extremisms, viral violence and pandemic: Fusion Extreme Right and future perspectives, in Sicurezza Terrorismo Società - Security Terrorism Society, International Journal Italian Team for Security, Terroristic Issues & Managing Emergencies, Educatt, Università Cattolica del Sacro Cuore, Milano, Vol. 12, Issue 2.
Molle, A. (2021), Il movimento terrorista QAnon: la sua evoluzione dal Pizzagate all’attacco al Campidoglio. Available online: https://www.startinsight.eu/il-movimento-terrorista-qanon-la-sua-evoluzione-dal-pizzagate-allattacco-al-campidoglio.
Paresky, P. et al. (2021), How to respond to the QAnon threat, Brookings. Available online: https://www.brookings.edu/techstream/how-to-respond-to-the-qanon-threat.
Pilati, K. (2018), Movimenti sociali e azioni di protesta, Il Mulino, Bologna.
Pitzianti, E. (2021), Chi sono e cosa vogliono i QAnon italiani?, Wired. Available online: https://www.wired.it/attualita/politica/2021/01/23/qanon-italiani-chi-sono-trump-complottisti/?refresh_ce=.
Snow, D.A., Rochford, E.B., Worden, S.K. and Benford, R.D. (1986), Frame alignment processes, micromobilization, and movement participation, in American Sociological Review, 51, 4.
Sternisko, A., Cichocka, A. & Van Bavel, J.J. (2020), The dark side of social movements: Social identity, non-conformity, and the lure of conspiracy theories, Current Opinion in Psychology, Issue 1, Vol. 6, Elsevier, Amsterdam.
Watt, C. S. (2020), The QAnon orphans: people who have lost loved ones to conspiracy theories, The Guardian. Available online: https://www.theguardian.com/us-news/2020/sep/23/qanon-conspiracy-theories-loved-ones?fbclid=IwAR2kJoepWfo-iYC9BHQeX1Fe_plGKSBWDMoF9A-WoclQY-WJck_5fX3CVAU.
Wu Ming 1 (2020), Il mondo di QAnon: come entrarci, perché uscirne. Seconda parte. Available: https://www.internazionale.it/opinione/wu-ming-1/2020/09/18/mondo-qanon-seconda-parte.

Web sources

https://www.bbc.com/news/world-us-canada-53495316.
https://www.businessinsider.com/power10-activists-transformed-accounts-bots-spread-conspiracies-2020-02?IR=T.
https://deepstatemappingproject.com/product-category/posters.
https://www.dylanlouismonroe.com/q-web.html.
https://gen.medium.com/nazi-hippies-when-the-new-age-and-far-right-overlap-d1a6ddcd7be4?gi=sd.
https://www.internazionale.it/reportage/wu-ming-1/2020/09/02/mondo-qanon-prima-parte.
http://www.lutherblissett.net.
https://www.politico.com/news/magazine/2021/02/04/qanon-christian-extremism-nationalism-violence-466034.
https://www.theatlantic.com/magazine/archive/2020/06/qanon-nothing-can-stop-what-is-coming/610567.
https://www.washingtonpost.com/nation/2020/03/18/oprah-winfrey-qanon-conspiracy.
https://web.archive.org/web/20121125091449/http://www.liberliber.it/libri/l/luther_blissett/index.htm.
https://www.wired.it/internet/social-network/2020/07/22/twitter-qanon.
https://www.wumingfoundation.com/giap/2020/05/coronavirus-complottismo-qanon.

Sicurezza, terrorismo e società 13 (2021)

West of ISIS: a discourse and operation analysis from occidentalist perspective

Abdullah Metin1

Abdullah Metin is Assistant Professor of Political Science at Çankırı Karatekin University. His research focuses on East/West debates, Occidentalism, and Comparative Politics. He is currently studying government forms and political systems in the Middle East.

Abstract

Studies on terrorist organizations have been constantly increasing as terrorism has become an imminent threat at the global level. One of these organizations, the self-declared Islamic State in Iraq and Sham (ISIS), has provided a great deal of data through its intensive media use. Although considerable research has been done on ISIS’ magazines, videos, and social media releases, less attention has been paid to its discourse on the West. Therefore, this paper aims to explore ISIS’ perception of the West from an Occidentalist perspective. To achieve this aim, numerical and text-based data was acquired by scanning the ISIS propaganda magazines Dabiq, Konstantiniyye, and Rumiyah. Also, an operational analysis was performed by mapping the locations targeted by ISIS’ actions. This article contributes to the literature on several points. First, while almost all of the studies analyze only the English-language magazines Dabiq and Rumiyah, this study also includes the Turkish magazine Konstantiniyye. Second, unlike other studies, this research also focuses on ISIS’ targeting of the Western way of life. Third, the study assesses ISIS’ attacks in the West by combining them with the content analysis of the magazines. Last but not least, it compares ISIS’ reaction to the West with the other Eastern reactions that persisted for nearly 200 years. The results disclose that ISIS considers its struggle against the West a religious and sacred war. It also targets the different core values and lifestyles of the West. Furthermore, ISIS’ discourse is repudiative, condemning, and challenging, whereas previous Eastern reactions to the West were eclectic and apologizing.

Keywords

Dabiq, Rumiyah, Konstantiniyye, terrorist propaganda, the Islamic State (ISIS), Occidentalism

1 Dr., Çankırı Karatekin University, Department of Political Sciences and Public Administration, [email protected], ORCID: 0000-0003-4426-6380.

Introduction

With the entire destruction of the feudal order in the 17th century, the West launched the modern era in politics, economics, philosophy, and everyday life. As modernity crossed the Western borders and spread out to the rest of the world, the ‘other’ societies needed to react to it. Many statesmen and intellectuals discussed the issue of modernization from the 18th century onwards, and in the 20th century, political party leaders, political and social movement leaders, and ideologues further sustained the discussion. ISIS, the movement around which this research revolves, has also reacted to this wave of modernity, and its perception of the West is examined here.

Even though ISIS became known in 2014, its history goes back nearly two decades. The organization was founded in 2000 under Abu Musab al-Zarqawi’s leadership, under the name of ‘Tawhed wa Jihad’, and joined Al-Qaeda in 2004. Abu Omar Al-Baghdadi led the organization after Zarqawi was killed in 2006 and changed the organization’s name to the Islamic State in Iraq (ISI). In 2010, Abu Bakr Al-Baghdadi was in the leadership position. Under his direction, the organization separated from Al Qaeda in 2011 and changed its name to the Islamic State in Iraq and Sham (ISIS) in 2013. Following its capture of Mosul in 2014, ISIS declared the Caliphate (Islamic State/IS).

ISIS started to use the media actively following the proclamation of the Caliphate. As is generally known, ISIS is not the first organization to actively use the media, as similar organizations have previously published magazines in different languages, particularly in English (Ingram, 2018, p. 5). ISIS’ media outlet, Al Hayat Media Center, first released Islamic State Reports (ISR) and Islamic State News (ISN) in June 2014. ISN was released as three issues, and the pages range from 6 to 10. ISR was released in June 2014 as well; its number of pages is in the range of 5-7.
These magazines, which are enriched with photographs of ISIS operations and news on ISIS-controlled areas, are not incorporated into this study because they do not provide enough data for analysis. Some other magazines released by AHMC, Al Naba in Arabic, Istok in Russian, and Dar Al-Islam in French, were not included in this study due to the language barrier.

The study involves three magazines: Dabiq, Konstantiniyye, and Rumiyah. The literature contains many papers, reports, and theses that have analyzed ISIS’ publications from different angles. Haroro Ingram has published a series of papers on ISIS. He (2016) asserts that the organization prioritizes dichotomy-reinforcing messages and plunges its readers into a bi-polar world. In his following article (2017), he identifies that ISIS’ messages are not only too offensive, but also synchronized with the actions. Therefore, we added an analysis of ISIS attacks in this paper. Besides, in one of his articles (2018), he focuses on ISIS’ propaganda after introducing the contents of the magazines. Lakomy (2019) also analyzed ISIS propaganda using several methods, and Colas (2017) applied a detailed content analysis to Dabiq, identifying the audiences ISIS aims to reach as English-speaking second-generation Muslims, Western policymakers, and a third group of current or would-be ISIS members. Vergani and Bliuc (2015) analyzed Dabiq to identify the use of emotions, internet jargon, and discourse on women. Abdelrahim (2019) examined the visual discovery strategies used in Dabiq and Rumiyah and found that the two magazines communicate ISIS’ messages through five common visual strategies: legitimation, false dilemma, obligation, derogation, and persuasion. Zelin (2015) stated that ISIS gives importance to visual propaganda rather than text-based propaganda.
He also revealed that although the execution videos are highlighted, the ratio of these videos is quite low in general visual usage. Winkler et al. (2016) made a visual analysis of the execution images. Their study claims that the primary aim of publishing execution images is to instill fear in the enemies rather than instill confidence in the fans. Moreover, by making quantitative and qualitative analyses, Damonhoury and Winkler (2018) discussed ISIS’ shari’a law enforcement, and Macdonald and Lorenzo-Dus (2019) analyzed the depiction of the Good Muslim in Dabiq. In his original study, Bregantini (2017) went beyond the formal magazines and analyzed ISIS propaganda through graffiti.

Whiteside (2016) discussed the change of ISIS from its establishment to 2015 and divided it into four parts: early growth (2002-2006), defeat and adjustment (2006-2010), expansion to caliphate (2011-2014), and contraction (2015-present). Some authors studied the change of ISIS’ propaganda over time. Wignell et al. (2017) unveiled that while ISIS has changed its strategic focus over time in response to its changing conditions, the organization’s underlying world view, values, and ultimate aims remain consistent and unchanged. Welch’s (2018) paper confirmed this by reporting that ISIS’ operational focus had shifted from administering a physical caliphate to inspiring attacks locally and abroad. Droogan and Peattie (2017) focused on the narrative themes of Dabiq and assessed how these have shifted over time.

Al-Dayel and Anfinson (2017) analyzed just one column of Dabiq, entitled “In the Words of the Enemy.” They noted that ISIS positions itself as a viable alternative to existing nation-states over hostile rhetoric. Yeşiltaş and Kardaş’s paper (2015) also corroborated this point, focusing on ISIS’s derecognization of the Sykes-Picot agreement.
Furthermore, it challenges the present Western political values in four main areas: (1) ISIS prioritizes theology to make primary rules (how society should behave) and secondary rules (how primary rules are made and enforced). (2) It proposes a radical religious identity and model of governance far beyond the confines of the secular society of states. (3) ISIS images apocalyptic geopolitics in considering its own religiopolitical caliphate as a new form of sovereignty. (4) ISIS’ ontology is neither the state nor the individual, but a (utopian) idea of the Ummah, which is understood as the unity statehood of Muslim countries (2015, pp. 82-86).

The think tanks SETA and ORSAM analyzed ISIS’ Turkish-language magazine Konstantiniyye. While SETA’s report introduced the magazines (Konstantiniyye, Dabiq, Rumiyah, and Al-Naba) in terms of form and content, ORSAM’s report analyzed Konstantiniyye numerically, rhetorically, and photographically.

A small number of studies focus on ISIS’ discourse on the West, which I aim to unveil. Baele et al. (2019) carried out a remarkable study that deals with ISIS’ propaganda on the West in the context of the clash of civilizations. Similar to this work, by using quantitative analysis, they plotted the conceptual network that ISIS uses to describe the West and found that it constructs a homogenous and reified negative Western identity. Hegghammer and Nesser (2015) analyzed ISIS-related attacks in the West and disclosed that it encourages its sympathizers to attack rather than planning the attacks centrally. In her MA thesis, Stein (2015) criticized the weaknesses of a “new war theory’s frame that delegitimizes non-Western actors and reliance on the idea of moral superiority as justification for many Western actions.” Rather than focusing solely on the Western side of the story, her thesis suggests (2015, p.
52) a new branch, called “empirical conflict theory,” that includes “the perspectives of all three sides; perpetrators, victims, and observers.”

Lorenzo-Dus, Kinzel, and Walker (2018) identified the other of Al-Qaeda and ISIS through the question “which groups and which identities are discursively they-ified/othered in online jihadist propaganda magazines?” They classified the groups referred to as ‘they’ into “(1) west, (2) non-group, (3) other groups, (4) themselves, (5) govt in the Middle East, (6) civilians, (7) apostates, (8) mujahidin and (9) Al-Qaeda”. The rates in Dabiq magazines are as follows, respectively: (1) 15.2%, (2) 28.9%, (3) 25.2%, (4) 15.2%, (5) 6.1%, (6) 2.6%, (7) 2.8%, (8) 1.9%. Considering that the West was referred to almost twice as frequently in Inspire, at 28.9%, as it was in Dabiq (2018, p. 527), they concluded that Al-Qaeda places more emphasis on presenting the West as the enemy of jihad than ISIS does.

As can be seen in the literature review, although considerable research has been devoted to analyzing ISIS’ media releases, the literature on its discourse on the West is still limited. Taking into account this theoretical gap in the literature, this study analyzes ISIS’ discourse on the West. The following research questions guide the study toward this purpose:

– Is ISIS fighting the West in retaliation for the West’s military operations against itself, or is it a war of values beyond the military operations?
– How does ISIS conceptualize the West?
– What values of the West does ISIS fight against?
– In what aspects does ISIS’ reaction against the West and modernization differ from other Eastern reactions?

The results of this study are commented on in the analysis section, and they are also handled from an Occidentalist perspective in the discussion section. Hence, an introduction to the Occidentalist perspective is in order.

Occidentalism is a discipline suggested by the Egyptian philosopher Hasan Hanafi in his 1992 book Muqaddimah fi Ilm al-Istighrab (Introduction to the Science of Occidentalism). As Occidentalism is a fairly new and not yet full-fledged discipline, no single definition has been agreed upon. Metin (2020) classifies the definitions as follows:

Definition One: Occidentalism is the study of the West by the East.
Definition Two: Occidentalism is the reflection of hostility against the West.
Definition Three: Occidentalism is the answer to the question: “How can Western values be developed and adopted?”

In his book, Occidentalism, Metin (2013) called for the establishment of Occidentalism as a full-fledged discipline and discussed it within the context of scientificity. He concluded that Occidentalism is first a scientific discipline in academicians’ hands, second a way of thought in the minds of (oriental) people in general, and third a counter-discourse in the speech of (movement and party) leaders as well.

Buruma and Margalit are two prominent authors who contributed to the second opinion. They (2005) considered Occidentalism as hostility against the West; hence the title of their book: Occidentalism: The West in the Eyes of Its Enemies.2 In their understanding, Occidentalism is against Reformation, Enlightenment, Capitalism, and Globalization.
Furthermore, it protests Western qualifications and achievements such as the Occidental city, capitalism, the Occidental mind, and ‘idolatry.’ They consider Hitler an Occidentalist like Bin Laden (2005, p. 16) because they both fought against the occidental cities and values. This perspective on Occidentalism is further discussed in light of the findings in the discussion section.

2 The subtitle of another edition is A Short History of Anti-Westernism.

Method

First and foremost, this paper ignores the conspiracy theories on whether ISIS’ discourse is determined by foreign powers and accepts its publications as the primary sources of its discourse. It also considers ISIS as a political organization, although it is not a sovereign state. The present paper has two main hypotheses. First, ISIS otherizes the West religiously. Second, ISIS’ reaction to the West is considerably different from the existing and historical Eastern reactions.

This study adopts a deductive approach by using both quantitative and qualitative methods. The qualitative content analysis was conducted by compiling ISIS operations and unveiling the discourse it uses. The quantitative method was used to produce statistical data from the magazines. To achieve this aim, the words ISIS uses to highlight othering the West were listed. The specified words are: crusader, Rome, Constantinople, ‘Malhamah’, West, democracy, civil, pluralism, secular, pagan, sexual, sodomy, modern, and alcohol/drug. While the first half of the words, up to ‘West’, expresses ISIS’ war against the West, the second half alludes to the Western way of life as seen through the lens of ISIS. The words crusader, democracy, secular, plural, sexual, and modern were scanned by their roots, so their suffixed forms were also included. For the word civil, the phrases civil society, civil state, and civil law were included, but the word “civilians” was excluded. The use of west as a ‘direction’ was ignored, and the word pagan also covers the words idol and idolatry.

The data has been obtained from ISIS’ official magazines: Dabiq, Rumiyah, and Konstantiniyye. Dabiq’s first issue was released in June 2014, and the final issue in July 2016. It has a total of 15 issues, and the page count ranges from 40 to 83. Konstantiniyye was released in the aftermath of ISIS’ loss of control over Dabiq after the Turkish military operations.
The first issue was released in June 2015, and the final issue in September 2016. It has a total of seven issues, and the page count ranges from 46 to 72. Rumiyah supplanted Konstantiniyye. Its first issue was released in September 2016, and its final issue in September 2017. It has a total of 13 issues, and the page count ranges from 38 to 60.

The analysis proceeded as follows: first, the frequency of the specified words in each issue of all magazines was calculated; next, the results were tabulated; and last, another table comparing the overall results of the three magazines was created. For the operational analysis, the locations where ISIS had carried out an attack were searched, singling out the ones that are supposed to be hate attacks. The attacks against the security units were excluded from the list. Furthermore, the numbers of casualties are not included because the attacked locations are more critical for the analysis.
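
The counting rules stated in this section can be applied mechanically, as the following Python example shows. It is an added illustration, not the author's tooling: the regular expressions, the capitalisation heuristic that separates the political "West" from the compass direction, the truncation of averages to one decimal (consistent with table figures such as 778/15 → 51,8) and the three sample texts are assumptions constructed here.

```python
import re

# Concepts from the Method section. Words the paper says were scanned "with their
# roots" take any suffix; the others match as whole words. The root spellings and
# the optional plural "s" are assumptions of this example.
_PATTERNS = {
    "Crusader": r"\bcrusader\w*",
    "Rome/Romans": r"\b(?:rome|romans)\b",
    "Constantinople": r"\bconstantinople\b",
    "Malhamah": r"\bmalhamah\b",
    "Democracy": r"\bdemocra\w*",
    # Only civil society / civil state / civil law count; "civilians" never matches.
    "Civil": r"\bcivil\s+(?:society|state|law)\b",
    "Pluralism": r"\bplural\w*",
    "Secular": r"\bsecular\w*",
    # "Pagan" also covers idol and idolatry.
    "Pagan": r"\b(?:pagans?|idols?|idolatry)\b",
    "Sexual": r"\bsexual\w*",
    "Sodomy": r"\bsodomy\b",
    "Modern": r"\bmodern\w*",
    "Alcohol/drug": r"\b(?:alcohol|drugs?)\b",
}
COMPILED = {name: re.compile(p, re.IGNORECASE) for name, p in _PATTERNS.items()}

# "West" as a direction is ignored. Assumed heuristic: count only the capitalised
# noun after "the", skipping "the West of ..." and place names like "the West Bank".
# Borderline cases still need a human coder.
COMPILED["West"] = re.compile(r"\b[Tt]he\s+West\b(?!\s+(?:of\b|[A-Z]))")


def count_terms(text):
    """Return {concept: number of matches} for the text of one issue."""
    return {name: len(rx.findall(text)) for name, rx in COMPILED.items()}


def truncated_average(total, n_issues):
    """Average per issue, cut (not rounded) to one decimal with integer arithmetic."""
    return (total * 10 // n_issues) / 10


def frequency_table(issues):
    """issues: list of issue texts -> {concept: (per-issue counts, total, average)}."""
    per_issue = [count_terms(text) for text in issues]
    table = {}
    for name in COMPILED:
        row = [counts[name] for counts in per_issue]
        table[name] = (row, sum(row), truncated_average(sum(row), len(issues)))
    return table


# Constructed sample "issues" (neutral analyst sentences, not magazine text).
SAMPLE_ISSUES = [
    "The article attacks the crusaders and the crusader media. It rejects "
    "democracy, democratic elections and secularism. Civil society is dismissed, "
    "while civilians are mentioned only in passing. The town lies west of the "
    "river, yet the West is blamed.",
    "Rome and the Romans appear alongside Constantinople. Idols, idolatry and "
    "pagan rites are denounced. Modernity and the modern state are criticised. "
    "The West Bank is named once, and the West again.",
    "Crusader jets are condemned. Alcohol and drugs are listed with pluralism, "
    "and civil law is rejected. Malhamah is invoked.",
]

if __name__ == "__main__":
    for concept, (row, total, avg) in frequency_table(SAMPLE_ISSUES).items():
        print(f"{concept:15s} {row} total={total} av={avg}")
```
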

Results

The results of this study are commented on in three categories. The first one analyzes the numerical results acquired by scanning the frequency of occurrence of specified words. The second one is textual analysis based on the results attained by scrutinizing essays in the magazines, and the third one is operational results attained by listing the locations targeted by ISIS attacks.

Numerical Overview and Analysis

In this part, the numerical results acquired by scanning the magazines are exhibited and commented on.

Table 1 - Dabiq Statistics

Concepts\Issues 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 Total Av.
Crusader 16 6 13 67 16 28 85 36 132 69 89 87 41 41 52 778 51,8
Rome/Romans 5 2 2 38 5 - 1 4 7 1 3 2 2 2 41 115 7,6
Constantinople 3 - 2 2 - - 3 1 - 1 1 - 1 - 3 17 1,1
Malhamah 1 - 9 9 - - 2 - 5 - - 1 - 1 - 28 1,8
West 1 - 6 14 8 3 17 19 18 7 24 47 - 23 33 220 14,6
Democracy 2 4 - 1 - 2 11 23 4 14 13 12 1 29 7 123 8,2
Civil ------ 2 3 1 - 1 1 4 - 12 0,8
Pluralism ------ 3 1 1 7 - 12 0,8
Secular 2 8 - 3 2 2 10 22 9 17 3 21 2 19 8 128 8,5
Pagan 2 - 2 1 - - 3 14 7 15 7 8 6 12 74 97 10,0
Sexual ------ 8 ------ 4 12 0,8
Sodomy - - 1 - - 4 9 - - 1 5 3 1 4 17 45 3,0
Modern, 1 - 7 2 2 3 2 4 7 3 3 2 114 7 58 3,8
Alcohol/drug 5 4 - 1 - 1 4 1 8 2 6 2 3 4 41 2,7

Source: Compiled by the author

Dabiq, selected as the name of the journal, refers to a town in the northern countryside of Aleppo in Sham. As mentioned in a hadith, one of the greatest battles between the Muslims and the crusaders will take place near Dabiq (Dabiq, 2014a, p. 4). The most commonly used word in Dabiq magazine is crusader, which is central to ISIS’ conceptual framework for the West, followed by the words West, secular, democracy, and Rome. The word modern is always used in a pejorative sense. The concept of pluralism, which is not mentioned in all issues, is used in the context of political and religious pluralism. Similarly, the concept of civil is encountered only in certain issues and is used specifically as civil society and civil law. Besides alluding to the West, the word pagan also describes ‘Rafidah’ and Hindus. It is possible to find examples such as «pagan democratic religion, pagan Church, pagan Papacy, pagan Christians, and the pagan nation of Denmark» when depicting the West and the Westerners. The word sexual, which is used only in two issues, collocates with the words revolution, deviance, and perversion. The concept of sodomy is used to refer both to the West and to the ISIS-controlled areas. Despite the low frequency of their use, the words alcohol and drug are used in almost all issues to mark the depravity of the West.

Table 2 - Konstantiniyye Statistics

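| Concepts\Issues | 1 | 2 | 3 | 4 | 5 | 6 | 7 | Total | Av. |
|---|---|---|---|---|---|---|---|---|---|
| Crusader | 17 | 24 | 25 | 32 | 6 | 11 | 13 | 128 | 18,2 |
| Rome/Romans | 7 | 2 | 1 | 4 | - | 1 | 4 | 19 | 2,7 |
| Constantinople | 18 | 3 | 1 | 3 | - | - | 1 | 26 | 3,7 |
| Malhamah | - | - | - | - | - | - | - | 0 | 0 |
| West | 3 | - | - | 13 | 1 | 3 | 1 | 21 | 3,0 |
| Democracy | 62 | 7 | 5 | 19 | 5 | 31 | 6 | 135 | 19,2 |
| Civil | - | - | - | - | 1 | - | - | 1 | 0,1 |
| Pluralism | - | - | - | - | 1 | 7 | - | 8 | 1,1 |
| Secular | 2 | 9 | 21 | 23 | 1 | 19 | 2 | 77 | 11,0 |
| Pagan | 35 | 8 | 2 | 5 | 9 | 4 | 1 | 64 | 9,1 |
| Sexual | - | 1 | - | - | - | - | - | 1 | 0,1 |
| Sodomy | - | - | - | - | - | - | - | 0 | 0 |
| Modern, | - | 2 | - | - | 1 | 11 | - | 14 | 2,0 |
| Alcohol/drug | 4 | 6 | 6 | 6 | - | 4 | 1 | 27 | 3,8 |

Source: Compiled by the author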

The Turkish-language magazine Konstantiniyye differs in content from the other two magazines. The magazine, which usually includes evaluations of Turkey’s situation, calls out to ISIS sympathizers in Turkey and invites them to the Caliphate territories. To that end, operations are also included to demonstrate the power of the Caliphate. In Konstantiniyye, the word crusader plays second fiddle to democracy. By describing Turkey not as a crusader but as an ally of crusaders, ISIS otherizes Turkey through democracy, secularism, and idols. Through these concepts, it aims to emphasize that the way of life in Turkey is not different from that in the West. While words such as civil, pluralism, sexual, and sodomy do not reach a significant frequency, the words alcohol and drug, along with words such as gambling, games of chance, and interest, are highlighted in almost all issues to display the depraved and non-Islamic nature of the Turkish way of life.

Table 3 - Rumiyah Statistics

Concepts\Issues 1 2 3 4 5 6 7 8 9 10 11 12 13 Total Av.
Crusader 16 45 31 21 28 18 14 16 29 60 36 30 39 383 29,4
Rome/Romans 1 5 22 6 - 10 2 224 2 3 4 63 4,8
Constantinople 1 3 2 - - - - - 1 - - - - 7 0,5
Malhamah - 1 11 ------ 12 0,9
West - 5 1 1 - 1 - - 5 2 1 1 2 19 1,4
Democracy 4 6 2 2 1 2 3 - 1 2 - 1 1 25 1,9
Civil - 1 ------ 1 0,07
Pluralism - 1 ------ 1 0,07
Secular - 2 4 2 2 4 ------ 14 1,0
Pagan 3 4 54 1 4 3 - 1 - 1 3 2 - 16 5,8
Sexual ------ 0 0
Sodomy - - - - 4 - - - 1 - - - - 5 0,3
Modern, 1 1 2 1 5 - - - - 1 - - - 11 0,8
Alcohol/drug - 1 1 - 2 - - - - - 5 2 - 11 0,8

Source: Compiled by the author

In Rumiyah, the word crusader keeps its central position. The words pagan and Rome come next, in that order. The words Constantinople, Malhamah, civil, pluralism, sodomy, modern, alcohol, and drug are barely used. Even the words West, democracy, and secular are below the frequency of 2.0, demonstrating that Rumiyah is a less theoretical magazine.

Table 4 - Statistical comparison of the magazines

| Concepts\Magazines | Dabiq | Konstantiniyye | Rumiyah |
|---|---|---|---|
| Crusader | 51,8 | 18,2 | 29,4 |
| Rome/Romans | 7,6 | 2,7 | 4,8 |
| Constantinople | 1,1 | 3,7 | 0,5 |
| Malhamah | 1,8 | 0 | 0,9 |
| West | 14,6 | 3,0 | 1,4 |
| Democracy | 8,2 | 19,2 | 1,9 |
| Civil | 0,8 | 0,1 | 0,07 |
| Pluralism | 0,8 | 1,1 | 0,07 |
| Secular | 8,5 | 11 | 1,0 |
| Pagan | 10,0 | 9,1 | 5,8 |
| Sexual | 0,8 | 0,1 | 0 |
| Sodomy | 3 | 0 | 0,3 |
| Modern, | 3,8 | 2,0 | 0,8 |
| Alcohol/drug | 2,7 | 3,8 | 0,8 |

Source: Compiled by the author

As Table 4 presents, while Dabiq is found to be the most theoretical of these three magazines, reflecting the discourse, philosophy, and ideology of the organization, both Rumiyah and Konstantiniyye devote more pages to operations, news from the headquarters and so-called provinces in other countries, interviews, and religious guidance to the members. While crusader is the central concept in defining the West, the frequency of its use decreases considerably from Dabiq to Rumiyah. The enormous decrease in the use of the words West, democracy, civil, pluralism, secular, pagan, sexual, sodomy, modern, alcohol, and drug indicates that the theoretical framework is less significant than the operational framework. When it comes to the battleground, the loss of Dabiq to the Turkish-backed Syrian opposition and the loss of some other areas may have instigated an upsurge in ISIS’ attacks. As military concerns have overridden the religious discourse, the theoretical framework seems to have completely disappeared in Rumiyah.

Textual Results and Analysis

As the numerical results reveal, the most central concept in ISIS’ perception of the West is ‘crusader’. Besides, as ISIS frequently labels its close other (Iranians) as Safawite or Rafidah, we can claim that ISIS establishes both its close and distant relations on historical dichotomies. ISIS grounds its hatred of the West on faith and values and rejects the other explanations: “... So you can continue to believe that those “despicable terrorists” hate you because of your lattes and your Timberlands” (Dabiq, 2016c, p. 33). This sentence evokes the words of a Taliban fighter, who says, “The Americans would never win, for they love Pepsi-Cola, but we love death” (Margalit & Buruma, 2005, p. 49). The clear message of the fighter’s expression is that “we do not envy the lifestyle, welfare, cities, the conformism of the West. On the contrary, we hate them. We have values worth dying for. We can dispense with our comfort, and that is what Westerners cannot.”

ISIS-like organizations, fighting against great powers, absolutely believe they will win. In their conviction, there may be short-term retreats and losses, but the triumph will be theirs in the long term. As mentioned in Konstantiniyye, “the mujahideen in the path of Allah may lose a conflict, a city or a region, but they will never be defeated. The pleasing ending and the triumph would ultimately always be theirs” (2015a, p. 22). Sayyid Qutb’s famous work, Milestones, had underlined a similar point: “Conditions change, the Muslim loses his physical power and is conquered, yet the consciousness does not depart from him that he is the most superior” (2016, p. 161). One of the sources of motivation for such organizations is that they dispense with their comfort, as mentioned above. The second source of motivation is that they believe they possess the most powerful weapon their enemies do not have: faith.
Islamic movements and theorists in particular strictly believe that the enemy is technologically perfectly equipped but morally and spiritually flawed. Indeed, this study shows that ISIS focuses on the moral flaws of the West. It believes that the spiritual is superior to the material and expresses this belief as follows: “materialist analysis believing that power is in weaponry and technology, forgetting that true power relies in the creed of tawḥīd” (Dabiq, 2014d, p. 39). In one subtitle, addressing the fighters with “Your Religion is Greater than Any Weapon They Possess” (Rumiyah 11, p. 57), faith is depicted as a kind of weapon. Likewise, one of the chapter titles of Milestones is «Faith Triumphant», which Qutb (2006, p. 157) explains: «it means to feel superior to others when weak, few and poor, as well as when strong, many and rich.»

ISIS gets that message across to the world with the headline «we are at the dawn of a new era.» Also, Al-Baghdadi states: «Today we are upon the doorstep for a new era, a turning point for the map of the region, rather the world. Today we witness the end of the lie called western civilization and the rise of the Islamic giant» (Dabiq, 2014d, p. 4). This turning point is expected to be the nullification of the Sykes-Picot Agreement and the destruction of the artificial borders (Dabiq, 2014a, p. 13).

Paralleling its struggle to that of the Crusaders and the Islamic armies in history, ISIS implies that history repeats itself. In this struggle, it presents itself as the representative of the Islamic Front. It also uses the phrase «modern crusaders» to emphasize that today’s struggle is an updated version of the historical one (Dabiq, 2015c, p. 57, Rumiyah, 2016c, p. 2).
The phrase crusader is deliberately preferred to stress that ISIS’ struggle is not an ordinary nationalist, statist defense, but a holy war, as enunciated in ‘Konstantiniyye’: «It is a crusader war being waged against Islam, against the ‘Ahl As-Sunnah’. You do not declare it, because you are weak» (Konstantiniyye, 2015a, p. 8).

The phrase Crusader is also frequently used as an adjective, as in crusader media, crusader jets, crusader city. Today ISIS uses the word crusader by expanding the frontline a little further. Japanese or Copts, who were not a part of the historical struggle, are described as crusaders. For example, «the Japanese crusader Shosei Koda», «the Japanese Crusader Kenji Goto Jogo», «Coptic crusaders». As an exception, Jordanian pilot Mu’ādh Sāfi Yūsuf al-Kasāsibah was also described as a crusader (Dabiq, 2015a, pp. 3-4-5-31). Although ISIS aims to invade Eastern territories, it by no means conceptualizes this struggle with a religious word, like crusader. It also should be noted that ISIS does not label Shiites and Turks as crusaders, but as crusaders’ puppets, dogs, and their apostate allies (Dabiq, 2014d, p. 41).

In ISIS’ struggle against the crusader, two cities are crucial: Constantinople and Rome. Based on a prophetic tiding in a hadith, ISIS states that it will conquer these two cities in that order (Dabiq, 2016a, p. 47). For Constantinople, two points are remarkable. First, ISIS prefers to use the ancient name of the city (Constantinople) over Istanbul. The second is that although the Ottomans had conquered the city, ISIS ignores it, does not consider Istanbul a part of Islamic territory, and plans to re-conquer it. This desire is versified in Konstantiniyye as follows: “Even though you have been under the occupation of the tawaghit [false deities/leaders] for a century, you will certainly have your freedom” (2015a, p. 7).

The magazines treat Rome as a name symbolizing both the ancient struggle in hadith and the conquest of the West today. Romans, crusaders, and westerners are sometimes used interchangeably. The prophesied war, which is expected to take place in Dabiq with the Romans, is regularly referred to. In Dabiq (2014c, p. 6), this holy war is named Malhamah (or Al-Malhamah Al-Kubra, the great battle before the Doomsday), which is the Islamic counterpart of the biblical war Armageddon, and described as follows (2014d, p. 35):

«These events all lead up to the final, most significant, and bloodiest battle between the Muslims and the Romans. This battle ends the era of the Roman Christians, as the Muslims will then advance upon Constantinople and thereafter Rome, to conquer the two cities and raise the flag of the Khilāfah over them.»

ISIS usually points to Rome as a target in its war against the West, but it updates its immediate goals and symbols by referring to the USA: «we will not rest from our jihad until we are under the olive trees of Rome after we destroy the filthy house called the White House». This updating seems a response to the rhetoric of the West. Following the 9/11 attacks, President Bush (Dabiq, 2014d p.
42) had named his war a crusade with his statement: «This crusade, this war on terrorism, is going to take a while.» ISIS positions itself as the Islamic front against the crusade front and calls this war a two-camp war. As Baghdadi (Dabiq, 2014a, p. 10) states:

«O Ummah of Islam, indeed the world today has been “divided into two camps and two trenches, with no third camp present: The camp of Islam and faith, and the camp of kufr (disbelief) and hypocrisy – the camp of the Muslims and the mujahidin everywhere, and the camp of the jews, the crusaders, their allies, and with them the rest of the nations and religions of kufr, all being led by America and Russia, and being mobilized by the jews.”»

ISIS proclaims «either you are with the crusade or you are with Islam» by referring to Bush’s statement «either you are with us, or you are with the terrorists» (Dabiq, 2015a, p. 54), and declares that there is not a third camp in this war, as evinced in the following titles: “Two camps With No Third in Between”, “The Extinction of the Grayzone”, “The Endangered Grayzone” (Dabiq, 2015a, p. 66). The denial of a way in between and the exclusion of all ‘colors’ is the most obvious sign that ISIS sees this struggle as strictly black and white, just like the colors of its flag.

Beyond the military challenge, ISIS targets the main principles, values, and lifestyle of the West. As can be seen in the numerical results, the most loathed concept is democracy, followed by secularism. In Dabiq, Konstantiniyye, and Rumiyah, the average frequency of democracy is 8.2, 19.2 and 1.9, and of secularism is 8.5, 11.0 and 1.0, respectively. Dabiq, the most theoretical magazine, censures pluralism and civility. Both are used with an average frequency of 0.8. In the other magazines, these words do not reach meaningful use.
Democracy, according to ISIS, is a religion that gives supreme authority to people rather than Allah: «If the majority decide sodomy is legal, it is legalized even though it contradicts Allah’s Sharī’ah» (Dabiq, 2016b, p. 34). ISIS also damns constitutional rule because it depends on the law competing with Allah’s Shari’ah (Dabiq, 2016b, p. 34).

ISIS rejects grayness and desires to coalesce in one color. It also criticizes pluralism: «The essence of pluralism is the legalization of opposing political parties within a democratic framework allowing all parties to express themselves regardless of their beliefs publically» (Dabiq, 2016b, p. 35). Two points stand out here. The first is the legalization of opposition, and the second is the expression of different beliefs. That means there is no place in ISIS’ political culture for the opposition and different faiths.

The ‘Human rights’ that do not fit in the Islamic sharia law have no place within ISIS’ system, let alone openly anti-religious trends such as apostasy, devil-worship, sodomy, and fornication (Dabiq, 2016b, p. 36). As ISIS draws a frame for its own politics, it does not accept the Western concepts of civil, civil society, and the civil-military distinction. As an organization that disaffirms opposition across the state, ISIS has a totalitarian ideology. Therefore, it negates civil initiatives, which would allow political participation and expand the sphere of civil society against the state. ISIS has been especially criticized for civilian casualties, but it legitimizes them as follows: «In Islam, there is no concept of civilian-infidel, that belongs to infidels. Whether the killings are described as «civilian» or «soldier» it makes no difference to us» (Konstantiniyye, 2016b, pp. 2-3).

Moreover, ISIS loathes the existing world order and the values lying behind it.
Dabiq magazine listed the reasons for this hatred and fighting under the section “Why We Hate You, Why We Fight You”, summed up as follows (Dabiq, 2016c, pp. 30-32).

1. We hate you, first and foremost, because you are disbelievers; you reject the oneness of Allah ... claiming that He has a son, you fabricate lies against His prophets and messengers, and you indulge in all manner of devilish practices.
2. We hate you because your secular, liberal societies permit the very things that Allah has prohibited while banning many of the things ... You separate between religion and state ... Your secular liberalism has led you to tolerate and even support “gay rights,” to allow alcohol, drugs, fornication, gambling, and usury to become widespread, and to encourage the people to mock those who denounce these filthy sins and vices. As such, we wage war against you to stop you from spreading your disbelief and debauchery – your secularism and nationalism, your perverted liberal values, your Christianity and atheism – and all the depravity and corruption they entail.
3. In the case of the atheist fringe, we hate you and wage war against you because you disbelieve in the existence of your Lord and Creator ... You witness the extraordinarily complex makeup of created beings and the astonishing and inexplicably precise physical laws that govern the entire universe but insist that they all came about through randomness.
4. We hate you for your crimes against Islam and wage war against you to punish you for your transgressions against our religion. As long as your subjects continue to mock our faith, insult the prophets of Allah, ... burn the Quran, and openly vilify the laws of the Shari’ah.
5. We hate you for your crimes against the Muslims; your drones and fighter jets bomb, kill, and maim our people around the world ... We fight you to stop you from killing our men, women, and children, to liberate those of them whom you imprison and torture, and to take revenge for the countless Muslims who’ve suffered as a result of your deeds.
6. We hate you for invading our lands and fight you to repel you and drive you out.

ISIS (Dabiq, 2016c, p. 33) declares that hatred will continue as long as the West keeps its values and attitudes: «our primary reason for hating you will not cease to exist until you embrace Islam. Even if you were to pay jizyah and live under the authority of Islam in corruption, we would continue to hate you. We would stop fighting you, but we would not stop hating you.»

ISIS opposes not only the values of the West but also its lifestyle. The most prominently opposed concepts are sexual freedom, sodomy, alcohol, and drugs. The locations targeted by ISIS attacks provide essential clues about the hatred of ISIS.

Operational Results and Analysis

Table 5 includes a limited number of ISIS attacks. While ISIS claimed many of these attacks, some of them were carried out by ISIS sympathizers. Indeed, ISIS gives its sympathizers living in Western countries a list of places to target: «large outdoor conventions and celebrations, pedestrian-congested streets, outdoor markets, festivals, parades, political rallies» (Rumiyah, 2016c, pp. 11-12).

Table 5 - Selected terror operations carried out by ISIS

| Date | Country | Location |
|---|---|---|
| May 2014 | Belgium | Jewish Museum of Belgium |
| Oct 2014 | Canada | National War Memorial |
| Feb 2015 | Denmark | Free Speech Forum |
| May 2015 | USA | Curtis Culwell Center (exhibition of cartoon images of the Prophet) |
| Aug 2015 | France | Thalys Train |
| Nov 2015 | France | Stade De France Football Stadium, Bataclan concert hall, Two restaurants |
| Dec 2015 | USA | Inland Regional Center |
| Jan 2016 | Turkey | Sultanahmet Square, targeting foreign tourists |
| March 2016 | Belgium | Metro Station and Airport |
| June 2016 | USA | Gay nightclub |
| July 2016 | France | Promenade des Anglais (on Bastille Day) |
| July 2016 | Germany | Music Festival |
| July 2016 | France | Church |
| Dec 2016 | Germany | Christmas Market |
| Jan 2017 | Turkey | Nightclub |
| March 2017 | UK | Outside the Westminster Palace |
| April 2017 | France | Champs-Élysées, targeting police officers |
| May 2017 | UK | Manchester Arena, targeting concertgoers |
| June 2017 | UK | London Bridge, targeting people in nearby bars and restaurants |
| Sep 2017 | UK | Underground Station |
| Feb 2018 | Russia | Kizlyar Church |
| March 2018 | France | Supermarket |
| Dec 2018 | France | Christmas Market |

Source: Compiled by the author

Prima facie, crowded places seem to be targeted, but two features of the attacked locations are notable. First, ISIS attacks symbolic centers such as the Champs-Élysées, London Bridge, Sultanahmet Square, and Westminster Palace. For example, a call for an attack is as follows: «Kill them on the streets of Brunswick, Broadmeadows, Bankstown, and Bondi. Kill them at the MCG [Melbourne Cricket Ground], the SCG [Sydney Cricket Ground], the Opera House, and even in their backyards.» (Rumiyah, 2016a, p. 17). For instance, the London attack is reported in Rumiyah as follows: «Khalid Masood, carried out an operation in the city of London, the heart of Crusader territory» (Rumiyah, 2017d, p. 28).

The second notable point is the similarity of the targeted locations: stadiums, concert halls, restaurants, pubs, art centers, nightclubs, festivals, parades, malls, and Christmas markets. ISIS targets these places because it considers them centers of immorality and perversion. To illustrate, a nightclub is defined in Rumiyah as «known even by the common people to be a place of sin and immorality, and that its model clientele is infidel men and women and other immune men and women» (2017b, p. 15). The hate speech may also be noticed in the reporting of the attacks. The following reports provide essential information: «one of the soldiers of the Khilafah targeted a famous nightclub in Istanbul while the Christians were celebrating their pagan holidays inside» (Rumiyah, 2017a, p. 37), «... targeted the mushrikin [polytheists] during one of their parties, celebrating the European New Year» (Rumiyah, 2017b, p. 12), «...detected an explosive device in the middle of a gathering of Crusaders in the British city of Manchester at a shameless concert at Manchester Arena» (Rumiyah, 2017f, p. 34). Additionally, a nightclub attack in the USA was commented on in Dabiq (2016c, p.
30) as follows: Shortly following the blessed attack on a sodomite, Crusader nightclub, American politicians were quick to jump into the spotlight and denounce the shooting, declaring it a hate crime, an act of terrorism, and an act of senseless violence. A hate crime? Yes. Muslims undoubtedly hate liberalist sodomites, as does anyone else with any shred of their fitrah (inborn human nature) still intact. An act of terrorism? Most definitely. Muslims have been commanded to terrorize the disbelieving enemies of Allah. According to ISIS, Western people have gone out of the fitrah. For exam- ple, that note is attached below the photograph of a shy-looking veiled girl «shyness, an aspect of the fitrah lacking in Western women» (Dabiq, 2016c, p. 24). The magazines strictly define Western people as morally corrupt due to the so-called deterioration of their nature, depicted with words such as dec- adence, indecency, obscenity, perversion, heathenish, and deviancy. WEST OF ISIS 45

Discussion

This article, which explores ISIS’ perception of the West, contributes to the literature on several points. First, while almost all of the studies in the literature analyze only the English-language Dabiq and Rumiyah magazines, due to the language barrier, this study also includes the Turkish magazine Konstantiniyye. The different languages might also mirror a richness of perspectives and add value to the existing analyses. Second, unlike other studies, this study also focuses on ISIS’ targeting of the Western way of life. This underscores the importance of the ‘moral’ mindset within which ISIS operates. Third, the study discusses ISIS’ attacks in the West by combining them with the content analysis of the magazines. Last but not least, it compares ISIS’ reaction to the West with the other Eastern reactions that persisted for nearly 200 years. This diachronic analysis helps contextualize ISIS’ frame of thought throughout a very distant temporal era, yet still forming the backbone of the organization.

The findings of this study are similar to those in Ingram (2016, 2017). He asserted that ISIS’ messages are too offensive and that it denies the multi-polar world. The textual results confirm this assertion. In fact, ISIS denies all different perspectives or visions of the world and gives the world this message: «either you are with the crusade, or you are with Islam.» Ingram’s other claim was that «ISIS’ all messaging also synchronized with the actions.» As indicated in Table 5, ISIS’ attacks in the West are not random; almost all of them contain the message of hatred of the West. So, the discourse in the magazines and the attacks go hand in hand. The research findings also correspond with those of Wignell et al. (2017) and Welch (2018). They had reported that ISIS’ propaganda has changed over time.
Likewise, this study revealed that the latter magazine Rumiyah, which allocates more pages for operations, is less theoretical than the former Dabiq. That seems to be directly related to the losses in the field, especially to the loss of Dabiq town.

ISIS claims that world history is at a turning point, at the dawn of a new era. Accordingly, Al-Baghdadi had asserted the decline of Western civilization and the rise of the Islamic giant. This assertion is as much of a challenge as it is of a big claim. In parallel with these claims, Yeşiltaş and Kardaş (2015) and Al-Dayel and Anfinson (2017) identified that ISIS challenged the contemporary political order by repudiating democracy and secular law and adopting an Islamic type of politics. As a political organization that prefers religious fellowship over citizenship, ISIS also derecognizes the existing national boundaries by frequently referring to the Sykes-Picot Treaty. One may suggest that ISIS desires to establish a new deal, led by Islamic civilization. No doubt attempts to achieve such an aim would require more conflict, which has already been discussed in Baele et al.’s study (2019) in the context of Huntington’s clash of civilization thesis.

Exceptionally, the findings of this study seem not to correspond with those of Lorenzo-Dus, Kinzel, and Walker. They revealed that «the West was referred to almost twice as frequently in Inspire at 28.9% than it was in Dabiq at 15.2%». Based on this finding, they suggest «ISIS were not as focused on the West as Al-Qaeda at those points in time.» They explain the method that brings out this result as follows: «we considered the lemma west, that is, the word “West” and all its morphological variants (westerner, western). The results were: 144 in Inspire and 76 in Dabiq» (2018, p. 527). There may be a methodological mistake here. That is to say, ISIS’ basic concept for describing the West is crusader.
In the magazines, the words West and crusader are used interchangeably (also see Table 1). Thus, the word West should be regarded to include the crusader.

Finally, in the introduction, we had introduced the occidentalist perspective, from which the results of the research would be discussed. In our understanding, ISIS’ perception of the West is not independent of the historical background. Therefore, it is useful to explain the background of the debate briefly. Modernity, which became visible in the 17th century and an undeniable fact in the 18th century, had forced the East into making a difficult choice: either to maintain the existing structures or to adopt the modern and foreign political, economic, and social systems. In fact, if it wished to continue its existence, the East was rather obliged to conform and had no freedom of choice. Indeed, Peter the Great in Russia, Selim III in the Ottoman Empire, Muhammad Ali in Egypt, Meiji in Japan, and Abbas Mirza in Iran all took mandatory reform steps, which were perpetuated by their successors as well.

Most intellectuals had also confirmed this newly established Western supremacy. In these countries, some intellectuals defended complete Westernization; others defended partial Westernization; some others found different formulas by appropriating the technique of the West without integrating their culture and morality, and another group tried to synthesize Western civilization with their cultures and religions. For instance, Ziya Gökalp, one of Ottoman positivism’s key players, symbolized the dominant Eastern intellectual reaction towards modernization by striving to preserve culture, belief, and technique together, as declared in the formula: «I am of the Turkish nation, Islamic community (ummah), and Western civilization» (1968, p. 48).
The endeavors of Gökalp and like-minded Eastern intellectuals were to keep pace with the new modern order while maintaining the national identity and religious or ideological independence.

As that of one of the most powerful empires of the time, the Ottoman reaction to modernization is worth mentioning. Several Ottoman intellectuals had reached an eclectic idea by defending Western ideologies such as liberalism (Sabahaddin Ali), socialism (Socialist Hilmi), nationalism (Ziya Gokalp) without rejecting Islam. Some others (Afghani, Abduh, Rashid Rida, Namık Kemal, Mehmed Akif) tried to reconcile Islam with the whole or part of modernity by paralleling Western democracy to the concept of mashwarah (consultancy) in Islam, rationalism to ‘aql (reason), humanism to the human praise of the Qur’an, science to ‘alm. This style was seen as apologetic because it espoused principles such as democracy, rationalism, humanism, and science as realities of the new deal. This apologetic style called out both to the West and to the inside. To the outside world, it translated as the East already adopting the values the West appreciates. As for the inside, it meant not only adopting the Western values, but most importantly doing so at the expense of their core values and identity.

As far as we know, none of the statesmen, the intellectuals, the parties, or movement leaders had ultimately rejected Western values during the aforesaid periods. However, in the 20th century, some religious, ideological, and nationalist revolts against the West began to appear. One of those groups was the Bolsheviks, who were not against the West per se, but against its capitalistic system. The same is true for Mao Tse-tung, who said, «I believe the is nothing but a paper tiger», and for the Khmer Rouge in Cambodia, who also hated capitalism and imperialism, but not the West itself. Also, for nationalists, the root cause of Western hatred was the phenomenon of imperialism.

The attitude of the Muslim Brotherhood, founded in Egypt in 1928, can be considered as a breaking point in the revolt against the West.
Unlike anti-imperialist, nationalist, and anti-capitalist movements, the Brotherhood completely opposed the Western world order and put Islam as a social order, even beyond being a faith. In particular, its uncompromising ideologue Sayyid Qutb took the West as a reference in no field. However, the political parties of the post-1950s Islamic world appeared to be more compatible with the Western values and The New World Order. They followed secular, democratic, and capitalist policies along with the Islamic discourse. Another breaking point was the Iranian Revolution of 1979. Khomeini, the leader of the revolution, abandoned the eclectic and apologizing discourse by establishing Iran on Islamic values.

As for ISIS, its discourse is quite far from eclecticism. As mentioned before, for ISIS, there are just two camps: the right path of Islam and the others. In Konstantiniyye (2015a, p. 9), eclecticism is rejected with these sentences: «democracy, communism, socialism, and none of the other ideologies and systems are incompatible with Islam. Each one is a different religion. Whoever converts to another religion would abandon his own religion. Believing concurrently in two religions is shirk (polytheism)». It should be noted here that ISIS does not only antagonize Western ideologies, but also opposes any different interpretations of Islam.

Another feature of ISIS’ discourse is that it is not apologizing but challenging. ISIS does not accept the supremacy of the ‘enemy’ in any field. It also does not recognize the criteria by which the enemy considers itself superior. The Quranic verse «so do not weaken and do not grieve, and you will be superior if you are [true] believers» (3:139) motivates them. With this motivation, ISIS challenges Western religions, lifestyles, political values, legislations, international laws, and institutions.
The most integral achievement that enables ISIS to challenge the rest of the world is the Caliphate and the territories it controls. Its very establishment means challenging the political, economic, legal, and social order of the epoch. Henceforth, ISIS’ challenge is not only theoretical; it has also had the opportunity to carry out its policies, such as not recognizing the national borders, repudiating nationalism and nationalist symbols altogether, upholding laws based on sharia, delivering municipal services, and minting its own money.

The challenge and hatred of ISIS correspond to the kind of Occidentalism described by Buruma and Margalit. In our understanding, the hatred is mutual, even if the authors have ignored the other side of the medallion. That is precisely the point Stein (2015) has criticized: the West’s new war theory delegitimizes non-Western actors and focuses on eradicating them. There seems to be a reciprocity between ISIS’ view of the West and the West’s view of ISIS, and the values that it claims to represent. Occidentalism should neither be considered as a hate discourse against the West, nor an imagination that otherizes the West, but as a discipline that studies the West. Buruma and Margalit describe Occidentalism as the so-called hatred of the Western values, and that corresponds to a parallel projection in the Western mind: Islamophobia. These two are likely interpenetrated. So, the question is whether radicalized organizations and individuals attack Western values, or groups of Western politicians, writers, and extremists who cannot tolerate multiculturalism cause such organizations to radicalize. In this context, further research on the participants of ISIS from the West may give a new dimension to terrorism studies.

References

Abdelrahim, Y. (2019). Visual analysis of ISIS discourse strategies and types in Dabiq and Rumiyah online magazines. Visual Communication Quarterly, 26(2), 63-78. doi: 10.1080/15551393.2019.1586546.
Al-Dayel, N., & Anfinson, A. (2018). “In the Words of the Enemy”: the Islamic State’s reflexive projection of statehood. Critical Studies on Terrorism, 11(1), 45-64. doi: 10.1080/17539153.2017.1338327.
Baele, S., Bettiza, G., Boyd, K.A., & Coan, T.G. (2019). ISIS’s clash of civilizations: Constructing the “West” in terrorist propaganda. Studies in Conflict & Terrorism, 1-34. doi: 10.1080/1057610X.2019.1599192.
Bregantini, L. (2017). Graffiti warfare of the Islamic State in the Western urban places. Sicurezza, Terrorismo e Società, 6, 21-38.
Buruma, I., & Margalit, A. (2005). Occidentalism: A short history of anti-Westernism. London: Atlantic Books.
Colas, B. (2017). What does Dabiq do? ISIS hermeneutics and organizational fractures within Dabiq magazine. Studies in Conflict & Terrorism, 40(3), 173-190. doi: 10.1080/1057610X.2016.1184062.
Dabiq. (2014a). Issue 1, The Return of Khilafah, July.
Dabiq. (2014b). Issue 2, The Flood, July.
Dabiq. (2014c). Issue 3, A Call to Hijrah, September.
Dabiq. (2014d). Issue 4, The Failed Crusade, October.
Dabiq. (2014e). Issue 5, Remaining and Expanding, November.
Dabiq. (2014f). Issue 6, Al Qa’idah of Waziristan: A Testimony from Within, December.
Dabiq. (2015a). Issue 7, From Hypocrisy to Apostasy: The Extinction of the Grayzone, February.
Dabiq. (2015b). Issue 8, Shari’ah Alone Will Rule Africa, March.
Dabiq. (2015c). Issue 9, They Plot and Allah Plots, May.
Dabiq. (2015d). Issue 10, The Law of Allah or the Laws of Men, July.
Dabiq. (2015e). Issue 11, From the Battles of Al-Ahzāb to the War of Coalitions, September.
Dabiq. (2015f). Issue 12, Just Terror, November.
Dabiq. (2016a). Issue 13, The Rafidah from Ibn Saba’ to the Dajjal, January.
Dabiq. (2016b). Issue 14, The Murtadd Brotherhood, April.
Dabiq. (2016c). Issue 15, Break the Cross, July.
Damanhoury, K. & Winkler, C. (2018). Picturing law and order: A visual framing analysis of ISIS’ Dabiq magazine. Arab Media & Society, 25, 1-23.
Droogan, J. & Peattie, S. (2017). Mapping the thematic landscape of Dabiq magazine. Australian Journal of International Affairs, 71(6), 591-620. doi: 10.1080/10357718.2017.1303443.
Göksun, Y., & Salihi, E. (2018). DEAŞ’ın Medya Stratejisi. [Media Strategy of DAESH]. Retrieved from SETA website http://www.setav.org.
Hanafi, H. (1991). Muqaddima fi ‘ilm al-istighrab. Beirut: Al Muassasah Al-Jami’iyyah li Al-Dirasat wa Al-Nashr wa Al-Tavzi.

Hegghammer, T. & Nesser, P. (2015). Assessing the Islamic State’s commitment to attacking the West. Perspectives on Terrorism, 9(4), 14-30.
Ingram, H. (2016). An analysis of Islamic State’s Dabiq magazine. Australian Journal of Political Science, 51(3), 458-477. doi: 10.1080/10361146.2016.1174188.
Ingram, H. (2017). An analysis of Inspire and Dabiq: Lessons from AQAP and Islamic State’s propaganda war. Studies in Conflict & Terrorism, 40(5), 357-375. doi: 10.1080/1057610X.2016.1212551.
Ingram, H. (2018). Islamic State’s English-language magazines, 2014-2017: Trends, & implications for CT-CVE strategic communications. The International Centre for Counter-Terrorism. Retrieved 19 July 2019, from https://icct.nl/publications/ doi: 10.19165/2018.1.03.
Islamic State News. (2014a). Issue 1, June.
Islamic State News. (2014b). Issue 2, June.
Islamic State News. (2014c). Issue 3, June.
Islamic State Report. (2014a). Issue 1, June.
Islamic State Report. (2014b). Issue 2, June.
Islamic State Report. (2014c). Issue 3, June.
Islamic State Report. (2014d). Issue 4, June.
Gökalp, Z. (1968). The Principles of Turkism. (R. Devereux, Trans.). Leiden: E.J. Brill. (Original work published 1923).
Konstantiniyye. (2015a). Issue 1, June.
Konstantiniyye. (2015b). Issue 2, August.
Konstantiniyye. (2015c). Issue 3, October.
Konstantiniyye. (2015d). Issue 4, December.
Konstantiniyye. (2015e). Issue 5, February.
Konstantiniyye. (2016a). Issue 6, May.
Konstantiniyye. (2016b). Issue 7, September.
Korkmaz, S.C. (2016). Terörün propagandası: DAEŞ terör örgütü ve Konstantiniyye dergisi. [Propaganda of terror: DAESH terrorist organization and Konstantiniye magazine]. (Report No. 204). Retrieved from ORSAM website http://www.orsam.org.tr.
Lakomy, M. (2020). Between the “camp of falsehood” and the “camp of truth”: exploitation of propaganda devices in the “Dabiq” online magazine. Studies in Conflict & Terrorism, 1-27. doi: 10.1080/1057610X.2020.1711601.
Macdonald, S. & Lorenzo-Dus, N. (2019). Visual jihad: Constructing the “good Muslim” in online jihadist magazines. Studies in Conflict & Terrorism, 1-25. doi: 10.1080/1057610X.2018.1559508.
Metin, A. (2013). Oksidentalizm. Pınar Yayincilik.
Metin, A. (2020). Occidentalism: An Eastern Reply to Orientalism. Bilig, 93, 181-202. doi.org/10.12995/bilig.9308.
Lorenzo-Dus, N., Kinzel, A., & Walker, L. (2018). Representing the West and “non-believers” in the online jihadist magazines Dabiq and Inspire. Critical Studies on Terrorism, 11(3), 521-536. doi: 10.1080/17539153.2018.1471081.
Rumiyah. (2016a). Issue 1, September.

Rumiyah. (2016b). Issue 2, October.
Rumiyah. (2016c). Issue 3, November.
Rumiyah. (2016d). Issue 4, December.
Rumiyah. (2017a). Issue 5, January.
Rumiyah. (2017b). Issue 6, February.
Rumiyah. (2017c). Issue 7, Establishing the Islamic State, March.
Rumiyah. (2017d). Issue 8, April.
Rumiyah. (2017e). Issue 9, The Ruling on the Belligerent Christians, May.
Rumiyah. (2017f). Issue 10, The Jihad in East Asia, June.
Rumiyah. (2017g). Issue 11, The Ruling on Ghanimah, Fay, and Ihtibab, July.
Rumiyah. (2017h). Issue 12, August.
Rumiyah. (2017i). Issue 13, Allah Cast Terror into Their Hearts, September.
Stein, A. (2015). Mirror, mirror: How framing conflicts through propaganda serves to legitimize violence and challenge existing perspectives in the case of Daesh and the West. (Unpublished master’s thesis). Utrecht University, the .
Qutb, S. (2016). Milestones. (A. B. Al-Mehri, Trans.). Birmingham: Maktabah Booksellers and Publishers. (Original work published 1964).
Vergani, M., & Bliuc, A. (2015). The evolution of the ISIS’ language: a quantitative analysis of the language of the first year of Dabiq magazine. Sicurezza, Terrorismo e Società, 2(2), 7-20.
Welch, T. (2018). Theology, heroism, justice, and fear: an analysis of ISIS propaganda magazines Dabiq and Rumiyah. Dynamics of Asymmetric Conflict, 11(3), 186-19. doi: 10.1080/17467586.2018.1517943.
Whiteside, C. (2016). Lighting the path: the evolution of the Islamic State media enterprise (2003-2016). The International Centre for Counter-Terrorism. Retrieved 2 January 2021, from https://icct.nl/publications/ doi: 10.19165/2016.1.14.
Wignell, P., Tan, S., O’Halloran, K.L., & Lange, R. (2017). A mixed methods empirical examination of changes in emphasis and style in the extremist magazines Dabiq and Rumiyah. Perspectives on Terrorism, 11(2), 2-20.
Winkler, C.K., Damanhoury, K., Dicker, A. & Lemieux, A.F. (2016). The medium is terrorism: Transformation of the about to die trope in Dabiq. Terrorism and Political Violence, 1-21. doi: 10.1080/09546553.2016.1211526.
Yeşiltaş, M., & Kardaş, T. (2015). The new Middle East, ISIL and the 6th revolt against the West. Insight Turkey, 17(3), 73-91.
Zelin, A.Y. (2015). Picture or it didn’t happen: A snapshot of the Islamic State’s official media output. Perspectives on Terrorism, 9(4), 85-97.

Sicurezza, terrorismo e società 13 (2021)

EU economic losses in the haze of jihad

Daniele Maria Barone

Daniele Maria Barone is an Italian Coast Guard officer and analyst at ITSTIME. He previously worked as a project manager and digital communication specialist in the private sector. He graduated in Marketing & Communication at IULM University, obtained a master’s degree in International Relations at ASERI Graduate School of Economics and International Relations – Catholic University of the Sacred Heart, and specialized in counter-terrorism studies by earning an Executive Certificate at the International Institute for Counter-Terrorism (ICT) – Herzliya. Given his experience in both corporate and institutional communication, homeland security, and geopolitics, his research interests are cyber-jihad, terrorism financing, and terrorist organizations’ communication strategies.

Abstract

The consequences of the terrorist threat go far beyond intangible factors. Behind the casualties, the symbolic and communicative charge brought by the perception of a looming jihadist threat reverberates in concrete impacts on the economy of a State, turning fear into costs or variations in economic standards at different levels. In these terms, it is fundamental to analyze the direct and indirect economic consequences of terrorist attacks in Europe, to quantify their repercussions and to identify which sectors should be accurately monitored to efficiently prevent and counter the destabilization spread by these violent events. From this perspective, based on previous research and surveys in different sectors (i.e. socio-economic, marketing, policy-making), this paper is aimed at suggesting which areas could be better monitored to depict the economic consequences of terrorism in the EU and to highlight which elements of the phenomenon are still over or underestimated.

Keywords Jihad, terrorist attack, European Union, economy

Introduction

Jihadist terrorist attacks perpetrated on European soil during 2020 have heightened fears that a new terror wave could be building across the EU.1

1 H. Warrell, S. Jones, E. Solomon, W. Mallet (November 6, 2020) Deadly attacks heighten fears of new European terror wave. The Financial Times. https://www.ft.com/content/076e1b00-2d54-449a-bab5-09920a10f4f7.

The multi-faceted outcomes of these dramatic events2 are reflected in both the short and long term in different internal and external aspects of EU member states, causing, to mention a few, the emergence of a culture of fear which affects political3 and voter priorities,4 a renewed interest by the media in Islamist-inspired terrorism, and the placing of the fight against homegrown and international terrorism at the top of the agenda of European policy-makers.5

Nevertheless, the consequences of the terrorist threat go far beyond intangible factors6. Behind the casualties, the symbolic and communicative charge brought by the perception of a looming jihadist threat reverberates in concrete impacts on the economy of a State, turning fear into costs or variations in economic standards at different levels.7

In this respect, the approximate total losses incurred in real GDP terms by EU member states due to terrorist events, from 2004 to 2016, is €180bn. Meanwhile, a single jihadist attack, such as the one that happened in Paris in November 2015, costs the national economy approximately €2.bn8.

An analysis of the direct and indirect economic consequences of terrorist attacks in Europe could help to create a framework based on measurable data that could be used to prevent and respond effectively to the destabilization spread in all sectors by these violent events.

From this perspective, based on previous research and surveys in various sectors (i.e. socio-economic, marketing, policy-making), this paper aims to suggest which areas could be better monitored to have a clear picture of the economic consequences of terrorism in the EU and to highlight which elements of the phenomenon are still over or underestimated.

2 GLOBAL TERRORISM INDEX 2019 BRIEFING. https://www.visionofhumanity.org/wp-content/uploads/2020/10/GTI-2019-briefingweb.pdf.
3 I.H. Indridason (March 2018) Does Terrorism Influence Domestic Politics? Coalition Formation and Terrorist Incidents. Journal of Peace Research (JPR). https://journals.sagepub.com/doi/10.1177/0022343307087183.
4 Z. Brzezinski (March 25, 2007) Terrorized by ‘War on Terror’. The Post. https://www.washingtonpost.com/wp-dyn/content/article/2007/03/23/AR2007032301613.html.
5 European Council - Council of the European Union. Response to the terrorist threat and recent terrorist attacks in Europe. https://www.consilium.europa.eu/en/policies/fight-against-terrorism/response-terrorist-threat.
6 T. Brück, F. Schneider, M. Karaisl (June 30, 2007) A Survey on the Economics of Security with Particular Focus on the Possibility to Create a Network of Experts on the Economic Analysis of Terrorism and Anti-Terror Policies and on the Interplay between the Costs of Terrorism and of Anti-Terror Measures – the State of Play of Research. DIW Berlin For the European Commission, Directorate General Justice, Freedom and Security. https://ec.europa.eu/home-affairs/sites/homeaffairs/files/doc_centre/terrorism/docs/sececon_full_report_en.pdf.
7 T. Krieger, D. Meierrieks (January 2019) The Economic Consequences of Terrorism for the European Union. Albert-Ludwigs-Universität Freiburg https://www.econstor.eu/bitstream/10419/191637/1/104712761X.pdf.
8 J. Karaian (November 26, 2015) The Paris attacks will cost the French economy more than $2 billion. Quartz. https://qz.com/559902/the-paris-attacks-will-cost-the-french-economy-more-than-2-billion.

1. Human drivers of insecurity and consumer behavior adaptation patterns

The civilian population is the first and most vulnerable segment affected by the perception of the jihadist terrorism threat. Although there is not a large literature on the correlation between jihadist terrorism and its economic consequences on citizens, studies and surveys on the proportionality between insecurity and consumption can help to draw a pattern of possible impacts that the perception of terrorism generates on consumer behavior.

With these premises, the psychological repercussions of a terrorist attack can trigger two opposing consumption impulses. The first impulse is related to the fact that experiencing loss of control leads to the abandonment of entrenched habits and to changing methods of purchase in order to feel safe. The second impulse is related to the perception of increased awareness of mortality, which sparks an impulse to enjoy limited and uncertain life to the fullest, developing into materialistic consumption behavior.9

These aspects were first monitored in the United States after the 9/11 terrorist attack, which caused American citizens to suffer psychological trauma that increased impulsive consumption and sedentary activities.10 In fact, the period between September 2001 and March 2002 in the US was characterized by a 67% stock jump for electronic retailers along with increased sales at home furnishings companies and discount chains11.

In Israel, researchers found that concerns with frequent terrorism increase people’s desire for control and may lead to avoidant behaviors, depending on consumers’ perceptions of whether they have some control over the odds of becoming a casualty in the case of a terror attack. Then, when individuals perceive their control to be low, they change their preferences and consumptions, drastically disrupting their normal buying habits, such as shopping in stores and malls, and migrating to online buying.12

9 U. Dholakia (December 1, 2015) How Terrorist Attacks Influence Consumer Behaviors. Psychology Today. https://www.psychologytoday.com/us/blog/the-science-behind-behavior/201512/how-terrorist-attacks-influence-consumer-behaviors.
10 M.B. Perrine, K.E. Schroder, R. Forester, P. McGonagle-Moulton, F. Huessy (2004) The impact of the 11 September 2001, terrorist attacks on alcohol consumption and distress: Reactions to a national trauma 300 miles from Ground Zero. Journal of Studies on Alcohol and Drugs. https://www.jsad.com/doi/abs/10.15288/jsa.2004.65.5.
11 J. Chartier (September 11, 2002) Goodbye, cocoon boom?. CNN Money. https://money.cnn.com/2002/08/26/news/9-11retail.

1.1 The consequences of a jihadist attack on EU citizens

In the EU the number of terrorist attacks (not only jihadist) fell to 119 in 2019, the fewest number of attacks in years. Thus, even though terrorism still remains a global security threat, the EU is recording its lowest number of incidents since 2012.13

Nonetheless, since 2004, attacks in Madrid, London, Paris, Brussels, Nice, Berlin, Vienna, and other European cities, combined with the extensive coverage of terrorist attacks through media and social media channels, have led to an exponential growth of eyewitnesses of terror attacks. So, even those EU citizens not directly involved in attacks may be psychologically affected and likely to assume the abovementioned consumption patterns.14

In this context, a paper produced by RAND Corporation at the request of the European Parliamentary Research Service (EPRS)15 reports that consumer purchasing habits remained relatively stable across the EU and sometimes even increased in the aftermath of a terrorist attack that occurred on European soil.

However, although there is no clear indication of the mechanisms behind this increase, it is believed that terrorist attacks may heighten awareness of mortality,16 generating, as reported after 9/11 in the US, an impulse to acquire and collect materialistic possessions. In this regard, studies have found that materialistic behavior leads to negative psychological effects on individuals, emphasizing stinginess and jealousy. Moreover, this tendency to overspend is likely to increase people’s debts.17

Regarding the consumption variations, the 1999 research “Terror Management and Marketing: He Who Dies With the Most Toys Wins”18 demonstrated that luxury items are evaluated more favorably by individuals who are subtly reminded of their own impending mortality. This reaction, in general, is related to a trend towards saving less and consuming more in the present time, inducing a distortion of consumers’ choices on investment, savings, and consumption.

In these terms, the research by RAND Corporation found that individuals tend to report lower levels of all the abovementioned variables in European countries that experience relatively more terrorism, and that these effects last only in the short term.

12 M. Herzenstein, S. Horsky, S. Posavac (2015) Living with Terrorism or Withdrawing in Terror: Perceived Control and Consumer Avoidance. Journal of Consumer Behaviour. https://ssrn.com/abstract=2663516.
13 (2019) Number of failed, foiled or completed terrorist attacks in the European Union (EU) from 2010 to 2019, by affiliation. Statista. https://www.statista.com/statistics/746562/number-of-arrested-terror-suspects-in-the-european-union-eu.
14 M. Hafner, E. Disley, S. Grand-Clement, K. Cox, B. Baruch. The cost of terrorism in Europe. RAND Corporation. https://www.rand.org/randeurope/research/projects/the-cost-of-terrorism-in-europe.html.
15 P. Bakowski, W. Van Ballegooij (May 2018) The Fight Against Terrorism: Cost of Non-Europe Report. RAND Corporation at the request of European Parliamentary Research Service (EPRS) https://www.europarl.europa.eu/RegData/etudes/STUD/2018/621817/EPRS_STU(2018)621817_EN.pdf.
16 E.C. Hirschman (June 1990) Secular Immortality and the American Ideology of Affluence. Journal of Consumer Research. https://www.jstor.org/stable/2626822?seq=1.
Nonetheless, these consequences can be amplified in terms of duration or negative economic impact due to counter-terrorism measures applied in the aftermath of a terrorist attack.

In fact, besides the sense of mortality, the consumption growth is also related to the positive correlation between terrorist acts and people’s life satisfaction, happiness, trust in other people,19 as well as in communities and national political institutions. In this regard, CT measures can give the perception of a limitation to personal freedom and, in some cases, bring a detrimental impact on the fundamental rights of suspects, particular groups and communities, and society at large.

Then, even with less evidence, from this perspective, there are reasons to consider how these variations can decrease labour productivity and ethnic gaps in labor markets, impacting negatively on social and labour market improvements.

Another aspect related to the workforce is that workers affected by the attacks have to go on sick leave during a certain period of time, causing important wage losses that, apart from being compensated by social benefits, should be taken into account when assessing the costs of the terrorist acts20.

In these terms, the total costs related to fatalities and injuries caused by terrorism in the EU from 2004 to 2019, expressed as the average income per worker, multiplied by the average life expectancy, is estimated to be about €4.7 billion. More than half of the cost of fatalities and injuries (about €2.5 billion) was incurred between 2013 and 2019.

17 M.L. Richins (September 2011) Materialism, transformation expectations, and spending: Implications for credit use. Journal of Public Policy Marketing. https://journals.sagepub.com/doi/full/10.1509/jppm.30.2.141?casa_token=IDn3TGYpXxwAAAAA%3AUWhrmlXfc5I-inz-JkjnUFh5hxS6EiWfTU58pIIGqC0kEgc9Pef6bWgBwymIuWAl6kVr1mLMr8yHr.
18 N. Mandel, S.J. Heine (1999) Terror Management and Marketing: He Who Dies With the Most Toys Wins. Advances in Consumer Research Volume 26. https://www.acrwebsite.org/volumes/8314/volumes/v26/NA-26.
19 A.E. Clark, O. Doyle, E. Stancanelli (August 25, 2017) The Impact of Terrorism on Well-being: Evidence from the Boston Marathon Bombing. UCD GEARY INSTITUTE FOR PUBLIC POLICY DISCUSSION PAPER SERIES. https://www.ucd.ie/geary/static/publications/workingpapers/gearywp201708.pdf.

1.2 Strengthen social resilience by including targets of jihadist attacks in the focus

In this context, direct or indirect consequences of terrorist activity on citizens are likely to disrupt in the short term crucial production inputs like capital and labour, while the effects of increasing risks and fear seem to affect a number of industries and sectors of the economy.

So, understanding the negative impact on the population is crucial to prevent the micro- and macro-economic effects of jihad on the private sector. In the counter-terrorism field, improving the knowledge on the economic repercussion of terrorism in the EU could enlarge the range of effectiveness of security measures in both the short and long term.

Beyond resulting in more relevant, coherent, effective, and efficient action in the fight against terrorism, this point of view, by taking care of those affected directly or indirectly by terrorism, reduces the material and immaterial impacts of jihad, aiding the dissipation of fear in the short term, while preventing ethnic social divisions, which is one of the long-term outcomes of jihadist terrorist attacks, stepping toward a resilient pan-European path of social inclusion.

2. Estimating the impact of terrorism in the private sector

Research and surveys so far highlight how the negative impact of jihad on the EU economy creates a trickle-down effect on people and fields of business that can vary with the maturity of an economy but also with the nature and target of the attack.

In this context, security economic literature proves that terrorism effects are amplified not only by the single terrorist attacks but by the perception of the threat of terrorism, generating an economic impact also in the form of counter-measures that economic agents, policy-makers, and consumers at all levels take.

So far, the main focus of studies and policy-makers is still exclusively on the negative impacts caused by perpetrators and does not include impacts resulting from responses to terrorism.

Thus, in this context, an analysis of the direct and indirect economic consequences of terrorist attacks in Europe could help to create a framework based on measurable data that could be used to prevent and respond effectively to the destabilization spread in all sectors by these violent events.

Regarding the private sector, substantial costs arise for those sectors directly hit by terrorist attacks, and each category is differently affected by jihadist terrorist activity.

20 M. Buesa, A. Valino, J. Heijs, T. Baumert, J. Gonzalez Gomez (February 2006) THE ECONOMIC COST OF MARCH 11: MEASURING THE DIRECT ECONOMIC COST OF THE TERRORIST ATTACK ON MARCH 11, 2004 IN MADRID. Instituto de Análisis Industrial y Financiero. Universidad Complutense de Madrid. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.319.8266&rep=rep1&type=pdf.

2.1 Tourism

There are multiple risks facing tourism that contribute to the formation of the perception of risk. In particular, security issues (i.e. uncontrollable risks), like terrorist attacks, are perceived by travelers as more important than safety issues (i.e. controllable risks), like a fire in the hotel.21

However, according to the World Travel & Tourism Council, among other sorts of incidents, terrorist or security-related incidents have the shortest average recovery time of 11.5 months (minimum 2 months).22

Each country has its own distinctiveness, which varies the influence of terrorism depending on whether it is a rich, large and diversified economy or a small, poor and more specialized economy. With that in mind, data from Eurostat23 on arrivals and nights spent of non-residents at tourist establishments indicate that terror attacks in the EU tend to have only a short-lived effect and that tourism levels, on average, tend to normalise within one to three months.24

21 R. Carballo, C.J. Leòn, M. Carballo (October 9, 2017) The perception of risk by international travellers. Worldwide Hospitality and Tourism Themes Vol 9 No. 5. https://www.emerald.com/insight/content/doi/10.1108/WHATT-07-2017-0032/full/html?skipTracking=true.
22 (November 4, 2019) Travel & Tourism Industry is More Resilient Than Ever According to New Research by WTTC and Global Rescue. World Travel & Tourism Council. https://wttc.org/News-Article/Travel-Tourism-Industry-is-More-Resilient-Than-Ever-According-to-New-Research-by-WTTC-and-Global-Rescue.
23 https://ec.europa.eu/eurostat/web/tourism/data/database.
24 M. Nikšić Radić, D. Dragičević, M. Barkiđija Sotošek (2018). The tourism-led terrorism hypothesis – evidence from Italy, Spain, UK, Germany and Turkey. Journal of International Studies. https://www.jois.eu/files/16_539_Niksic%20Radic.pdf.

As previously mentioned, terrorism can have different sorts of impacts on tourism, with consequences lying outside state control.

For instance, the effect of terrorist attacks with high lethality on tourism may be demonstrated by the case of the Brussels bombings of March 22, 2016, which were aimed at Brussels airport in Zaventem and Maalbeek metro station and resulted in 32 fatalities and more than 300 wounded persons. The most consistent impact of this attack was that, even though CT measures and damages forced the closing of most of Brussels airport for a few months, logically impacting negatively on the number of travelers in the city, data25 confirm a decrease of between 10% and 30% in arrivals and nights spent of non-residents all over Belgium for the 6 months after the attack.26 Moreover, once Brussels airport started working again at full capacity, tourism first recovered in other regions, such as Flanders or Wallonia, before fully restoring in Brussels, starting with domestic tourism before attracting international tourists again.27

About the indirect territorial impact of terrorism on tourism, researchers found28 that visitors from the UK and from non-European countries started cancelling reservations in Belgium even before the attacks in Brussels took place, precisely after the attacks in Paris in 2015 (40% of hotel bookings were cancelled over the weekend of the security clampdown).29 This effect was probably generated by the news circulating about the search in Belgium for those responsible for the Paris attacks.

Another indirect consequence to take into account is that the economic impact of jihadist activity in tourism goes far beyond the actors and services that are directly linked with this sector (e.g. hotels and catering, airlines, guided tours, etc.); it also affects those who supply goods and services to the firms operating in the tourism industry, generating an economic loss that, even within a few months, can generate a consistently negative impact even at a national level.30

25 https://www.toerismevlaanderen.be/sites/toerismevlaanderen.be/files/assets/documents_KENNIS/cijfers/Voorlopige%20cijfers/2016_Tabellen-9m.pdf.
26 T. Zeman, R. Urban (2019) The Negative Impact of Terrorism on Tourism: Not Just a Problem for Developing Countries?. DETUROPE – THE CENTRAL EUROPEAN JOURNAL OF REGIONAL DEVELOPMENT AND TOURISM Vol. 11 Issue 2 2019. http://www.deturope.eu/img/upload/content75-91.pdf.
27 D. Vanneste, P. Tudorache, F. Teodoroiu, T. Steenberghen (2017) The impact of the 2016 terrorist attacks in Brussels on tourism. Belgeo. https://journals.openedition.org/belgeo/20688#ftn9.
28 D. Vanneste, P. Tudorache, F. Teodoroiu, T. Steenberghen (2017) The impact of the 2016 terrorist attacks in Brussels on tourism. Belgeo. https://journals.openedition.org/belgeo/20688#ftn9.
29 A. Walker (December 2, 2015) Paris attacks: Assessing the economic impact. BBC. https://www.bbc.com/news/business-34965000.

2.2 Transports

The transport sector is directly subject to the consequences of terrorist acts, and this impact can give insights on how other sectors may be paralyzed by the fear of the incumbent terrorism threat and by CT measures put in place by authorities after a terrorist attack.

According to a report by the International Air Transport Association (IATA),31 terrorist attacks in Western Europe in late 2015 and early 2016 reduced European airlines’ international passenger traffic by an estimated 1.6% in the following year compared to what it would have been in the absence of such events, reducing European airlines’ 2016 revenues by around US$2.5bln.

According to the report, the RPK (Revenue Passenger Kilometers: a way of calculating the number of kilometers travelled by paying customers)32 fell below its trend level following the Paris attacks in November 2015. Then it started to rise again immediately afterward in seasonally adjusted terms, but the upward trend was interrupted following the Brussels bombing in March 2016.

As with the effect of jihadist attacks on the tourism industry, for airlines the impact seems to be only temporary (a few months) but, given that European airlines’ international traffic accounts for around 24% of the whole industry RPKs, the impact was felt at a global level too.33

Terrorist attacks also have a negative impact on city transport, disrupting labour and private companies. For instance, in the case of the bombings of the London public transport system on July 7, 2005, some firms reported that they had to find alternative means of transport for their employees unwilling to use public transport into central London. For smaller firms, this constituted the principal cost of the attack.34

30 M. Ehrenfreund (November 18, 2015) How do economies recover after terrorist attacks? World Economic Forum. https://www.weforum.org/agenda/2015/11/how-do-economies-recover-after-terrorist-attacks.
31 D. Oxley (May 2017) Estimating the impact of recent terrorist attacks in Western Europe. IATA. https://www.iata.org/en/iata-repository/publications/economic-reports/the-impact-of-recent-terrorist-attacks-in-western-europe.
32 Revenue Passenger Kilometres (RPK) is a way of calculating the number of kilometres travelled by paying customers, by multiplying the number of paying passengers by the distance travelled. Source Aeroflot Glossary https://ir.aeroflot.com/fileadmin/user_upload/files/eng/glossary_eng.pdf.
33 (2009) TERRORISM AND INTERNATIONAL TRANSPORT: TOWARDS RISK-BASED SECURITY POLICY - Round Table 144. The OECD and the International Transport Forum: Joint Transport Research Centre. https://www.itf-oecd.org/sites/default/files/docs/09rt144.pdf.

2.3 Insurance sector

A report drawn up by the global insurance company Marsh, which assesses the terrorist threat in Europe in 2018-2019, claims that, according to the insurance sector, “the threat of Islamist extremism remains high in Europe ... Religious extremist attacks in the EU will likely target the entertainment and hospitality sectors and public spaces frequented by tourists”.35

Besides this perspective, the truth is that terrorism insurance is considered to be a difficult product to construct and price.

In fact, to provide relief for insurers offering terrorism insurance and to support the supply of insurance policies that include terrorism insurance, several euro area and other countries have developed government and insurance industry-wide programs for terror coverage.36 For instance, in Germany, terrorism insurance is generally included in policies. To reduce the vulnerability of insurers, in 2002, a specialist company covering terror-related property damage called EXTREMUS was created by the Government and the Association of German Insurers.37

The primary objective of the program is to protect medium-sized companies against property and business interruption losses caused by terrorism. Its annual capacity amounts to €10 bn, of which only the first €2.5 bn are carried by EXTREMUS itself. The remaining €7.5 bn are covered by a state guarantee.38

The insurance sector has also adapted to the latest terrorist attacks involving motor vehicles.

34 T. Brück, F. Schneider, M. Karaisl (June 30, 2007) A Survey on the Economics of Security with Particular Focus on the Possibility to Create a Network of Experts on the Economic Analysis of Terrorism and Anti-Terror Policies and on the Interplay between the Costs of Terrorism and of Anti-Terror Measures – the State of Play of Research. DIW Berlin For the European Commission, Directorate General Justice, Freedom and Security. https://ec.europa.eu/home-affairs/sites/homeaffairs/files/doc_centre/terrorism/docs/sececon_full_report_en.pdf.
35 (May 2019) 2019 Terrorism Risk Insurance Report. Marsh. https://www.mmc.com/content/dam/mmc-web/insights/publications/2019/may/2019-terrorism-risk-insurance-report.pdf.
36 ECB Financial Stability Review (December 2007) https://www.ecb.europa.eu/pub/financial-stability/fsr/focus/2007/pdf/ecb~7585877f4b.fsrbox200712_18.pdf.
37 GERMANY TERRORISM RISK INSURANCE PROGRAMME. OECD. https://www.oecd.org/daf/fin/insurance/Germany-Terrorism-Risk-Insurance.pdf.
38 H. Schaloske (April 26, 2019) Terrorism insured – a German view. Clyde&Co. https://www.clydeco.com/en/insights/2019/04/terrorism-insured-a-german-view.

Also, in this case, each EU member state has its Insurance Code for these dramatic events. For instance, in France it is stipulated that the insurer shall not be responsible for loss or damage resulting from an intentional act of the insured.39 As terrorist attacks are considered part of the “ordre public”, French insurance policy, to ensure indemnification of victims of acts of terrorism for their bodily injuries, has since 1995 established a special fund, the Fonds de Garantie des Victimes des Actes de Terrorisme et d’autres Infractions,40 which indemnifies all victims of terrorist acts committed on French territory.

2.4 Indirect costs on local economies

Soft targets in general (e.g. shopping centers, clubs, restaurants, schools, gatherings, entertainment centers, etc.) are places that typically have a large concentration of population combined with a low level of security and, compared to hard targets, are not permanently protected.41 Although Governments, including at the local level, bear the primary responsibility for protecting soft targets against terrorist attacks,42 the private owners or operators are usually the only parties attending to their security needs and reducing their vulnerabilities.43

In fact, in the days after the 2015 Paris attacks, Securitas, a provider of security agents, received so many calls from department stores, museums and other outlets scrambling to hire thousands of guards and intensify screening that it had to accelerate hiring to meet the demand. The same happened at Visiom, a French maker of metal detectors, where orders from sports stadiums, concert halls and large stores have increased to an unprecedented degree since the Paris attacks.44

This can generate economic losses for small local businesses, because most of the abovementioned effects of a jihadist attack (e.g. impacts on consumer behavior, transports, tourism) reverberate on them, and they suffer the consequences of being considered either as targets or as places to avoid in the aftermath of a jihadist attack.

The indirect impact of terrorist activity on the stability of local economies is different from the impact they suffer from crime risk: shoppers or customers can avoid most violent crimes by carefully selecting safer places to shop, but they cannot reduce their risk of being attacked by terrorists unless they avoid public places altogether.

Moreover, it is reasonable to assume that, following a terrorist attack in a given area, potential investors and existing firms alike may be more averse to local investment due to the increased risk of future terrorism, whether real or perceived, and the subsequent loss of capital or business activity.45

All these elements cause enormous difficulties for small businesses or entire sectors in achieving recovery.

As an example, the estimated repercussion on the live music sector in 2015, after a series of jihadist attacks in Paris where 130 people died and 89 of the victims were attacked at the Bataclan concert hall, was that ticket sales in Paris fell 80% compared to the year before and several shows were cancelled as a safety precaution. But the repercussions extended globally, impacting the whole live events sector. A survey released a few weeks after the attack by digital marketing platform SpinGo looked at how the Paris terror attacks had impacted public opinion in the US on attending live events. It found 1 in 3 Americans were worried about a violent attack happening at a live event.46

39 (2018) Terrorist attacks through the use of motor vehicles in selected European countries. Swiss Re. https://www.swissre.com/dam/jcr:3f9290a5-6c14-4a68-aba1-93d34c4348f5/swiss_re_terror_acts_motor-vehicles_2018.pdf.
40 https://www.fondsdegarantie.fr/fgti/fonctionnement.
41 P. Beňová, S. Hošková-Mayerová, J. Navrátil (2017) Terrorist attacks on selected soft targets. Journal of Security and Sustainability Issues. http://jssidoi.org/jssi/papers/papers/view/354.
42 United Nations Office of Counter-Terrorism. Vulnerable targets. https://www.un.org/counterterrorism/vulnerable-targets.
43 (November 11, 2016) Economic impact of Paris attacks. DW. https://www.dw.com/en/economic-impact-of-paris-attacks/av-36354136.
44 L. Alderman (January 31, 2016) Terror Threats Thaw Budgets Across Europe. The New York Times. https://www.nytimes.com/2016/02/01/business/international/europe-training-financial-firepower-on-terrorism.html.

2.5 There is still room for improvement

In the abovementioned events, appropriate and proportional security measures, effective crisis management, and emergency communication are key elements to improve in order to mitigate the effects of terrorism at both the micro- and macro-economic level and, as a consequence, on society as a whole.

So far, in the EU research field, unfortunately, much knowledge is based on theoretical reasoning with only limited and highly fragmented empirical evidence.

The major cause of this gap is the restricted availability of data on the behavior of targets of jihadist attacks, dramatically reducing the possibility of improvements in this field. Then, given political and economic interdependencies in the EU, the previously mentioned economic repercussions of terrorism can stretch beyond national economies, echoing across the continent.

Hence, introducing new European standing mechanisms to review the implementation of counterterrorism policy and support of the victims in the EU is crucial to guarantee a quick response to recover in the aftermath of a terrorist attack.

45 R.T. Greenbaum, L. Dugan, G. LaFree (April 2006) The Impact of Terrorism on Italian Employment and Business Activity. Urban Studies, Vol. 44. https://ccjs.umd.edu/sites/ccjs.umd.edu/files/pubs/2COMPLIANT%20-%20The%20Impact%20of%20Terrorism%20on%20Italian%20Employment%20and%20Business%20Activity.pdf.
46 L. Graham (December 4, 2015) Music venues will need more security in light of the Paris terror attacks. CNBC. https://www.cnbc.com/2015/12/04/music-venues-will-need-more-security-in-light-of-the-paris-terror-attacks.html.

3. Government spending: the political cost of counter-terrorism

Unsurprisingly, the share of government expenditure grows when terror attacks occur as public spending on defense and security increases.47

As a consequence, countries have to raise taxes or shift their budget spending to potentially less growth-enhancing defense and security expenditures, which could harm long-term growth.48

This may happen because public resources are shifted from output-enhancing to non-productive expenditures.49 However, an action bias by the government50 is likely if the relevant actors are able to obtain credit for responding to the risk.

Even though not all the costs of CT measures are available on public records, there is evidence that, until 2008, an additional transnational terrorist incident per 1 million inhabitants in a Western European country has led to an average increase of government expenditure by 0.17%, while reducing economic growth by about 0.4%.51

47 EU Parliament. REVIEW OF THE FRAMEWORK DECISION ON TERRORISM. European Agenda on Security, Terrorism and Radicalization. LEGISLATIVE TRAIN 10.2020, 17 CIVIL LIBERTIES, JUSTICE AND HOME AFFAIRS - LIBE. https://www.europarl.europa.eu/legislative-train/api/stages/report/current/theme/civil-liberties-justice-and-home-affairs-libe/file/review-of-the-framework-decision-on-terrorism.
48 T. Brück, F. Schneider, M. Karaisl (June 30, 2007) A Survey on the Economics of Security with Particular Focus on the Possibility to Create a Network of Experts on the Economic Analysis of Terrorism and Anti-Terror Policies and on the Interplay between the Costs of Terrorism and of Anti-Terror Measures – the State of Play of Research. DIW Berlin For the European Commission, Directorate General Justice, Freedom and Security. https://ec.europa.eu/home-affairs/sites/homeaffairs/files/doc_centre/terrorism/docs/sececon_full_report_en.pdf.
49 T. Krieger, D. Meierrieks (January 2019) The Economic Consequences of Terrorism for the European Union. Albert-Ludwigs-Universität Freiburg https://www.econstor.eu/bitstream/10419/191637/1/104712761X.pdf.
50 C.R. Sunstein, R. Zeckhauser (2008) Overreaction to Fearsome Risks. John M. Olin Program in Law and Economics Working Paper No. 446.

3.1 The political aftermath of 2015 Paris attacks

Immediately after the November 13, 2015 Paris attacks, French president Hollande declared “We will be merciless toward the barbarians of Islamic State group ... the country must take appropriate action” and, as with Bush’s 2001 “war on terror”, to stress the international effort to fight Islamic-inspired terrorism, he declared he would “destroy the Islamic State”.52

In this frame, he also announced that France would increase its defense budget by close to €4bn over four years, in response to extremist threats after the Paris jihadist attacks.

3.2 Militaristic approach: a necessary disproportionate response

This declaration immediately sparked police operations across the country that led to 23 arrests and dozens of weapons seized in a series of raids on suspected Islamist militants;53 meanwhile, at an international level, the French Defense Ministry sent 12 French aircraft, including 10 fighter jets, to lead an air raid coordinated with American forces, and destroyed two Daesh targets in Raqqa.54

Another immediate response of the French Government, in terms of military recruitment, was the following: keep all the defense personnel (since 3/4 of the volunteers were on fixed-term contracts) and increase to 16,000 recruitments in 2016, while developing five waves of Army advertising campaigns in 2015 instead of three.

The unexpected result, in only a week after the November 13 Paris attacks, was an extraordinary increase of visitors to the French army’s website, sengager.fr, from 2,000 to 20,000 and the tripling of the requests for information and recruitments: from 500 to about 1,500 per day.55 This unprecedented phenomenon led to a total of approximately 160,000 applications being received in 2015 (against 120,000 in 2014).56

Furthermore, public opinion on the military in France improved in every respect. In fact, in a slowly positive trend started in 1990 (and since the terrorist attack on July 25, 1995,57 when 8 people were killed and 84 wounded),58 positive opinions on the French military branch increased to 87% in 2016, making France the EU country with the highest level of confidence in the military sector, ahead of Germany, Spain, and Italy, where the average stood at 73% in November 2016.59

In this respect, since France, in 2016, had an estimated 2,000 French nationals who had traveled to the conflict zone, a survey by the Pew Research Centre in 2016 highlighted that 91% of French citizens interviewed thought Daesh was a major threat to the country (to become 88% in 2017).60 Indeed, on March 17, after the January 2015 terrorist attack, in an attempt to fight domestic terrorists, France’s Interior Minister announced that the Government had cut welfare benefits to 290 French citizens who had left the country to join jihadist groups in Iraq and Syria.61

In this context, France’s military expenditure, after a constant decrease in 2010-2013 (from 56 to 53bn$), due to the enforcement of austerity policies in the EU for the 2010 debt crisis, and a slight increase in 2014 (54.5bn$), increased from 2015 until 2017 (from 56.6bn$ to 60.4bn$).62 In fact, in the immediate aftermath of the 2015 Paris attacks, France spent nearly 1 million euros a day on the heightened security, and the increased costs for security represented a roughly 3% growth, taking overall spending to €131 billion.

In that same period, the jihadist threat also unbalanced the austerity policies that spread across the EU after the 2010 debt crisis.

Besides guaranteeing aid to France after the French Government’s decision to activate Article 42.7 of the Treaty on European Union (TEU), according to which “If a Member State is the victim of armed aggression on its territory, the other Member States shall have towards it an obligation of aid and assistance by all the means in their power, in accordance with Article 51 of the United Nations Charter”,63 in 2016, European leaders put security spending as a priority.

In the first place, the EU Commission authorized France to receive special treatment under budget deficit rules to strengthen security programs, even after having admonished France the previous year for failing to meet deficit reduction pledges. Indeed, France had originally planned steep cuts in defense spending, forced to save much-needed cash despite the need to ensure security. As part of these cuts, some 34,000 jobs were due to be slashed in the 2014-2019 period, but this figure turned to 15,500 after the attacks on Charlie Hebdo magazine.64

Then, the dire need to respond to this wave of fear caused by terrorist attacks perpetrated all over the EU led other Member States to shift towards a security approach. For instance, Germany hired more police and intelligence officers, and the German Defense Minister proposed to increase military spending by about $141bn over 15 years. Also, part of the €12.1bn budget surplus was diverted to managing the wave of refugees flooding into the country.65

51 K. Gaibulloev, T. Sandler (July 17, 2008) Growth Consequences of Terrorism in Western Europe. Kyklos Volume 61, Issue 3. https://onlinelibrary.wiley.com/toc/14676435/2008/61/3.
52 S. Lucas (November 17, 2015) Paris attacks: how effective has the military response been?. The Conversation. https://theconversation.com/paris-attacks-how-effective-has-the-military-response-been-50804.
53 (November 16, 2015) Paris attacks: Many arrested in raids across France. BBC News. https://www.bbc.com/news/world-europe-34830233.
54 A. Rubin, A. Barnard (November 15, 2015) France Strikes ISIS Targets in Syria in Retaliation for Attacks. The New York Times. https://www.nytimes.com/2015/11/16/world/europe/paris-terror-attack.html.
55 N. Gilbert (November 19, 2015) Ruée des jeunes Français vers les armées. Le Monde. https://www.lemonde.fr/attaques-a-paris/article/2015/11/19/ruee-des-jeunes-francais-vers-les-armees_4813438_4809495.html?utm_campaign=Echobox&utm_medium=Social&utm_source=Twitter#meter_toaster.
56 F. Garza (November 21, 2015) The French military has seen a surge in applications after the Paris attacks. Quartz. https://qz.com/556517/the-french-military-has-seen-a-surge-in-applications-after-the-paris-attacks.
57 C.R. Whitney (December 4, 1996) 2 Die as Terrorist Bomb Rips Train at a Paris Station. The New York Times https://www.nytimes.com/1996/12/04/world/2-die-as-terrorist-bomb-rips-train-at-a-paris-station.html.
58 É. Jolly, O. Passot (July 2018) Instability and Uncertainty. Strategic Review of Security and Defence Challenges from a French Perspective - FRANCE AND POLAND FACING THE EVOLUTION OF THE SECURITY ENVIRONMENT. Institut de recherche stratégique de l’École militaire - issue 59.
59 Ministère des Armées (2017) La perception de la défense dans l’opinion publique européenne et chez les jeunes. Annuaire statistique de la défense.
60 J. Poushter, D. Manevich (August 1, 2017) Globally, People Point to ISIS and Climate Change as Leading Security Threats. Pew Research Center. https://www.pewresearch.org/global/2017/08/01/globally-people-point-to-isis-and-climate-change-as-leading-security-threats.
61 Counter Extremism Project. France: Extremism & Counter-Extremism. https://www.counterextremism.com/countries/France.
62 France Military Expenditure 2010 - 2020. Trading Economics. https://tradingeconomics.com/france/military-expenditure.
63 A. Marrone, D. Fattibene (January 2016) Defence Budgets and Cooperation in Europe: Developments, Trends and Drivers. Istituto Affari Internazionali (IAI). https://www.iai.it/sites/default/files/pma_report.pdf.
64 M. Barreaux (April 29, 2015) Paris Attacks Spur France To Boost Budget. Defense News. https://www.defensenews.com/2015/04/29/paris-attacks-spur-france-to-boost-budget.
65 L. Alderman (January 31, 2016) Terror Threats Thaw Budgets Across Europe. The New York Times. https://www.nytimes.com/2016/02/01/business/international/europe-training-financial-firepower-on-terrorism.html.

3.3 Deradicalization programs: political and economic costs

Another relevant aspect of EU Member States’ budget expenditure in the aftermath of terrorist attacks was in the field of deradicalization programs.66

In 2015, the French government announced that 2,680 new jobs would be created in the deradicalization sector and raised the budget for the fight against terrorism by €425mn. The first effort in developing counter-narratives led to the launch of the stop-djihadisme.gouv.fr website, along with related accounts on Twitter and Facebook. The campaign aimed to highlight the penalties for the promotion of terrorism or other terrorist activities and to support the military and stabilization operations of France and its allies in war zones, but rarely engaged directly with jihadist narratives, except during specific campaigns, such as #ToujoursLeChoix #AlwaysTheChoice.67 Despite its large reach (8 citizens out of 10), the #ToujoursLeChoix campaign also generated suspicion, due to its link to the body for reporting radical behavior, and even provoked counter-campaigns and mockery by some jihadists with the #NoChoice campaign.68

In the meantime, at the European level, the EU Internet Referral Unit (EU IRU)69 was established in July 2015 as a special unit at Europol, which increased its number of staff employed from approximately 950 to 1,300 people in 2015-2019,70 with the aim of detecting and investigating malicious content on the internet and in social media in order to monitor terrorism online. The unit comprises a team of experts with multiple and diverse knowledge and skills (e.g. experts in religiously inspired terrorism, translators, ICT developers, and law enforcement). Until 2017, when its annual budget was €4.5mn,71 the EU IRU had assessed in total 42,066 pieces of content and, on average, the content flagged for referrals had been removed in 86% of the cases.

66 EU Commission - Research and Innovation (March 29, 2019) Practicies Project Objective H2020-SEC-06-FCT-2016 Research and Innovation Action (RIA) Partnership against violent radicalization in cities Project Number: 740072. https://ec.europa.eu/research/participants/documents/downloadPublic?documentIds=080166e5c39cd363&appId=PPGMS.
67 N. Hénin (March 2, 2018) “Prevent to Protect”: Analysis and Perspective on the French Program to Counter Terrorism and Radicalization. European Eye on Radicalization. https://eeradicalization.com/prevent-to-protect-analysis-and-perspective-on-the-french-program-to-counter-terrorism-and-radicalization.
68 L. Bindner (February 1, 2018) Jihadists’ Grievance Narratives against France. International Center for Counter-terrorism - The Hague (ICCT). https://www.jstor.org/stable/resrep17482?seq=17#metadata_info_tab_contents.
69 EU INTERNET REFERRAL UNIT - EU IRU. https://www.europol.europa.eu/about-europol/eu-internet-referal-unit-eu-iru.
70 (2019) Number of staff employed by Europol from 2001 to 2019. Statista. https://www.statista.com/statistics/1178667/europol-staff-levels.
71 EU Toghter We Project. https://europa.eu/euprotects/our-safety/awareness-prevention-how-eu-combating-radicalisation-across-europe_en.

In May 2016, in France, the deradicalization plan adopted in 2014 was replaced by the PART - Plan d’action contre la radicalisation et le terrorisme, an approximately €100mn plan for countering jihadist ideology.
It provided 50 new measures that introduced, among others, new priorities such as the development of applied research on counter-arguments involving France’s Islamic community, the improvement of the detection of signs of radicalization and of terrorist networks at the earliest possible stage, in an attempt to “prevent terrorists from procuring arms and financing”,72 and the creation of a common culture of safety.73

As part of this action plan, in July 2016, the French government allocated €40mln, in a two-year plan, to establish new de-radicalization centers across the country. €2.5mln of this budget went to Pontourny, the first French deradicalization center, opened in the small village of Beaumont-en-Véron as the first of 12 others around the country.74

It has to be taken into account that, in France, in that period, as more money was being invested in anti-radicalization measures, more individuals became interested in the matter. This phenomenon created the so-called business of radicalization, which caused the emergence of many self-proclaimed specialists, usually not well equipped to address the phenomenon.75

This lack of preparation brought the project to an end in less than a year. The radicalization issue in Pontourny was addressed on the premise that one ideology could replace another and was based on the voluntary participation of allegedly radicalized subjects. Furthermore, it caused unrest in the residential areas near the center, due to citizens worried for their safety.76

This approach highlighted a lack of knowledge and investment in prevention programs, showing that, unlike the military approach, which generates much more consensus in the short term, de-radicalization is part of a prevention effort that requires time and a vision that cannot exclusively favor a more securitized rather than a preventive approach.77

72 (May 10, 2016) Eliminating jihadism is the great challenge of our generation. https://www.gouvernement.fr/en/eliminating-jihadism-is-the-great-challenge-of-our-generation.
73 https://www.gouvernement.fr/reagir-attaque-terroriste.
74 E. Souris, S. Singh (November 23, 2018) Want to Deradicalize Terrorists? Treat Them Like Everyone Else. Foreign Policy. https://foreignpolicy.com/2018/11/23/want-to-deradicalize-terrorists-treat-them-like-everyone-else-counterterrorism-deradicalization-france-sri-lanka-pontourny-cve.
75 H. Mechaï (July 14, 2019) The ‘deradicalisation’ business: How French attacks spawned a counter-extremism industry. Middle East Eye. https://www.middleeasteye.net/news/deradicalisation-business-how-french-attacks-spawned-counter-extremism-industry.
76 S. Fillon (September 2, 2017) What we can learn from France’s failed deradicalization center. La Stampa. https://www.lastampa.it/esteri/la-stampa-in-english/2017/09/02/news/what-we-can-learn-from-france-s-failed-deradicalization-center-1.34412986.

In September 2017, Macron focused on new programs and pledged additional resources to address conditions that terrorists exploit for recruitment.78 The plan was fulfilled in February 2018,79 and, among its innovations, included applied scientific research and knowledge sharing with countries facing the same issue, as well as deradicalization and disengagement in schools and prisons. The 2018 program did not, however, include a social or economic component in favor of disadvantaged cities identified as fertile grounds for radicalization.80

3.4 EU-funded programs and budget

In July 2017, through its different funding programs, the EU Commission provided financial support, amounting to more than €300mn, to a large number of projects, within and outside the EU, tackling radicalization.81

Moreover, the EU established the Internal Security Fund (ISF), an instrument for financial support for police cooperation, which committed a total amount of €3.8bn between 2014 and 2020. It is composed of two instruments: ISF Borders and Visa (ISF-B&V), aimed at achieving a uniform and high level of control of the external borders by supporting integrated border management,82 and ISF Police (ISF-P), aimed at enhancing the capacity of the EU Member States and the Union to manage security-related risks and crises effectively.83 The ISF-P and the EU Commission also fund research projects on radicalization, such as the Radicalization Awareness Network (RAN), which has earmarked a budget of €25mn over 2015-2019.84

77 B.T. Said, H. Fouad (September 2018) Countering Islamist Radicalisation in Germany: A Guide to Germany’s Growing Prevention Infrastructure. International Center for Counter-Terrorism - The Hague. https://icct.nl/app/uploads/2018/09/ICCT-Said-Fouad-Countering-Islamist-Radicalization-in-Germany-Sept2018.pdf.
78 (2017) 2017 Country Report on Terrorism for France. US Embassy & Consulate in France. https://fr.usembassy.gov/2017-country-report-on-terrorism-for-france.
79 (February 23, 2018) «Prévenir Pour Protéger» Plan national de prévention de la radicalisation. https://www.gouvernement.fr/sites/default/files/contenu/piece-jointe/2018/02/2018-02-23-cipdr-radicalisation.pdf.
80 J. Jacquin (February 23, 2018) Le gouvernement lance un plan tous azimuts de prévention de la radicalisation. Le Monde. https://www.lemonde.fr/societe/article/2018/02/23/le-gouvernement-lance-un-plan-tous-azimuts-de-prevention-de-la-radicalisation_5261486_3224.html.
81 European Parliament (May 2018) The return of foreign fighters to EU soil. https://www.europarl.europa.eu/RegData/etudes/STUD/2018/621811/EPRS_STU(2018)621811_EN.pdf.
82 Internal Security Fund - Borders and Visa. https://ec.europa.eu/home-affairs/financing/fundings/security-and-safeguarding-liberties/internal-security-fund-borders_en.
83 https://ec.europa.eu/home-affairs/financing/fundings/security-and-safeguarding-liberties/internal-security-fund-police_en.

As for creating a common counter-terrorism approach across the EU, Europol’s budget increased from €53 million to €68 million between 2002 and 2009 and, in 2016, was over €100 million.
In this framework, in January 2016, a European Counter-Terrorism Centre (ECTC), a platform by which member states can increase information sharing and operational cooperation, was launched within Europol, following a decision from the Justice and Home Affairs Council of 20 November 2015.85

Furthermore, Cepol, the EU Agency for Law Enforcement Training, has been established since July 2016. The agency, with an annual budget of approximately €8/10mn,86 operates with the aim of facilitating cooperation and knowledge sharing among law enforcement officials of the EU Member States and of third countries on EU priorities in the field of security.87

To facilitate professional networking among the EU and its partners, Cepol implemented the EU/MENA Counter-Terrorism Training Partnership, which basically consists of training activities and a platform for police and other law enforcement specialists to exchange know-how, the latest crime developments, and counter-measures.88

The EU-funded project, whose budget amounted to €6.5 million in 2019, has led Cepol to collaborate with the authorities of countries such as Algeria, Jordan, Lebanon, Morocco, Tunisia, and Turkey on issues such as cybersecurity and the fight against online extremism and terrorism.89

3.5 The dire need for unpopular, supranational, and long-term decisions in counter-terrorism

As seen in France, the mass psychological effects of terrorism lead citizens to demand an immediate reaction from the government to a terrorist attack. Because of this, governments tend to respond with traditional counter-terrorism policies that try to reduce the perceived terrorist threat by increasing the direct costs of terrorism to highlight the visibility of military deployment.

84 https://ec.europa.eu/home-affairs/what-we-do/networks/radicalisation_awareness_network_en.
85 https://www.europol.europa.eu/about-europol/european-counter-terrorism-centre-ectc.
86 Budget, Cepol (2019) https://www.cepol.europa.eu/sites/default/files/Annual%20Budget%202019.pdf.
87 https://www.cepol.europa.eu/who-we-are/european-union-agency-law-enforcement-training/about-us.
88 (2017) User guide FOR the CEPOL CT 2 EXCHANGE PROGRAMME. Cepol.
89 (November 10, 2020) Revealed: The EU Training Regime Teaching Neighbours How to Spy. Privacy International. https://privacyinternational.org/long-read/4289/revealed-eu-training-regime-teaching-neighbours-how-spy.

Even though the literature suggests that terrorist threats and public spending on CT are linked in a cause-and-effect relationship, increased spending is not always followed by a reduced incidence of terrorism.90 On the contrary, repressive measures usually lead, in the long term, to socio-economic costs because of the consequences of the restrictions on political rights and civil liberties that are implemented in the hope of countering terrorism. The outcomes of these necessary measures may also disincentivize business activities.91

These actions should be combined with policies that enhance deradicalization programs which, contrary to repressive ones, may take effect in the long run and also require a multidisciplinary and complex approach. Thus, immediately after a terrorist attack, they may not be overly popular with public opinion or policy-makers.

However, while CT remains mainly a national policy matter, it is increasingly becoming an area of higher priority at the EU level, which is developing and improving over the years.

A supranational design of CT measures is more likely to effectively counter international terrorism by overlapping security know-how and information sharing imbalances among EU Member States, providing a democratically legitimized and coordinated long-term vision of terrorism issues, and establishing an appropriate international legal framework on terrorism.

4. Global challenges

As analyzed in the previous articles, the impact of a terrorist attack can affect a country’s peace dividends92 and, as a consequence, its whole economy.93 In addition, according to rough calibrations, an increase in public military-security spending by 1% of GDP and private security spending by 0.5% of GDP would reduce output by about 0.7% in five years.94

90 O.E. Danzell, S. Zidek (August 24, 2013) Does counterterrorism spending reduce the incidence and lethality of terrorism? A quantitative analysis of 34 countries. Defense & Security Analysis. Volume 29. https://www.tandfonline.com/doi/abs/10.1080/14751798.2013.820970.
91 T. Krieger, D. Meierrieks (January 2019) The Economic Consequences of Terrorism for the European Union. Albert-Ludwigs-Universität Freiburg. https://www.econstor.eu/bitstream/10419/191637/1/104712761X.pdf.
92 Peace dividend is the possibility of a State, which is no longer at war, to reduce military spending.
93 E. Fieser, M. Bristow (March 8, 2019) What Peace Dividend? Terror Attacks on Colombia Pipelines Double. Bloomberg. https://www.bloomberg.com/news/articles/2019-03-08/what-peace-dividend-terror-attacks-on-colombia-pipelines-double.
94 P. Lenain, M. Bonturi, V. Koen (July 2002) IV. Economic consequences of terrorism. Public spending on security threatens fiscal consolidation. OECD. http://www.oecd.org/economy/outlook/1935314.pdf; https://www.oecd-ilibrary.org/economics/the-economic-consequences-of-terrorism_511778841283.

With these premises, the primary consequence of tighter security is a reduction in the level of productivity as, for instance, waiting times lengthen at airports or borders; public financial support to strategic industries and protectionist measures could also distort competition and reduce productivity growth.95

Moreover, the economic impact of transnational terrorism, such as Islamic-inspired terrorism, spreads to more than one country. This international aspect can stem from the victims, targets, institutions, supporters, terrorists, or implications.96

Indeed, in an economically interconnected world, terrorist incidents have the potential to generate an international network of consequences on the rules of the economy, reverberating in the perception of globalization of both private and public entities.97

In Europe, the macroeconomic repercussions of jihadist terrorist attacks need to be monitored by acknowledging interdependencies among member-states, their links to other countries, and how the EU as a whole connects to the rest of the world.

In this respect, the analysis needs to focus on the most relevant fields affected by terrorist attacks that, by definition, require interactions among different countries.

4.1 Effects on trade in the aftermath of large-scale jihadist attacks

In most developed countries, terrorism generally does not affect the entire macroeconomic environment. For instance, terror attacks that occurred in the EU in 2015, 2016, and 2017 appear to have had no significant influence on foreign exchange markets or the value of any member-state’s currency, very differently from what happened to currency pairs98 in previous attacks that occurred in Western countries. This finding suggests that market participants have probably learned how to better assess such events and thus react more calmly and rationally to them, not treating them as unexpected events likely to significantly affect the foreign exchange market.99

95 K.R. Ahern (February 2018) The Importance of Psychology in Economic Activity: Evidence from Terrorist Attacks. NBER - National Bureau of Economic Research. https://www.nber.org/papers/w24331.
96 T. Sandler, W. Enders (2007) ECONOMIC CONSEQUENCES OF TERRORISM IN DEVELOPED AND DEVELOPING COUNTRIES: AN OVERVIEW. University of Texas - Dallas. https://personal.utdallas.edu/~tms063000/website/Econ_Consequences_ms.pdf.
97 S.B. Blomberg, G.D. Hess, A. Weerapanac (April 15, 2004) Economic conditions and terrorism. European Journal of Political Economy. https://bit.ly/36M6qwv.
98 Price quote of the exchange rate for two different currencies traded in Foreign exchange markets.

Nonetheless, by affecting various sectors, terrorism still has the potential to impact relations among states and, even in developed countries, become a primary consideration in formulating investment decisions.100

The first sector affected by the symptoms of an altered relation with foreign countries after terrorist incidents is trade.
In this field, so far, existing studies report a variety of findings on the effects of terrorism. For instance, one set of studies, by analyzing annual panel data sets of aggregate bilateral trade flows, finds that terrorism has a statistically significant and robust negative effect on trade, quite similar to that of civil wars,101 because terrorism may divert government expenditures from more productive public investment to less productive security activities, thereby reducing economic growth, export production, and import demand.102

Other studies highlight possible variations in the terrorism-trade nexus at the product level; by analyzing trade in primary commodities and manufactured goods separately, their results suggest that the reduction in total trade induced by terrorist incidents is caused by a decline in trade of manufactured goods while, in a multi-sector model, trade in primary commodities may even increase after a terrorist attack, by shifting from a terrorism-impacted manufacturing sector to a less-impacted primary sector, thereby lowering costs in the latter. In particular, the 2018 study by Bandyopadhyay, Sandler, and Younas asserts that domestic terrorism reduces manufactured exports and increases primary exports, while transnational terrorism reduces primary exports.103

99 C. Hassapis, S. Katsikides, S. Markoulis (November 5, 2018) Terror Attacks, Foreign Exchange Markets and Class Dynamics. InTech Open. https://www.intechopen.com/books/classes-from-national-to-global-class-formation/terror-attacks-foreign-exchange-markets-and-class-dynamics.
100 D. Wagner (February 2006) The Impact of Terrorism on Foreign Direct Investment. IRMI. https://www.irmi.com/articles/expert-commentary/the-impact-of-terrorism-on-foreign-direct-investment#5.
101 A. Abadie, J. Gardeazabal (March 2003) The Economic Costs of Conflict: A Case Study of the Basque Country. American Economic Review Vol 93. NO. 1. https://www.aeaweb.org/articles?id=10.1257/000282803321455188.
102 Blomberg, Hess, Orphanides examined a pooled cross section of 177 countries from 1968 to 2000 and found that if a country experienced transnational terrorist incidents on its soil in each year of the sample period, then per capita income growth fell by 1.587% points over the entire sample period. S.B. Blomberg, G.D. Hess, A. Weerapanac (April 15, 2004) Economic conditions and terrorism. European Journal of Political Economy. https://bit.ly/36M6qwv.

A recent study focused on the effects of three large-scale terrorist incidents in France (January 2015, November 2015, and July 2016), thus concentrating the analysis on the incidents that received massive public attention rather than on observable outcomes such as the number of casualties or fatalities, which still represents the most popular approach to weighting attacks in the empirical literature. It documents an immediate and lasting decline in cross-border trade after a mass terrorist attack. The reduction in trade mainly takes place along the intensive margin (i.e. exports per exporting firm),104 with particularly strong effects for partner countries with low border barriers to France, for firms with less frequent trade activities, and for homogeneous products (i.e. products with the same physical characteristics and quality as similar products from other suppliers). The study traces the cause of these patterns mainly to the increase in trade costs due to stricter security measures.105

In this respect, ImportTime, a variable constructed by the World Bank in its “Doing Business” project,106 measures the time burden of procedures faced by importers.

By using the ImportTime variable, researchers found that terrorist attacks in a neighboring country cause a 4% decrease in bilateral trade and that about half of this reduction is caused by increases in the time to import, proving that stricter trade-related counter-terrorism regulations depress trade through increased time delays.107

Indeed, the just-in-time supply chain management system depends to a large degree on the efficiency of border crossings. A strong increase in security measures at borders may increase the ad valorem tax (a tax based on the assessed value of an item, such as import duty taxes on goods from abroad) of trading internationally by 1% to 3%, leading to a significant drop in international trade, negatively affecting openness, productivity, and medium-term output growth.108

103 By using augmented gravity model’s variables applied to bilateral trade, for a world sample of 151 countries over the period 1995–2012, Bandyopadhyay, Sandler, and Younas found that both domestic and transnational terrorism have a detrimental effect on manufactured imports. S. Bandyopadhyay, T. Sandler, J. Younas (April 17, 2018) Trade and terrorism: A disaggregated approach. Journal of Peace Research Volume: 55 issue: 5. https://journals.sagepub.com/doi/full/10.1177/0022343318763009#_i24.
104 A. Fernandes, P.J. Klenow, S. Meleshchuk, M. Denisse Pierola, A. Rodriguez-Clare (December 7, 2018) The Intensive Margin in Trade. International Monetary Fund. https://www.imf.org/en/Publications/WP/Issues/2018/12/07/The-Intensive-Margin-in-Trade-46389.
105 V. Nitsch, I. Rabaud (November 24, 2019) Under Attack: Terrorism and International Trade in France, 2014-16. Document de Recherche du Laboratoire d’Économie d’Orléans Working Paper Series, Economic Research Department of the University of Orléans (LEO), France DR LEO 2019-12. https://hal.archives-ouvertes.fr/hal-02411649/document.
106 http://www.doingbusiness.org.
107 C.S. Pham, H. Doucouliagos (June 2017) An Injury to One Is an Injury to All: Terrorism’s Spillover Effects on Bilateral Trade. IZA Institute of Labor Economics - Initiated by Deutsche Post Foundation. http://ftp.iza.org/dp10859.pdf.

In this respect, Pham and Doucouliagos, according to synthetic data representing a sample of a nation that imports from 88 exporters, calculated that each additional terrorist attack in a neighboring country reduces bilateral trade by nearly 0.013% on average, which translates into a reduction of approximately $6.4mn in its total trade. In these terms, on average, due to the increase in both the economic and time costs of trade, a terrorist attack would be able to affect bilateral trade up to five years after the event.

4.2 Taking the foreign investor perspective

The consequences of terrorist attacks could lead investors and market analysts to reassess expectations related to the economy of a country109 and reduce the expected return on investment.110 This assessment is likely to influence the actions of market participants and the way financial markets react to the specific event,111 including the time they will require to feel reassured amid increasing uncertainty.

According to the FDI Confidence Index, annually published by the consulting firm Kearney, even in a strong economy such as Belgium, foreign direct investment (FDI) flows fell dramatically in 2016 due to the jihadist terrorist attacks, causing GDP growth to hold steady at 1.4% annually for the next 2 years instead of 2%.112

108 P. Lenain, M. Bonturi, V. Koen (July 2002) IV. Economic consequences of terrorism. Public spending on security threatens fiscal consolidation. OECD. http://www.oecd.org/economy/outlook/1935314.pdf; https://www.oecd-ilibrary.org/economics/the-economic-consequences-of-terrorism_511778841283.
109 A.H. Chen, T.F. Siems (2004) The effects of terrorism on global capital markets. European Journal of Political Economy. https://www.sciencedirect.com/science/article/pii/S0176268003001022?casa_token=Yb5kn2pKRY8AAAAA:EZyIGHeOGWzzYkvFnKYg-FWLCA1WAL8ttSHykGnF8udi- uXFR35NgtWk2y6Iqj6QkJDFYAsBq1g.
110 A. Abadie, J. Gardeazabal (October 9, 2007) Terrorism and the world economy. European Economic Review 52. https://economics.mit.edu/files/11864.
111 (March 22, 2016) Terror attack in Brussels sends stock markets lower. The Irish Times. https://www.irishtimes.com/business/markets/terror-attack-in-brussels-sends-stock-markets-lower-1.2582961.
112 (2017) The 2017 Kearney Foreign Direct Investment Confidence Index. Kearney. https://www.kearney.com/foreign-direct-investment-confidence-index/2017-full-report.

Even though the behavior of foreign investors is difficult to predict and depends on several factors, including long-term objectives,113 protracted domestic terrorism or terrorist attacks that receive huge conventional or social media coverage (e.g. the jihadist attack in Belgium in 2016)114 lead to the anticipation of future events and, among other financial forecasts, the possibility of rising costs of doing business due to expensive security measures. Thus, investors, both at home and abroad, may decide to direct their assets to safer activities in other countries,115 changing their investment plans not only in terms of their amount but also in terms of their composition.116

In the aftermath of jihadist attacks, the economic threat doesn’t only come from foreign investors doubting the socio-economic stability of a country, but also from the investors from member-states that are willing to invest abroad.

Arab countries may be affected by this perception of threat and uncertainty too. For instance, tensions117 over the response of the French government to the murder of teacher Samuel Paty by an Islamist extremist in northern Paris sparked dozens of protests, outside French embassies and consulates, in multiple countries (e.g. Turkey, Bangladesh, Jordan, Qatar, Iran, Mali, Mauritania, Libya, Pakistan, and Indonesia).118 This sentiment caused widespread calls for boycotting French goods in Muslim-majority countries, with the protest being supported at a political level by Turkish President Erdogan and several other Muslim leaders, targeting other European countries too.119

113 D. Wagner (February 2006) The Impact of Terrorism on Foreign Direct Investment. IRMI. https://www.irmi.com/articles/expert-commentary/the-impact-of-terrorism-on-foreign-direct-investment#5.
114 C. Fingar (August 11, 2016) Belgium minister takes the safety first route. FDI Intelligence. https://www.fdiintelligence.com/article/66478.
115 T. Sandler, W. Enders (2007) ECONOMIC CONSEQUENCES OF TERRORISM IN DEVELOPED AND DEVELOPING COUNTRIES: AN OVERVIEW. University of Texas - Dallas. https://personal.utdallas.edu/~tms063000/website/Econ_Consequences_ms.pdf.
116 Human Rights Council - Advisory Committee - Twenty-first session (July 6-10, 2018) Draft report on Negative Effects of Terrorism on the Enjoyment of Human Rights.
117 France Diplomacy (29/10/2020) Call for maximum vigilance - risk of attack. https://www.diplomatie.gouv.fr/fr/conseils-aux-voyageurs/informations-pratiques/article/appel-a-la-vigilance-maximale-risque-d-attentat-29-10-2020.
118 GardaWorld (October 29, 2020) Middle East/North Africa: Tensions over response to Islamist attacks in France increase threat against French nationals and interests across MENA region. https://www.garda.com/crisis24/news-alerts/394411/middle-eastnorth-africa-tensions-over-response-to-islamist-attacks-in-france-increase-threat-against-french-nationals-and-interests-across-mena-region.
119 G. Yildiz (November 6, 2020) Turkish-French Culture War over Islamist Radicalism and Islamophobia May Unite Europe against Turkey. SWP German Institute for International and Security Affairs. https://www.swp-berlin.org/en/publication/turkish-french-culture-war-over-islamist-radicalism-and-islamophobia-may-unite-europe-against-turkey.

Many of the countries involved in the protests enjoy a profitable bilateral relationship with France. For instance, in 2019, Bangladesh exported goods worth $1.7 billion to France, making France its fourth biggest export market. French companies have investments in Bangladesh, from cement to energy, telecommunications, and pharmaceuticals.120

The Arab boycott of French products is not only negatively affecting France’s regional reputation in the Middle East but is also likely to reduce the revenue that the French government could derive from taxing its successful companies active in the region, such as the supermarket chain Carrefour or luxury brands such as L’Oréal, Garnier, and Lancôme, heavily targeted through social media in the lists of brands to avoid.

This context shouldn’t be underestimated, because a previous Muslim boycott of Danish goods in 2006, caused by the caricature of Prophet Muhammad published by a Danish newspaper,121 led exports to Saudi Arabia to fall by 40% and exports to Iran by 47%.122

4.3 Preventing a reluctancy to openness that comes from within

As written by Guéhenno, “the nature of threats” is changing with globalization and “the threat is no longer another competing community, but rather the internal weakening of communities”.123

In this context, globalization lets disorders and uncertainty outside the EU directly affect the domestic economy of member-states on issues such as migration, security, trade, and the threat of cross-border conflict and lawlessness.

Jihadist attacks are the tip of a complex environment and, as previously analyzed, they spread with soft or hard long-lasting consequences that are able to permeate every layer of society. These aspects are translated, in the middle/long run, into domestic socio-economic imbalances likely to shift the pendulum of policy-makers and public opinion toward protectionism.

120 W. Rahman (October 27, 2020) Huge Bangladesh rally calls for boycott of French products - Will calls for a boycott work?. BBC. https://www.bbc.com/news/world-asia-54704859.
121 H.M. Fattah (January 31, 2006) Caricature of Muhammad Leads to Boycott of Danish Goods. The New York Times. https://www.nytimes.com/2006/01/31/world/middleeast/caricature-of-muhammad-leads-to-boycott-of-danish-goods.html.
122 A. Haine (October 26, 2020) Economists shrug off boycott threat to French products from Muslim nations. The National News. https://www.thenationalnews.com/business/economy/economists-shrug-off-boycott-threat-to-french-products-from-muslim-nations-1.1100136.
123 J. Guéhenno (December 7, 2010) The impact of globalisation on strategy. Survival - Global Politics and Strategy. https://www.tandfonline.com/doi/abs/10.1080/713660009.

This view may also impact economic initiatives aimed at promoting lasting stability in those developing and unstable countries that are fundamental to addressing the roots of security issues connected to jihadist terrorism.

One example is the protests that arose all over Europe when, in 2016, the European Parliament voted in favor of a measure allowing Tunisia to export 70,000 tons of olive oil to the European Union in two years. That agreement was a first step towards the creation of a safer socio-economic environment in one of the EU’s neighboring countries most afflicted by the foreign fighters phenomenon, helping to change the perspective of European action in the area of the Southern Mediterranean.124

Indeed, programs aimed at the de-escalation of conflicts and the long-term construction of more resilient and legitimate state structures by improving foreign economic cooperation are key strategies to provide the best foundation for the EU’s objectives.

Promoting development in, for instance, the MENA region would create an economic hinterland for the EU, increasing its scope for investment in areas that could meet future European needs, such as those in renewable energy,125 providing a double benefit by effectively addressing security issues and creating a profitable mutual environment for business opportunities. So far, a lack of European consensus in these terms has prevented the EU from acquiring the influence it could otherwise have had.

5. Stuck in an affordable blame game on content moderation

In November 2020, following the terrorist attacks in France, Germany, and Austria, the European Council126 stated that “access to digital information is becoming ever more crucial and the mobility of this data demands effective cross-border instruments, because otherwise terrorist networks will in many cases be a step ahead of the investigating authorities ... access to the digital information, that is essential for preventing and eliminating terrorist action must be ensured and boosted.127”

It is well known that, in the fields of online propaganda, radicalization128, and terrorist financing, weak regulation of social media and end-to-end encrypted chats can become a barrier to an effective counter-terrorism strategy.

In this field, the dilemma of giving up some privacy to improve security, which stems from enhancing access to online communication, might also affect the economic aspects related to the spread of these tools.

In this respect, Wojciech Wiewiórowski, European Data Protection Supervisor, claimed: “encryption is as critical to the digital world, as is the physical lock to the physical world”. Then, to stress the need to differentiate the approach for requesting lawful access that can be applied to different technologies or means of communication, he declared that it is useless to focus only on a strict dichotomy between “confidentiality of communications can never be restricted” or “law enforcement will be unable to protect the public unless it can obtain access to all encrypted data”. To satisfy the requirement of proportionality, the legislation must lay down clear and precise rules governing the scope and application of these measures and require that the people whose personal data is affected have sufficient guarantees that their data will be effectively protected against the risk of abuse129.

It has to be taken into account that, besides ethical dilemmas, an institutional man-in-the-middle approach in these sectors may directly affect the core business of hosting service providers, with impacts on investments, users’ behavior, and government budget spending.

However, even though a 100% level of security is utopian, is overall control over social media still possible nowadays, with the technologies and human resources currently available and the ongoing plans and regulations of the EU or its member states? And, even if it were, would it be directly proportional to an increase in the prevention of radicalization and terrorist attacks?

124 S.M. Torelli (March 16, 2016) The EU’s olive oil diplomacy: Italian fears and prospects for Tunisia. ISPI. https://www.ispionline.it/it/pubblicazione/eus-olive-oil-diplomacy-italian-fears-and-prospects-tunisia-14834.
125 J. Barnes-Dacey, A. Dworkin (December 1, 2020) Promoting European strategic sovereignty in the southern neighbourhood. European Council on Foreign Relations. https://ecfr.eu/publication/promoting-european-strategic-sovereignty-in-the-southern-neighbourhood.
126 European Council. EU’s response to the terrorist threat. https://www.consilium.europa.eu/en/policies/fight-against-terrorism.

127 European Council (November 13, 2020) Joint statement by the EU home affairs ministers on the recent terrorist attacks in Europe. https://www.consilium.europa.eu/en/press/press-releases/2020/11/13/joint-statement-by-the-eu-home-affairs-ministers-on-the-recent-terrorist-attacks-in-europe/#.
128 I. von Behr, A. Reding, C. Edwards, L. Gribbon (2013) Radicalisation in the digital era. The use of the internet in 15 cases of terrorism and extremism. RAND. https://www.rand.org/content/dam/rand/pubs/research_reports/RR400/RR453/RAND_RR453.pdf.
129 W. Wiewiórowski (November 19, 2020) The Future of Encryption in the EU. ISOC 2020 Webinar. https://edps.europa.eu/sites/edp/files/publication/2020-19-11-the_future_of_encryption_eu_en.pdf.

To answer these questions, it is useful to analyze what has been done so far, in both the private and the public sector, to control content on open-source social media platforms.

5.1 Facebook and the multifaceted cost of content monitoring

End-to-end encryption is a security tool used by some apps and services (e.g. WhatsApp130, Signal131, and Telegram)132 to provide a greater level of privacy and to secure communication, by encrypting messages before they leave the sender’s device and allowing only the device to which they are sent to decrypt them. This process makes providers’ servers act as blind routers, passing messages on without being able to read them, and protects messages intercepted during transmission by a hacker or a government agency.133

So far, institutions have bypassed encryption barriers through the injection of state-sponsored malware on target devices, as in the case of, for example, the Italian Legislative Decree n. 216/2017, which introduced the use of trojan software during investigations.134

Furthermore, there are also old methods to fight increasingly sophisticated crime, such as the $900,000 the FBI spent to hack the San Bernardino shooter’s $350 iPhone 5.135 Another case is that of the London attacker, Khalid Masood, who used the Facebook-owned, fully encrypted chat service WhatsApp to declare he was waging jihad in revenge against Western military action in Muslim countries in the Middle East. The message was detected only because Masood’s mobile telephone was recovered after he was shot dead136. Discovering Masood’s last recorded thoughts was the key part of the investigation into what lay behind the assault. It was a result achieved through human and technical intelligence rather than end-to-end chat monitoring.137

130 https://www.whatsapp.com/security/?lang=en.
131 https://signal.org.
132 https://core.telegram.org/api/end-to-end.
133 A. Greenberg (October 10, 2020) Facebook Says Encrypting Messenger by Default Will Take Years. Wired. https://www.wired.com/story/facebook-messenger-end-to-end-encryption-default.
134 Gazzetta Ufficiale (January 11, 2018) DECRETO LEGISLATIVO 29 dicembre 2017, n. 216. https://www.gazzettaufficiale.it/eli/id/2018/01/11/18G00002/sg.
135 CNBC (May 5, 2017) Senator reveals that the FBI paid $900,000 to hack into San Bernardino killer’s iPhone. https://www.cnbc.com/2017/05/05/dianne-feinstein-reveals-fbi-paid-900000-to-hack-into-killers-iphone.html.
136 (April 5, 2018) CEP To Facebook: Zuckerberg Must Explain Failure To Remove Extremist Content. Counter Extremism Project. https://www.counterextremism.com/press/cep-facebook-zuckerberg-must-explain-failure-remove-extremist-content.
137 K. Sengupta (April 27, 2017) Last message left by Westminster attacker Khalid Masood uncovered by security agencies. The Independent. https://www.independent.co.uk/news/uk/crime/last-message-left-westminster-attacker-khalid-masood-uncovered-security-agencies-a7706561.html.

Cases like this generated increasing pressure from institutions on the private sector to regulate content spread on social media.

Indeed, from the chat providers’ point of view, end-to-end encryption represents not only a move towards users’ right to privacy but also a discharge of responsibility, since they are no longer bound to create backdoor access to users’ messages.138

In this regard, Facebook, in contrast to its business built around the monetization of user data, plans to make all messages on the app fully end-to-end encrypted by default.139 Indeed, this change, which imposes a complex and long-lasting re-architecture of the entire product involving an expensive rebuilding of every feature of Facebook Messenger,140 is likely to make the company physically unable to moderate a large part of the encrypted content in users’ chats.141

Despite the costs of changing the messaging infrastructure and being deprived of over 2.7 billion monthly active users’142 private conversations, Facebook’s priority seems to be that, with end-to-end encryption, the company will no longer have backdoor access to users’ messages. Thus, it won’t be forced to comply with requests from law enforcement agencies to access data.

According to researchers and journalists, this move seems to be more related to the growing pressure applied on Facebook by Australia, the US, the EU, and the UK to moderate user content, under the threat of sanctions, than to the fulfillment of the legitimate requests made by privacy advocates.143

138 R. Musotto, D.S. Wall (December 16, 2020) Facebook’s push for end-to-end encryption is good news for user privacy, as well as terrorists and paedophiles. The Conversation. https://theconversation.com/facebooks-push-for-end-to-end-encryption-is-good-news-for-user-privacy-as-well-as-terrorists-and-paedophiles-128782.
139 M. Zuckerberg (March 6, 2019) A Privacy-Focused Vision for Social Networking. https://www.facebook.com/notes/mark-zuckerberg/a-privacy-focused-vision-for-social-networking/10156700570096634.
140 I. Metha (October 31, 2019) Facebook is testing end-to-end encryption for secret Messenger calls. TNW. https://thenextweb.com/facebook/2019/10/31/facebook-is-testing-end-to-end-encryption-for-secret-messenger-calls.
141 Z. Doffman (October 6, 2019) Here Is What Facebook Won’t Tell You About Message Encryption. Forbes. https://www.forbes.com/sites/zakdoffman/2019/10/06/is-facebooks-new-encryption-fight-hiding-a-ruthless-secret-agenda/#6ec67b3b5699.
142 J. Clement (November 24, 2020) Facebook: number of monthly active users worldwide 2008-2020. Statista. https://www.statista.com/statistics/264810/number-of-monthly-active-facebook-users-worldwide.
143 H. Abelson, R. Anderson, S.M. Bellovin, J. Benaloh, M. Blaze, W. Diffie, J. Gilmore, M. Green, S. Landau, P.G. Neumann, R.L. Rivest, J.I. Schiller, B. Schneier, M. Specter, D.J. Weitzner (July 7, 2015) Keys Under Doormats: mandating insecurity by requiring government access to all data and communications. https://www.schneier.com/wp-content/uploads/2016/09/paper-keys-under-doormats-CSAIL.pdf.

Indeed, content moderation is becoming an ever-growing issue for the company. In 2017, Facebook had more than 7000 content moderators144. They earned roughly $15 per hour,145 a fraction of what full-time workers earn (the median annual salary for Facebook employees was $240,000 in 2017), and, after only a two-week training course,146 they started deciding whether to remove or escalate terrorist content, flagged either by users or algorithms, by looking at the captions as well as the images themselves.147

In May 2020, Facebook agreed to pay $52mn to current and former moderators to compensate them for PTSD148 developed on the job.149 Besides the relatively irrelevant cost for the company, this episode highlighted its lack of awareness on such a delicate issue as content monitoring.

With global IP traffic predicted to grow at a compound annual growth rate150 of 20% from 2018 to 2023151, the number of Facebook content moderators nowadays has already doubled (roughly 15,000, at 20 sites globally, who speak over 50 languages combined) and they’re mostly outsourced from companies like Accenture, Cognizant,152 Arvato, and Genpact153.

144 M. Zuckerberg (May 3, 2017) https://www.facebook.com/zuck/posts/10103695315624661.
145 O. Solon (May 25, 2017) Underpaid and overburdened: the life of a Facebook moderator. The Guardian. https://www.theguardian.com/news/2017/may/25/facebook-moderator-underpaid-overburdened-extreme-content.
146 (May 24, 2017) How Facebook guides moderators on terrorist content. The Guardian. https://www.theguardian.com/news/gallery/2017/may/24/how-facebook-guides-moderators-on-terrorist-content.
147 P.M. Barret (June 2020) Who Moderates the Social Media Giants? A Call to End Outsourcing. NYU Stern. https://bhr.stern.nyu.edu/tech-content-moderation-june-2020.
148 S.E. Garcia (September 25, 2018) Ex-Content Moderator Sues Facebook, Saying Violent Images Caused Her PTSD. The New York Times. https://www.nytimes.com/2018/09/25/technology/facebook-moderator-job-ptsd-lawsuit.html.
149 C. Newton (May 12, 2020) Facebook will pay $52 million in settlement with moderators who developed PTSD on the job. The Verge. https://www.theverge.com/2020/5/12/21255870/facebook-content-moderator-settlement-scola-ptsd-mental-health.
150 Compound annual growth rate (CAGR) is the net gain or loss of an investment over a specified time period that would be required for an investment to grow from its beginning balance to its ending balance, assuming the profits were reinvested at the end of each year of the investment’s lifespan. https://www.investopedia.com/terms/c/cagr.asp.
151 Cisco Annual Internet Report (March 9, 2020) https://www.cisco.com/c/en/us/solutions/collateral/executive-perspectives/annual-internet-report/white-paper-c11-741490.html.
Moreover, as the number of moderators rose in only two years, the working conditions deteriorated and training for moderators was cut back.154 These events inevitably led to a 10% error rate in flagging posts, as Facebook has itself admitted.155 Given that reviewers have to wade through three million posts per day, that equates to 300,000 mistakes daily.156

Nevertheless, in the second quarter of 2020 alone Facebook removed about 8.7 million pieces of terrorist content (according to the company’s definition: non-state actors that engage in or advocate for violence to achieve political, religious or ideological aims).157 But researchers, nowadays as in the past,158 argue it is still impossible to gauge just how many posts escape the dragnets on a platform so large.159

In this respect, automated systems using AI and machine learning, notably invoked by Facebook’s CEO as the future solution to Facebook’s current political problems, are certainly helping with moderation. AI classifies user-generated content based on either matching or prediction, leading to a decision outcome (e.g. removal, blocking, account takedown)160 theoretically making suspect content quicker for human moderators to process at a later stage.161

Using a technique called Whole Post Integrity Embeddings (WPIE), Facebook’s systems ingest deluges of information, including images, videos, text titles and bodies (that can translate between 100 languages)162, comments, text in images from optical character recognition, transcribed text from audio recordings, user profiles, interactions between users, external context from the web, and knowledge base information. Then, fusion models combine the representations to create millions of embeddings, which are used to train learning models that flag content for each category of violations.163 In early January 2020, the company also released software that turns speech into text in real time, opening up the possibility of better captioning of live video164.

Nonetheless, not all content can be classified, even by humans. Some posts have many shades of meaning or are very context-dependent, making it crucial to find the right balance between technology and human expertise.

In 2018, when Facebook stated that 99% of terrorist content on the platform was deleted, the Counter Extremism Project found that some of the most prolific Islamist extremists remained active on Facebook165. Nowadays, for instance, the Islamist preacher who reportedly played a role in radicalizing Bataclan suicide bomber,166 Omar Mostefai, through sermons at a Paris mosque, continues, at the time of reporting, to have an active presence online, including on his official Facebook page. The same applies to Yusuf al-Qaradawi, banned from entering the United States, the United Kingdom, and France due to his declaration of support for suicide bombings and incitement of Islamist violence, who still keeps, at the time of writing, his official Facebook page, as well as a few Facebook fan accounts.

152 E. Dwoskin, N. Tiku (March 24, 2020) Facebook sent home thousands of human moderators due to the coronavirus. Now the algorithms are in charge. The Washington Post. https://www.washingtonpost.com/technology/2020/03/23/facebook-moderators-coronavirus.
153 Q. Wong (June 19, 2019) Facebook content moderation is an ugly business. Here’s who does it. CNet. https://www.cnet.com/news/facebook-content-moderation-is-an-ugly-business-heres-who-does-it.
154 D. Gilbert (January 9, 2020) Facebook Is Forcing Its Moderators to Log Every Second of Their Days. Vice News. https://www.vice.com/en/article/z3beea/facebook-moderators-lawsuit-ptsd-trauma-tracking-bathroom-breaks.
155 Cambridge Consultants (2019) USE OF AI IN ONLINE CONTENT MODERATION. Ofcom. https://www.ofcom.org.uk/__data/assets/pdf_file/0028/157249/cambridge-consultants-ai-content-moderation.pdf.
156 C. Jee (June 8, 2020) Facebook needs 30,000 of its own content moderators, says a new report. MIT Technology Review. https://www.technologyreview.com/2020/06/08/1002894/facebook-needs-30000-of-its-own-content-moderators-says-a-new-report.
157 R. Levy (August 11, 2020) Facebook Removed Nearly 40% More Terrorist Content in Second Quarter. The Wall Street Journal. https://www.wsj.com/articles/facebook-removed-nearly-40-more-terrorist-content-in-second-quarter-11597162013.
158 CEP Staff (October 12, 2020) Updated: Tracking Facebook’s Policy Changes. Counter Extremism Project. https://www.counterextremism.com/blog/updated-tracking-facebook%E2%80%99s-policy-changes.
159 D. Uberti (July 9, 2020) Why Some Hate Speech Continues to Elude Facebook’s AI Machinery. The Wall Street Journal. https://www.wsj.com/articles/facebooks-artificial-intelligence-doesnt-eliminate-objectionable-content-report-finds-11594287000.
160 R. Gorwa, R. Binns, C. Katzenbach (February 28, 2020) Algorithmic content moderation: Technical and political challenges in the automation of platform governance. Sage Journals. https://journals.sagepub.com/doi/full/10.1177/2053951719897945.
161 J. Vincent (February 27, 2019) AI won’t relieve the misery of Facebook’s human moderators. The Verge. https://www.theverge.com/2019/2/27/18242724/facebook-moderation-ai-artificial-intelligence-platforms.
162 J. Khan (November 19, 2020) Facebook’s A.I. is getting better at finding malicious content—but it won’t solve the company’s problems. Fortune. https://fortune.com/2020/11/19/facebook-ai-content-problems-artificial-intelligence.
163 K. Wiggers (November 13, 2020) Facebook’s redoubled AI efforts won’t stop the spread of harmful content. VentureBeat. https://venturebeat.com/2020/11/13/facebooks-redoubled-ai-efforts-wont-stop-the-spread-of-harmful-content.
164 Facebook AI (January 13, 2020) Online speech recognition with wav2letter@anywhere. https://ai.facebook.com/blog/online-speech-recognition-with-wav2letteranywhere.
165 (April 5, 2018) CEP To Facebook: Zuckerberg Must Explain Failure To Remove Extremist Content. Counter Extremism Project. https://www.counterextremism.com/press/cep-facebook-zuckerberg-must-explain-failure-remove-extremist-content.
166 A. Robertson (June 27, 2017) Terror suspect arrested in Birmingham and facing extradition to Spain is imam father-of-eight who preached to Bataclan bomber before Paris attacks. The Daily Mail. https://www.dailymail.co.uk/news/article-4646058/Police-arrest-ISIS-supporter-Birmingham.html.

5.2 Preventing social media exploitation: public sector plans

The Impact Assessment167 of the “Proposal for a Regulation of the European Parliament and of the Council on preventing the dissemination of terrorist content online”168 states that terrorist content online is a multifaceted security challenge due to a complex legal framework at the member state level.

This situation is complicated by the fact that Article 3 of the EU’s 2000 e-commerce directive, created before the advent of peer-to-peer internet technology and social media169, establishes the principle of the country of origin, which ensures that providers of online services are subject to the law of the member state in which they are established and not the law of the member states where the service is accessible.170 However, the Directive on electronic commerce does not preclude a court of a Member State from ordering a hosting provider, such as Facebook, to remove identical and, in certain circumstances, equivalent comments previously declared to be illegal.171

In any case, state monitoring and flagging of illegal content online are fraught with difficulties.

For instance, France’s most important element in the fight against online radicalization and terrorist propaganda is the PHAROS system (platform for harmonization, reports, analysis, and checking of digital content)172. The platform, which now has 28 investigators (police and gendarmes), was established in 2009, for an initial investment of €100,000,173 recently proposed to be increased to €500,000,174 within the central office for the fight against crime linked to information and communication technologies (OCLCTIC), placed within the sub-directorate of the fight against cybercrime of the central directorate of the judicial police. Investigators at PHAROS monitor various information and communication services in France and produced more than 228,000 reports in 2019.175 Moreover, as part of a European Union-wide testing campaign, this unit notified Twitter, Facebook, and YouTube of 796 pieces of content, of which 512 were withdrawn.

Unfortunately, the murder of Samuel Paty on 16 October exposed many of the drawbacks of French and social media platform counter-terrorism efforts online. A student’s parent expressed via Facebook and WhatsApp his disapproval of Paty’s teaching methods and produced a video against him. The content was quickly disseminated online, but not flagged immediately,176 even though Paty had filed a complaint with the police after he was made aware of threats coming from social media177 and an NGO reported the attacker’s Twitter account to authorities in July 2020.178

167 European Commission (September 12, 2018) COMMISSION STAFF WORKING DOCUMENT IMPACT ASSESSMENT Accompanying the document Proposal for a Regulation of the European Parliament and of the Council on preventing the dissemination of terrorist content online. https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=SWD:2018:0408:FIN:EN:PDF.
168 F. Théron (March 2020) Terrorist content online Tackling online terrorist propaganda. European Parliamentary Research Service (EPRS). https://www.europarl.europa.eu/RegData/etudes/BRIE/2020/649326/EPRS_BRI(2020)649326_EN.pdf.
169 Organization for Security and Co-operation in Europe Office of the Representative on Freedom of the Media (October 15, 2020) LEGAL REVIEW OF THE AUSTRIAN FEDERAL ACT ON MEASURES TO PROTECT USERS ON COMMUNICATIONS PLATFORMS [KOMMUNIKATIONSPLATTFORMEN-GESETZ – KOPI-G]. OSCE. https://www.osce.org/files/f/documents/7/8/467292_1.pdf.
170 European Commission. E-Commerce Directive. https://ec.europa.eu/digital-single-market/en/e-commerce-directive.
171 Court of Justice of the European Union (October 3, 2019) PRESS RELEASE No 128/19. https://curia.europa.eu/jcms/upload/docs/application/pdf/2019-10/cp190128en.pdf.

172 (04/02/2020) Lutte contre terrorisme - Moyens de l’OCLCTIC. Assemblée nationale. https://questions.assemblee-nationale.fr/q15/15-26385QE.htm.
173 J.V. Placé (October 22, 2013) Police, gendarmerie: what investment strategy?. Sénat. https://www.senat.fr/rap/r13-091/r13-091_mono.html.
174 Session of December 3, 2020. Sénat. https://www.senat.fr/basile/visio.do?id=d48936220201203_20&idtable=d48936220201203_20|d48936220201119_6&_c=pharos&rch=ds&de=20191229&au=20201229&dp=1+an&radio=dp&aff=65702&tri=p&off=0&afd=ppr&afd=ppl&afd=pjl&afd=cvn.
175 B. Saragerova (November 29, 2020) France: Towards stronger counter-terrorism regulation online. Global Risk Insights. https://globalriskinsights.com/2020/11/france-towards-stronger-counter-terrorism-regulation-online.
176 E. Braun, L. Kayali (October 19, 2020) French terror attack highlights social media policing gaps. Politico. https://www.politico.eu/article/french-terror-attack-sheds-new-light-on-social-media-policing-gaps/?utm_source=Tech+Against+Terrorism&utm_campaign=32d761c344-EMAIL_CAMPAIGN_2019_03_24_07_51_COPY_01&utm_medium=email&utm_term=0_cb464fdb7d-32d761c344-162374915.
177 LCI (October 18, 2020) Pourquoi Samuel Paty n’a-t-il pas fait l’objet d’une protection policière? https://www.lci.fr/police/professeur-decapite-pourquoi-samuel-paty-n-a-t-il-pas-fait-l-objet-d-une-protection-policiere-2167627.html.
178 A. Zemouri (October 17, 2020) Le père qui avait diffusé la vidéo hostile au professeur d’histoire en garde à vue. Le Point. https://www.lepoint.fr/societe/le-pere-qui-avait-diffuse-la-video-hostile-au-professeur-d-histoire-en-garde-a-vue-17-10-2020-2396817_23.php#.

In Austria, in the wake of the January 2015179 Charlie Hebdo attacks in Paris, the government announced the allocation of a €290mn plan to fight jihadist terror. €126m went into hiring new personnel with special skills, including specialists in cybersecurity, crime-fighting, and forensics; €34m targeted special IT technology upgrades, such as the Schengen Information System database and evidence collection software; €12m was allocated to either online or offline deradicalization efforts, including awareness education.180

In December 2020, the National Council passed a comprehensive legislative package, including the Communications Platforms Act and the Hate-on-the-Net Fight Act, which already passed in autumn 2020, to curb hate speech, threats, and other illegal content on large social media platforms such as Facebook. The majority of the legislative package takes effect on January 1, 2021, with social platform operators having until the end of March 2021 to implement the new protection measures.181

In particular, the Austrian law is based on Germany’s Network Enforcement Act (NetzDG), under which users who notice potentially illegal content report it, and platforms must then decide whether it is illegal, in which case they must delete the content within 24 hours of reporting. According to NetzDG, online platforms face fines of up to €50 million for systemic failure to delete illegal content182.

Besides these measures and the investments made over the past 5 years, due to the sheer volume of content, there are no plans for preventive government control; thus courts will only be able to check afterward whether the platform has acted illegally.183

5.3 A multidisciplinary, long term, and cooperative strategy

So far, as in almost every aspect of counter-terrorism, a multidisciplinary approach is the only way to understand the online extremist environment, effectively counter the spread of jihadist propaganda, and detect dangerous subjects through social media.

179 Parlamentskorrespondenz Nr. 152 (February 02, 2015) Nationalrat beschließt neues Islamgesetz. Österreichisches Parlament. https://www.parlament.gv.at/PAKT/PR/JAHR_2015/PK0152/index.shtml.
180 (January 21, 2020) Austria’s €290m plan to fight terror. The Local. https://www.thelocal.at/20150121/austrias-290m-plan-to-fight-terror.
181 Counter Extremism Project. Austria: Extremism & Counter-Extremism. https://www.counterextremism.com/countries/Austria.
182 CEPS Project. The Impact of the German NetzdG law. https://www.ceps.eu/ceps-projects/the-impact-of-the-german-netzdg-law.
183 P. Grüll (July 4, 2020) Austria’s online hate speech law prompts question marks about ‘overblocking’. EURACTIV. https://www.euractiv.com/section/data-protection/news/austrias-law-against-online-hate-speech-question-marks-in-the-home-stretch.

Cooperation through the acceptance of responsibilities between the public and private sector is the best method to counter the spread of terrorism online and create a resilient environment.

To date, not all projects are frustrated by the lack of factual data.

At the EU level, together with Europol, providers of online services developed a database of hashes, allowing content identified as harmful to be tagged electronically, preventing it from reappearing. The database contains over 300,000 unique hashes of known terrorist videos and images.184

This led to Check-the-Web (CtW), accessible only to law enforcement: an electronic reference library of jihadist terrorist online propaganda. It contains structured information on original statements, publications, videos, and audios produced by jihadi terrorist groups and their supporters. It is an operational tool not only to identify new content, groups, or media outlets but also new trends and patterns in terrorist propaganda, as well as operational leads for attributing crimes to perpetrators.185

With an annual budget186 of about €150mn, an increase of over €62mn since 2010,187 of which roughly €1mn is spent on research and development projects and €700,000 on the maintenance costs for Europol’s decryption platform188, Europol is succeeding in countering extremism online through repressive operations, analysis of the jihadist online environment, and cooperation with the private sector. One example is the 16th Referral Action Day, an operation joined by 9 online service providers such as Telegram, Google, Files.fm, Twitter, and Instagram, which pushed away from Telegram a significant portion of key actors within the Daesh network and, most importantly, established further cooperation with global private firms operating in the social media environment.189
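The hash database described above can be pictured with a short sketch. This is an added example, not Europol's or any provider's code: the article does not say which hash functions the database uses, so the SHA-256 exact match, the 64-bit difference hash, the threshold of 10 bits and the 8x9 pixel grids (constructed sample data) are all assumptions.

```python
import hashlib

# Assumed tolerance: fingerprints differing in at most this many of 64 bits
# are treated as the same picture. The article gives no such figure.
HAMMING_THRESHOLD = 10


def to_bytes(pixels):
    """Serialise a grid of 0-255 grayscale values (stand-in for file bytes)."""
    return bytes(value for row in pixels for value in row)


def exact_hash(pixels):
    """Cryptographic hash: changes completely if a single byte changes."""
    return hashlib.sha256(to_bytes(pixels)).hexdigest()


def difference_hash(pixels):
    """64-bit perceptual fingerprint of an 8-row by 9-column grayscale grid.

    Each bit records whether a pixel is brighter than its right-hand
    neighbour, so a uniform brightness shift leaves the fingerprint unchanged.
    """
    if len(pixels) != 8 or any(len(row) != 9 for row in pixels):
        raise ValueError("expected an 8x9 grayscale grid")
    bits = 0
    for row in pixels:
        for left, right in zip(row, row[1:]):
            bits = (bits << 1) | (1 if left > right else 0)
    return bits


def hamming(a, b):
    """Number of bit positions in which two fingerprints differ."""
    return bin(a ^ b).count("1")


class HashDatabase:
    """Known-content store holding both kinds of hash for each item."""

    def __init__(self, threshold=HAMMING_THRESHOLD):
        self.threshold = threshold
        self.exact = set()
        self.perceptual = []

    def add(self, pixels):
        self.exact.add(exact_hash(pixels))
        self.perceptual.append(difference_hash(pixels))

    def check(self, pixels):
        """Return (verdict, distance); verdict is 'exact', 'near' or 'none'."""
        if exact_hash(pixels) in self.exact:
            return ("exact", 0)
        if not self.perceptual:
            return ("none", None)
        fingerprint = difference_hash(pixels)
        distance = min(hamming(fingerprint, known) for known in self.perceptual)
        verdict = "near" if distance <= self.threshold else "none"
        return (verdict, distance)


# Constructed sample data: an item already in the database ...
KNOWN = [[200 - 20 * c + r for c in range(9)] for r in range(8)]
# ... the same picture after re-encoding (brighter, one pixel altered) ...
REENCODED = [[value + 5 for value in row] for row in KNOWN]
REENCODED[3][4] = 255
# ... and an unrelated picture.
UNRELATED = [[20 + 25 * c for c in range(9)] for _ in range(8)]


def demo():
    database = HashDatabase()
    database.add(KNOWN)
    return {
        "known": database.check(KNOWN),
        "reencoded": database.check(REENCODED),
        "unrelated": database.check(UNRELATED),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The threshold is the moderation trade-off in miniature: set too low, altered copies of known material pass as new; set too high, unrelated content is flagged and lands on the human reviewers discussed in section 5.1.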

184 European Commission. A Counter-Terrorism Agenda for the EU and a stronger mandate for Europol: Questions and Answers. https://ec.europa.eu/commission/presscorner/detail/en/qanda_20_2325.
185 Europol (October 13, 2020) EU IRU TRANSPARENCY REPORT 2019. https://www.europol.europa.eu/publications-documents/eu-iru-transparency-report-2019.
186 EU Budget 2020 – Europol Position Paper. https://www.europarl.europa.eu/cmsdata/186846/7-Europol-Paper-EU-Budget-2020-original.pdf.
187 D. Clark (October 12, 2020) Annual budget of Europol in the European Union from 2010 to 2020. Statista. https://www.statista.com/statistics/1178070/europol-budget.
188 STATEMENT OF REVENUE AND EXPENDITURE OF THE EUROPEAN UNION AGENCY FOR LAW ENFORCEMENT COOPERATION FOR THE FINANCIAL YEAR 2020 – AMENDING BUDGET NO 2. https://www.europol.europa.eu/about-europol/finance-budget.
189 (November 22, 2019) REFERRAL ACTION DAY AGAINST ISLAMIC STATE ONLINE TERRORIST PROPAGANDA. Europol. https://www.europol.europa.eu/newsroom/news/referral-action-day-against-islamic-state-online-terrorist-propaganda.

Europol, taken as an example, stresses the fact that, in terms of terrorist attack prevention, adding more data to the databases does not in every case help to find potential attackers. There is a lot of work that can still be done, at a public and private level, in understanding the online environment and all of its communication aspects, improving technology, investing in public awareness to report terrorist content to authorities or online service providers, and investing in the recruitment and training of content moderators.

In this framework, no single actor alone can be held accountable. Each one could and can do something more by renouncing a little bit of ego to counter a widespread and still not effectively assessed threat.

6. Impacts on modern finance

The exploitation of cryptocurrency for terrorism purposes is an evolving threat. Since 2012, jihadist groups have improved in this sector by shifting from a bottom-up experimental approach (from activists to small groups) to what has become, over the years, a legitimized financing modus operandi promoted and used directly by international jihadist groups190.

These funding methods are increasingly expanding in the EU too. Since 2012, the sending of cash through the hawala or money transfer services from the EU to collectors located in Middle Eastern conflict zones has been the main vector for transferring funds to jihadists. The constant monitoring of these networks has led terrorist organizations to seek more opacity, calling for cryptocurrencies through public online crowdfunding campaigns or hidden networks.191

The exploitation of digital assets by jihadist groups spreads as fast as cryptocurrencies are becoming more popular among users and investors for legitimate use,192 urging states to a twofold and quick adaptation. On the one hand, they must promote and profit from fin-tech evolution by encouraging digital asset use and investments throughout a regulated ecosystem; on the other hand, they must apply stricter and potentially disincentivizing measures.

190 US Department of Justice - Office of Public Affairs (August 13, 2020) Global Disruption of Three Terror Finance Cyber-Enabled Campaigns - Largest Ever Seizure of Terrorist Organizations’ Cryptocurrency Accounts. The United States Department of Justice. https://www.justice.gov/opa/pr/global-disruption-three-terror-finance-cyber-enabled-campaigns.
191 D.M. Barone (November 2019) The decentralized finance-violent extremism nexus: ideologies, technical skills, strong and weak points. Sicurezza, Terrorismo e Società. http://www.sicurezzaterrorismosocieta.it/wp-content/uploads/2019/11/The-decentralized-finance-violent-extremism-nexus_ideologies-technical-skills-strong-and-weak-points-Daniele-Barone.pdf.
192 D.M. Barone (September 2, 2020) US multiagency operation dismantled part of al-Qaeda’s cryptocurrency network. What we learned so far and what to expect. ITSTIME. https://www.itstime.it/w/us-multiagency-operation-dismantled-part-of-al-qaedas-cryptocurrency-network-what-we-learned-so-far-and-what-to-expect-by-daniele-m-barone.

6.1 Crypto-market: from the world to the EU - from the EU to member states

To date, bitcoin’s market cap stands at more than $575bn and, if its volatile market value drops substantially, according to JPMorgan it could climb by 4.6 times, matching the $2.7tn of private sector gold investment. In particular, the forecast expects that bitcoin could rally as high as $146,000.[193]

Indeed, along with bitcoin, the cryptocurrency market is growing faster and faster globally, with altcoins such as Ethereum, which has raised its market value to €107tn, Monero, €2tn, and Zcash, €563bn.[194]

With these premises, cryptocurrency is expected to be an ever-growing global phenomenon that national rules may struggle to contain, especially through stricter measures aimed at disincentivizing investments in this field to benefit the conventional banking system.

For instance, in the past, Chinese regulators banned initial coin offerings (ICO),[195] shut down local cryptocurrency trading exchanges, and limited bitcoin mining, but activity has continued through alternative channels in China despite the crackdown.[196]

In some countries, cryptocurrency has been evolving as an alternative method of payment or store of value precisely because of the community’s distrust in the banking system. According to ING statistics, in 2018 nearly one in five people (18%) in Turkey said they owned cryptocurrency, while 53% (and volumes roughly quadrupled over the past years)[197] of the interviewed people claimed that cryptocurrency is the future of spending online and the future of investment.[198] In the Middle East, Turkey is followed by Iran and Egypt. Then, in 2020 an incredibly high rate of cryptocurrency ownership was registered in Nigeria[199] and, since 2018, the same has happened in many other politically unstable states in Africa.[200]

Focusing on the EU, no EU member state is included in the top ten countries of the Global Crypto Adoption Index.[201] France is the first mentioned, ranked 21st,[202] leading the way with Germany, with a quantifiable value on blockchain higher than $7.5bn.

Regarding the appeal of digital assets at an onboarding or investor level, research has found that, in the EU, cryptocurrency is still perceived as a borderline method of payment, with 25% of European investors thinking that certain digital assets are too free from government intervention to be considered appealing. This perception has anecdotal evidence because, despite the upward-trending number of institutions adopting digital assets, some reticence remains related to price volatility (53%), concerns around market manipulation (47%), and lack of fundamentals to gauge appropriate value (45%).[203]

Moreover, the lack of cohesion across jurisdictions makes it hard for cryptocurrency companies to be comfortable with doing business in the EU market, with some countries embracing transformative technologies with top-down initiatives,[204] while others limit themselves to simple investor protection warnings. This happened in Germany, after it passed stricter requirements for crypto businesses, which forced some companies to stop doing business in the country, and with the Estonian plans to create a national cryptocurrency, “estcoins”,[205] and normalize ICOs, which were swiftly shut down by the European Central Bank and local banking authorities.[206]

So far, the EU anti-money-laundering (AML) regulatory regime targeting cryptocurrencies was enacted via Directive (EU) 2018/843,[207] on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing. The Directive was enacted on the basis of the overall EU project to harmonize measures regarding the establishment of the internal market and was mostly applied to the intermediaries involved in cryptocurrency transactions. In particular, it stated that “to combat the risks related to the anonymity, national Financial Intelligence Units (FIUs) should be able to obtain information allowing them to associate virtual currency addresses to the identity of the owner of virtual currency.”

However, the margin of discretion allowed to member states’ national legislative implementation has caused an asymmetrical harmonization.

Nowadays, the EU Blockchain Observatory & Forum,[208] an initiative sponsored by the European Commission which reports on the state of blockchain in the EU, has introduced a framework for ranking countries on a three-stage regulatory maturity curve.[209] It outlined an uneven picture. In this field, the EU is divided among countries where blockchain and digital assets regulation is generally absent (e.g. Belgium, Bulgaria, and Hungary), countries that have adopted wider regulatory schemes that relate to know-your-customer (KYC)/AML and investor protection (e.g. Italy, Austria, and Spain), and countries that have adopted specific legislation that pertains to digital assets, developing a national strategy to exploit them (e.g. France, Germany, and Malta).[210]

[193] R. Browne (January 5, 2020) JPMorgan says bitcoin could rise to $146,000 long term as it competes with gold. CNBC. https://www.cnbc.com/2021/01/05/jpmorgan-bitcoin-price-could-rise-to-146k-as-it-competes-with-gold.html.
[194] Today’s Cryptocurrency Prices by Market Cap. CoinMarketCap. https://coinmarketcap.com/it. Viewed on January 8, 2020.
[195] ICO is technically an acronym that stands for “Initial Coin Offering”, an expression used in analogy with the stock market lexicon, where “Initial Public Offering” (IPO) means a public offering of shares in a company that intends to be listed on a regulated market for the first time. However, unlike IPOs, ICOs are not regulated and those who invest in an ICO do not get shares in exchange, but tokens (i.e. a unit of the new cryptocurrency that is launched).
[196] (January 15, 2018) Any rule on Bitcoin must be global, Germany’s central bank says. Reuters. https://www.reuters.com/article/us-bitcoin-regulations-germany-idUSKBN1F420E.
[197] L. Cuen (August 2020) Istanbul or ‘Coinstantinople’? Inside Turkey’s Bitcoin Bull Market. Coindesk. https://www.coindesk.com/inside-turkey-bitcoin-bull-market.
[198] IPSOS for ING - International Survey (June 2018) Cracking the code on cryptocurrency. https://think.ing.com/uploads/reports/ING_International_Survey_Mobile_Banking_2018.pdf.
[199] K. Buchholz (August 2020) How Common is Crypto?. Statista. https://www.statista.com/chart/18345/crypto-currency-adoption.
[200] P. Rao (April 2018) Africa could be the next frontier for cryptocurrency. Africa Renewal. https://www.un.org/africarenewal/magazine/april-2018-july-2018/africa-could-be-next-frontier-cryptocurrency.
[201] Created by Chainalysis to quantify the differences in adoption between countries across the globe, by measuring cryptocurrency activity while accounting for each country’s population (as the country’s total number of internet users) and economy size (i.e. purchasing power parity per capita). The 2020 Geography of Cryptocurrency Report Analysis of Geographic Trends in Cryptocurrency Adoption, Usage, and Regulation (September 2020). Chainalysis.
[202] https://markets.chainalysis.com/#geography-index.
[203] (September 6, 2020) Growing Number of Institutional Investors Believe That Digital Assets Should Be a Part of Their Investment Portfolios, According to New Research from Fidelity Digital Assets. Fidelity Investments. https://newsroom.fidelity.com/press-releases/news-details/2020/Growing-Number-of-Institutional-Investors-Believe-That-Digital-Assets-Should-Be-a-Part-of-Their-Investment-Portfolios-According-to-New-Research-from-Fidelity-Digital-Assets/default.aspx.
[204] Digitals Wien. A digital pilot and research project for playful rewards for climate-friendly behaviour. https://digitales.wien.gv.at/site/en/projekt/culture-token/?ref=hackernoon.com.
[205] C. O’Brien (December 9, 2017) Estonia planning its own cryptocurrency, called ‘estcoin’, in bid to become global ICO hub. Venture Beat. https://venturebeat.com/2017/12/19/estonia-wants-its-own-cryptocurrency-called-estcoin-in-bid-to-become-global-ico-hub/?ref=hackernoon.com.
[206] O. Ummelas (June 1, 2018) Estonia Scales Down Plan to Create National Cryptocurrency. Bloomberg. https://www.bloomberg.com/news/articles/2018-06-01/estonia-curbs-cryptocurrency-plan-that-drew-rebuke-from-draghi.
[207] Official Journal of the European Union (May 30, 2018) https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32018L0843.
[208] EU Blockchain Observatory & Forum. https://www.eublockchainforum.eu.
[209] (November 20, 2020) EU Blockchain Ecosystem Developments. EU Blockchain Observatory & Forum. https://www.eublockchainforum.eu/sites/default/files/reports/EU%20Blockchain%20Ecosystem%20Report_final_0.pdf.
[210] L. Dionysopulos (November 26, 2020) At the brink of a tectonic shift, EU countries that do crypto-regulation right. Medium. https://lambisdion.medium.com/at-the-brink-of-a-tectonic-shift-eu-countries-that-do-crypto-regulation-right-3e8d4cd6d8da.

In this context, the European Commission has recently put forward plans to regulate crypto-assets,[211] in a bid to reduce market fragmentation in this field by lowering risks for investors, while also giving legal certainty to those issuing these assets, to benefit consumers and businesses.[212]

In particular, it will provide rules on digital asset custody and capital requirements, while also stipulating what the relationship between the token issuer and the token holder will be, including laying out a procedure for investors to file complaints against projects.[213]

6.2 Upsetting national plans in the aftermath of terrorist attacks

In September 2020, more than 360 men from France’s Direction centrale de la police judiciaire (DCPJ) and Direction générale de la sécurité intérieure (DGSI), coordinated by the Parquet national antiterroriste (PNAT), dismantled a vast network of terrorist financing by cryptocurrencies benefitting French jihadists still settled in Syria.[214]

Active since 2019, the terrorist financing network was based on the purchase in France of cryptocurrency coupons with a value between €10 and €150. The coupon references were then transmitted by secure messaging to jihadists in Syria, and the coupons were finally credited to accounts opened from abroad by jihadists who were in charge of converting them into cryptocurrencies on exchange platforms. According to prosecutors, two French jihadists, both 25, were the architects of the network, working from northeastern Syria[215] as members of Hayat Tahrir Al-Sham since 2013.[216]

[211] European Commission (September 24, 2020) Digital Finance Package: Commission sets out new, ambitious approach to encourage responsible innovation to benefit consumers and businesses. https://ec.europa.eu/commission/presscorner/detail/en/IP_20_1684.
[212] S. Amaro (September 24, 2020) The EU announces its first ever plan to regulate cryptocurrencies. CNBC. https://www.cnbc.com/2020/09/24/eu-valdis-dombrovskis.html.
[213] P. Baker (September 24, 2020) EU Proposes Full Regulatory Framework for Cryptocurrencies. CoinDesk. https://www.coindesk.com/eu-proposes-full-regulatory-framework-for-cryptocurrencies.
[214] C. Cornevin (September 29, 2020) Vaste filière de financement du terrorisme démantelée: 29 interpellés en France. Le Figaro. https://www.lefigaro.fr/actualite-france/vaste-filiere-de-financement-du-terrorisme-demantelee-29-interpelles-en-france-20200929.
[215] (September 29, 2020) France arrests 29 in anti-terror Syria financing sting. France 24. https://www.france24.com/en/20200929-france-arrests-29-in-anti-terror-syria-financing-sting.
[216] (October 03, 2020) 8 charged in French cryptocurrency scheme to finance jihadis. ABC News. https://abcnews.go.com/International/wireStory/charged-french-cryptocurrency-scheme-finance-jihadis-73403002.

The coupons to buy cryptocurrency in France were available at licensed tobacco outlets.[217] There are about 24,000 in France offering various small payment services, with no identification legally required,[218] such as cash-card top-ups and money coupons, and (since a 2019 deal with a French fintech company) cryptocurrencies. This was a blind spot for authorities that allowed this illicit network to operate for more than a year.

This episode raised interest in terrorism financing by cryptocurrencies and brought France’s Minister of the Economy and Finance to declare that “cryptocurrencies pose a real problem of terrorist financing”. Nonetheless, in the aftermath of this event, the government provided no additional measure to regulate cryptocurrency businesses.[219]

Apparently the approach changed in December 2020 when, in the aftermath of the recent terrorist attacks in France, France’s Council of Ministers planned a series of measures to tighten the surveillance of cryptocurrency, requiring full KYC measures for all crypto transactions and mandatory registration for all crypto-to-crypto exchanges.[220]

In particular, the new regime provides that French Digital Asset Service Providers have to register with the French Financial Market Authority (Autorité des marchés financiers, AMF). Otherwise, they will no longer be able to offer their services to new customers.[221]

Thus, on the one hand, the AMF must verify that senior managers and shareholders are of good repute and competence by obtaining documents such as identification, a CV, and a statement that they are not the subject of a criminal conviction or a prohibition to engage in an activity. On the other hand, obtaining an AMF license for the provision of certain services is optional, providing a degree of flexibility that could potentially pose certain risks, leaving these services still unregulated and exposing investors to financial loss without the option of compensation.[222]

The other set of measures that will be implemented is related to strict KYC rules. All crypto transactions worth more than €0 will have to go through full KYC processes and require two government identification forms: a SEPA[223] transfer accompanied by an ID. The previous limit for KYC checks was €1,000, applying only to crypto-to-fiat (i.e. government-issued currency) transactions. So, these measures would help to ban anonymous accounts from crypto exchanges but would also bring repercussions to investors.[224]

[217] (January 8, 2019) French ‘Tabac’ shops diversify, selling bitcoin for cash. Reuters. https://www.reuters.com/article/us-france-bitcoin-tobacco-idUSKCN1P21ZN.
[218] Keplerk. Points of sales. https://www.bykep.com/en/store-locator.
[219] P.R. DeMichelis (December 21, 2020) Le secteur des cryptomonnaies en pleine effervescence cette année. Les Echos. https://investir.lesechos.fr/placements/vie-pratique/actualites/le-secteur-des-cryptomonnaies-en-pleine-effervescence-cette-annee-1940574.php.
[220] Y. Khatri (December 8, 2020) France is on the verge of imposing mandatory KYC rules for all crypto transactions, industry sources say. The Block. https://www.theblockcrypto.com/post/87001/france-crypto-rules-mandatory-kyc-crypto-to-crypto.
[221] (December 8, 2020) Bitcoin Daily: France Eyes Strict Rules For Crypto Transactions; Messari Report Says US Last Hurdle For Bitcoin. Pymnts. https://www.pymnts.com/blockchain/bitcoin/2020/bitcoin-daily-france-eyes-strict-rules-crypto-transactions-messari-report-says-united-states-last-hurdle.

6.3 Stricter rules could decrease investments (and the security level)

In France, as in other EU member states, stricter regulations on cryptocurrency businesses could leave players with three options: come up to the new standards, consider relocating their operations away from the EU, or stop serving EU customers.[225]

AML/KYC measures can quickly and, in some cases, incoherently reshape the FinTech sector, hampering future growth. The same applies in the US, with the recent Notice of Proposed Rulemaking (NPRM) submitted by the U.S. Department of the Treasury to the Federal Register, which would require cryptocurrency businesses to submit reports, keep records, and verify the identity of customers.

By responding to the NPRM, Chainalysis gave an overall picture of the importance of proportionality of AML/KYC measures concerning the cryptocurrency landscape and the monitoring methods available in this sector.[226]

According to the company, regulations on cryptocurrency shouldn’t mirror the measures applied to banks and other financial institutions.

For instance, since cryptocurrency transactions are automatically logged on public blockchains, law enforcement can already view transactions facilitated by cryptocurrency businesses, making currency transaction reports redundant and useless in this field.

Moreover, the response to the NPRM stresses the fact that 62% of the illicit cryptocurrency traced by Chainalysis is cashed out at exchanges with functional compliance programs, including AML/KYC measures. Thus, it is crucial to focus on vulnerabilities stemming from other platforms used to move illicit funds, first of all mixers and non-compliant exchanges operating in high-risk jurisdictions.

Another relevant issue is related to the privacy and security provided by a single governmental central database of users’ data and cryptocurrency transactions. In the case of a hacker attack, it would provide illicit actors with a list of targets, their location, and how much cryptocurrency they hold.

[222] J. Galea New Regime for French Digital Asset Service Providers. BlockGeeks. https://blockgeeks.com/guides/new-regime-for-french-digital-asset-service-providers.
[223] Single Euro Payments Area (SEPA): a fast and cheap payment method that allows the transfer of euros between EU residents’ bank accounts. SEPA allows cryptocurrency to be bought directly using a bank account in Europe and in euros.
[224] K. Helmes (December 13, 2020) France Approves New Cryptocurrency Measures to Fight Anonymous Transactions. Bitcoin.com. https://news.bitcoin.com/france-new-cryptocurrency-measures-fight-anonymous-transactions.
[225] K. Barnato (May 2, 2016) Will terror attacks end bitcoin free-for-all in Europe? CNBC. https://www.cnbc.com/2016/05/02/will-terror-attacks-end-bitcoin-free-for-all-in-europe.html.
[226] (January 7, 2021) Chainalysis’ Formal Response to Treasury’s Proposed Rules Regarding Unhosted Cryptocurrency Wallets. Chainalysis. https://blog.chainalysis.com/reports/chainalysis-response-to-treasury-proposed-rules-unhosted-cryptocurrency-wallets.
Hence, measures applied without understanding the technology behind cryptocurrencies could turn into a double-edged sword.

In the EU, future events related to jihadist terrorism and fin-tech could push governments to propose stricter measures. This approach would provide an immediate sense of control over cryptocurrency businesses while becoming counterproductive in the long term, at both the security and the economic level, by lowering investments, the number of users, and privacy.

However, the current institutional awareness developing in this sector can be assessed as a good start. Nonetheless, it is fundamental for institutions to engage with representatives from the private sector to discuss how regulation can be tailored to reflect cryptocurrency technology. This cooperation is the best way to keep cryptocurrencies from evolving through legislative and economic grey zones, where risks can increase exponentially while jihadist funding can proliferate undisturbed.

Conclusions

This analysis highlights how counter-terrorism is not a short-term plan. Indeed, approaching a phenomenon as complex as jihad with a short-range view at the political, economic, security, and psychological levels can be counterproductive and is likely to start a chain reaction that amplifies, instead of efficiently countering, the impact of terrorist attacks.

Hence, the global approach of jihadist groups feeds on the ecosystem in which its ideology is established, generating a wave of repercussions which are still not fully quantifiable.

As analyzed, a strategy aimed at containing the effects of jihadist terrorism in the EU cannot be limited to a physical and visible response but has to be developed taking into account the global approach of jihadist groups.

A multi-disciplinary intervention could prevent the exploitation of weaknesses and of grey legislative and social zones. These plans should be primarily focused on providing long-lasting and supra-national initiatives for social inclusion, to prevent jihadist groups from exploiting marginalization, and on synergic cooperation between public and private sectors, improving monitoring methods over new technologies while promoting and encouraging digitalization without repression or the proliferation of opaque legislative areas.

This perspective highlights the fact that counter-terrorism may require unpopularity in the short term, by not displaying visible and consensus-driven measures, but should aim at creating, in the long run, a socio-cultural and economic environment of awareness that can be flexible and open: a resilient national and supra-national context that will not crumble when interacting with non-state actors, which proliferate through its destabilization.

https://www.consilium.europa.eu/en/poli- cies/fight-against-terrorism/response-terrorist-threat. European Council (November 13, 2020) Joint statement by the EU home affairs min- isters on the recent terrorist attacks in Europe. https://www.consilium.europa.eu/ en/press/press-releases/2020/11/13/joint-statement-by-the-eu-home-affairs-minis- ters-on-the-recent-terrorist-attacks-in-europe/#. European Council. EU’s response to the terrorist threat. https://www.consilium.eu- ropa.eu/en/policies/fight-against-terrorism. European Parliament (May 2018) The return of foreign fighters to EU soil. ht- tps://www.europarl.europa.eu/RegData/etudes/STUD/2018/621811/EPRS_ STU(2018)621811_EN.pdf. Europol (October 13, 2020) EU IRU TRANSPARENCY REPORT 2019. https://www. europol.europa.eu/publications-documents/eu-iru-transparency-report-2019. 104 DANIELE MARIA BARONE

F. Garza (November 21, 2015) The French military has seen a surge in applications after the Paris attacks. Quartz. https://qz.com/556517/the-french-military-has- seen-a-surge-in-applications-after-the-paris-attacks. F. Théron (March 2020) Terrorist content online Tackling online terrorist propaganda. European Parliamentary Research Service (EPRS) https://www.europarl.europa. eu/RegData/etudes/BRIE/2020/649326/EPRS_BRI(2020)649326_EN.pdf. Facebook AI (January 13, 2020) Online speech recognition with wav2letter@anywhere. https://ai.facebook.com/blog/online-speech-recognition-with-wav2letteranywhere. France Diplomacy (29/10/2020) Call for maximum vigilance - risk of attack. https:// www.diplomatie.gouv.fr/fr/conseils-aux-voyageurs/informations-pratiques/article/ appel-a-la-vigilance-maximale-risque-d-attentat-29-10-2020. G. Yildiz (November 6, 2020) Turkish-French Culture War over Islamist Radical- ism and Islamophobia May Unite Europe against Turkey. SWP German In- stitute for International and Security Affairs. https://www.swp-berlin.org/en/ publication/turkish-french-culture-war-over-islamist-radicalism-and-islamopho- bia-may-unite-europe-against-turkey. GardaWorld (October 29, 2020) Middle East/North Africa: Tensions over response to Islamist attacks in France increase threat against French nationals and interests across MENA region. https://www.garda.com/crisis24/news-alerts/394411/mid- dle-eastnorth-africa-tensions-over-response-to-islamist-attacks-in-france-increase- threat-against-french-nationals-and-interests-across-mena-region. Gazzetta Ufficiale (January 11, 2018) DECRETO LEGISLATIVO 29 dicembre 2017, n. 216. https://www.gazzettaufficiale.it/eli/id/2018/01/11/18G00002/sg. GERMANY TERRORISM RISK INSURANCE PROGRAMME. OECD. https:// www.oecd.org/daf/fin/insurance/Germany-Terrorism-Risk-Insurance.pdf. GLOBAL TERRORISM INDEX 2019 BRIEFING. https://www.visionofhumanity. org/wp-content/uploads/2020/10/GTI-2019-briefingweb.pdf. H. Abelson, R. Anderson, S.M. 
Bellovin, J. Benaloh, M. Blaze, W. Diffie, J. Gilmore, M. Green, S. Landau, P.G. Neumann, R.L. Rivest, J.I. Schiller, B. Schneier, M. Specter, D.J. Weitzner (July 7, 2015) Keys Under Doormats: mandating insecurity by requiring government access to all data and communications. https://www.sch- neier.com/wp-content/uploads/2016/09/paper-keys-under-doormats-CSAIL.pdf. H. Mechaï (July 14, 2019) The ‘deradicalisation’ business: How French attacks spawned a counter-extremism industry. Middle East Eye. https://www.middleeast- eye.net/news/deradicalisation-business-how-french-attacks-spawned-counter-ex- tremism-industry. H. Schaloske (April 26, 2019) Terrorism insured – a German view. Clyde&Co. https:// www.clydeco.com/en/insights/2019/04/terrorism-insured-a-german-view. H. Warrell, S. Jones, E. Solomon, W. Mallet (November 6, 2020) Deadly attacks heighten fears of new European terror wave. The Financial Times. https://www. ft.com/content/076e1b00-2d54-449a-bab5-09920a10f4f7. H.M. Fattah (January 31, 2006) Caricature of Muhammad Leads to Boycott of Dan- ish Goods. The New York Times. https://www.nytimes.com/2006/01/31/world/ middleeast/caricature-of-muhammad-leads-to-boycott-of-danish-goods.html. EU ECONOMIC LOSSES IN THE HAZE OF JIHAD 105

Human Rights Council - Advisory Committee - Twenty-first session (July 6-10, 2018) Draft report on Negative Effects of Terrorism on the Enjoyment of Human Rights. I.H. Indridason (March 2018) Does Terrorism Influence Domestic Politics? Coalition Formation and Terrorist Incidents. Journal of Peace Research (JPR). https://jour- nals.sagepub.com/doi/10.1177/0022343307087183. I. Metha (October 31, 2019) Facebook is testing end-to-end encryption for secret Messenger calls. TNW. https://thenextweb.com/facebook/2019/10/31/facebook- is-testing-end-to-end-encryption-for-secret-messenger-calls. I. von Behr, A.Reding, C. Edwards, L. Gribbon (2013) Radicalisation in the digital era - The use of the internet in 15 cases of terrorism and extremism. RAND https:// www.rand.org/content/dam/rand/pubs/research_reports/RR400/RR453/RAND_ RR453.pdf. Internal Security Fund - Borders and Visa. https://ec.europa.eu/home-affairs/financing/ fundings/security-and-safeguarding-liberties/internal-security-fund-borders_en. IPSOS for ING - International Survey (June 2018) Cracking the code on cryptocurren- cy. https://think.ing.com/uploads/reports/ING_International_Survey_Mobile_Bank- ing_2018.pdf. J. Barnes-Dacey, A. Dworkin (December 1, 2020) Promoting European strategic sovereign- ty in the southern neighbourhood. European Council on Foreign Relations. https:// ecfr.eu/publication/promoting-european-strategic-sovereignty-in-the-southern-neigh- bourhood. J. Chartier (September 11, 2002) Goodbye, cocoon boom?. CNN Money. https:// money.cnn.com/2002/08/26/news/9-11retail. J. Clement (November 24, 2020) Facebook: number of monthly active users worldwide 2008-2020. Statista. https://www.statista.com/statistics/264810/number-of-month- ly-active-facebook-users-worldwide. J. Galea New Regime for French Digital Asset Service Providers. BlockGeeks. https:// blockgeeks.com/guides/new-regime-for-french-digital-asset-service-providers. J. Guéhenno (December 7, 2010) The impact of globalisation on strategy. 
Sur- vival - Global Politics and Strategy. https://www.tandfonline.com/doi/ abs/10.1080/713660009. J. Jacquin (February 23, 2018) Le gouvernement lance un plan tous azimuts de prévention de la radicalisation. Le Monde. https://www.lemonde.fr/societe/ article/2018/02/23/le-gouvernement-lance-un-plan-tous-azimuts-de-preven- tion-de-la-radicalisation_5261486_3224.html. J. Karaian (November 26, 2015) The Paris attacks will cost the French economy more than $2 billion. Quarttz. https://qz.com/559902/the-paris-attacks-will-cost-the- french-economy-more-than-2-billion. J. Khan (November 19, 2020) Facebook’s A.I. is getting better at finding malicious content—but it won’t solve the company’s problems. Fortune. https://fortune. com/2020/11/19/facebook-ai-content-problems-artificial-intelligence. J. Poushter, D. Manevich (August 1, 2017) Globally, People Point to ISIS and Cli- mate Change as Leading Security Threats. Pew Research Center. https://www. 106 DANIELE MARIA BARONE

pewresearch.org/global/2017/08/01/globally-people-point-to-isis-and-climate- change-as-leading-security-threats. J. Vincent (February 27, 2019) AI won’t relieve the misery of Facebook’s human moder- ators. The Verge. https://www.theverge.com/2019/2/27/18242724/facebook-mod- eration-ai-artificial-intelligence-platforms. J.V. Placé (October 22, 2013) Police, gendarmerie: what investment strategy?. Sénat. https://www.senat.fr/rap/r13-091/r13-091_mono.html. K. Barnato (May 2, 2016) Will terror attacks end bitcoin free-for-all in Europe? CNBC. https://www.cnbc.com/2016/05/02/will-terror-attacks-end-bitcoin-free-for-all-in- europe.html. K. Buchholz (August 2020) How Common is Crypto?. Statista. https://www.statista. com/chart/18345/crypto-currency-adoption. K. Gaibulloev, T. Sandler (July 17, 2008) Growth Consequences of Terrorism in Western Europe. Kylos Volume 61, Issue 3. https://onlinelibrary.wiley.com/ toc/14676435/2008/61/3. K. Helmes (December 13, 2020) France Approves New Cryptocurrency Meas- ures to Fight Anonymous Transactions. Bitcoin.com. https://news.bitcoin.com/ france-new-cryptocurrency-measures-fight-anonymous-transactions. K. Sengupta (April 27, 2017) Last message left by Westminster attacker Khalid Masood uncovered by security agencies. The Independent. https://www.independent. co.uk/news/uk/crime/last-message-left-westminster-attacker-khalid-masood-un- covered-security-agencies-a7706561.html. K. Wiggers (November 13, 2020) Facebook’s redoubled AI efforts won’t stop the spread of harmful content. Venture beat. https://venturebeat.com/2020/11/13/facebooks- redoubled-ai-efforts-wont-stop-the-spread-of-harmful-content. K.R. Ahern (February 2018) The Importance of Psychology in Economic Activity: Ev- idence from Terrorist Attacks. NBER - National Bureau of Economic Research. https://www.nber.org/papers/w24331. Keplerk. Points of sales. https://www.bykep.com/en/store-locator. L. Alderman (January 31, 2016) Terror Threats Thaw Budgets Across Europe. 
The New York Times. https://www.nytimes.com/2016/02/01/business/international/ europe-training-financial-firepower-on-terrorism.html. L. Alderman (January 31, 2016) Terror Threats Thaw Budgets Across Europe. The New York Times. https://www.nytimes.com/2016/02/01/business/international/ europe-training-financial-firepower-on-terrorism.html. L. Bindner (February 1, 2018) Jihadists’ Grievance Narratives against France. Inter- national Center for Counter-terrorism - The Hauge (ICCT). https://www.jstor. org/stable/resrep17482?seq=17#metadata_info_tab_contents. L. Cuen (August 2020) Istanbul or ‘Coinstantinople’? Inside Turkey’s Bitcoin Bull Market. Coindesk. https://www.coindesk.com/inside-turkey-bitcoin-bull-market. L. Dionysopulos (November 26, 2020) At the brink of a tectonic shift, EU countries that do crypto-regulation rightMedium.https://lambisdion.medium.com/at-the- brink-of-a-tectonic-shift-eu-countries-that-do-crypto-regulation-right-3e8d4cd- 6d8da. EU ECONOMIC LOSSES IN THE HAZE OF JIHAD 107

L. Graham (December 4, 2015) Music venues will need more security in light of the Paris terror attacks. CNBC. https://www.cnbc.com/2015/12/04/music-venues- will-need-more-security-in-light-of-the-paris-terror-attacks.html. LCI (October 18, 2020) Pourquoi Samuel Paty n’a-t-il pas fait l’objet d’une protection policière? https://www.lci.fr/police/professeur-decapite-pourquoi-samuel-paty-n-a- t-il-pas-fait-l-objet-d-une-protection-policiere-2167627.html. M. Barreaux (April 29, 2015) Paris Attacks Spur France To Boost Budget. Defense News. https://www.defensenews.com/2015/04/29/paris-attacks-spur-france-to-boost-budget. M. Buesa, A. Valino, J. Heijs, T. Baumert, J. Gonzalez Gomez (February 2006) THE ECONOMIC COST OF MARCH 11: MEASURING THE DIRECT ECONOMIC COST OF THE TERRORIST ATTACK ON MARCH 11, 2004 IN MADRID. Instituto de Análisis Industrial y Financiero. Universi- dad Complutense de Madrid. http://citeseerx.ist.psu.edu/viewdoc/download?- doi=10.1.1.319.8266&rep=rep1&type=pdf. M. Ehrenfreund (November 18, 2015) How do economies recover after terrorist attacks? World Economic Forum. https://www.weforum.org/agenda/2015/11/ how-do-economies-recover-after-terrorist-attacks. M. Hafner, E. Disley, S. Grand-Clement, K. Cox, B. Baruch. The cost of terrorism in Europe. RAND Corporation. https://www.rand.org/randeurope/research/projects/ the-cost-of-terrorism-in-europe.html. M. Herzenstein, S. Horsky, S. Posavac (2015) Living with Terrorism or Withdrawing in Terror: Perceived Control andConsumer Avoidance. Journal of Consumer Be- haviour. https://ssrn.com/abstract=2663516. M. Nikšic´ Radic´, D. Dragicˇevic´, M. Barkiđija Sotošek (2018). The tourism-led terror- ism hypothesis – evidence from Italy, Spain, UK, Germany and Turkey. Journal of International Studies. https://www.jois.eu/files/16_539_Niksic%20Radic.pdf. M. Zuckerberg (May 3, 2017) https://www.facebook.com/zuck/posts/10103695315624661. M. Zuckerberg (March 6, 2019) A Privacy-Focused Vision for Social Networking. 
https:// www.facebook.com/notes/mark-zuckerberg/a-privacy-focused-vision-for-social-networ- king/10156700570096634. M.B. Perrine, K.E. Schroder, R. Forester, P. McGonagle-Moulton, F. Huessy (2004) The impact of the 11 September 2001, terrorist attacks on alcohol consumption and distress: Reactions to a national trauma 300 miles from Ground Zero. Jour- nal of Studies on Alcohol and Drugs. https://www.jsad.com/doi/abs/10.15288/ jsa.2004.65.5. M.L. Richins (September 2011) Materialism, transformation expectations, and spending: Implications for credit use. Journal of Public Policy Marketing. https:// journals.sagepub.com/doi/full/10.1509/jppm.30.2.141?casa_token=IDn3T- GYpXxwAAAAA%3AUWhrmlXfc5I-inzJkjnUFh5hxS6EiWfTU58pIIGqC0kEg- c9Pef6bWgBwymIuWAl6kVr1mLMr8yHr. Ministère des Armées (2017) La perception de la défense dans l’opinion publique européenne et chez les jeunes. Annuaire statistique de la défense. N. Gilbert (November 19, 2015) Ruée des jeunes Français vers les armées. Le Monde. https://www.lemonde.fr/attaques-a-paris/article/2015/11/19/ruee-des-jeunes-fran- 108 DANIELE MARIA BARONE

cais-vers-les-armees_4813438_4809495.html?utm_campaign=Echobox&utm_ medium=Social&utm_source=Twitter#meter_toaster. N. Hénin (March 2, 2018) “Prevent to Protect”: Analysis and Perspective on the French Program to Counter Terrorism and Radicalization. European Eye on Rad- icalization. https://eeradicalization.com/prevent-to-protect-analysis-and-perspec- tive-on-the-french-program-to-counter-terrorism-and-radicalization. N. Mandel, S.J. Heine (1999) Terror Management and Marketing: He Who Dies With the Most Toys Wins. Advances in Consumer Research Volume 26. https:// www.acrwebsite.org/volumes/8314/volumes/v26/NA-26. O. Solon (May 25, 2017) Underpaid and overburdened: the life of a Facebook mod- erator. The Guardian. https://www.theguardian.com/news/2017/may/25/face- book-moderator-underpaid-overburdened-extreme-content. O. Ummelas (June 1, 2018) Estonia Scales Down Plan to Create National Cryptocur- rency. Bloomberg. https://www.bloomberg.com/news/articles/2018-06-01/estonia- curbs-cryptocurrency-plan-that-drew-rebuke-from-draghi. O.E. Danzell, S. Zidek (August 24, 2013) Does counterterrorism spending reduce the incidence and lethality of terrorism? A quantitative analysis of 34 countries. Dedense & Security Analysis. Volume 29. https://www.tandfonline.com/doi/abs/ 10.1080/14751798.2013.820970. Official Journal of the European Union (May 30, 2018) https://eur-lex.europa.eu/ legal-content/EN/TXT/PDF/?uri=CELEX:32018L0843. Organization for Security and Co-operation in Europe Office of the Representative on Freedom of the Media (October 15, 2020) LEGAL REVIEW OF THE AUSTRIAN FEDERAL ACT ON MEASURES TO PROTECT USERS ON COMMUNICA- TIONS PLATFORMS [KOMMUNIKATIONSPLATTFORMEN-GESETZ – KO- PI-G]. OSCE. https://www.osce.org/files/f/documents/7/8/467292_1.pdf. P. Baker (September 24, 2020) EU Proposes Full Regulatory Framework for Cryp- tocurrencies. CoinDesk. https://www.coindesk.com/eu-proposes-full-regulato- ry-framework-for-cryptocurrencies. P. Bakowski, W. 
Van Ballegooij (May 2018) The Fight Against Terrorism: Cost of Non-Europe Report. RAND Corporation at the request of European Parliamen- tary Research Service (EPRS) https://www.europarl.europa.eu/RegData/etudes/ STUD/2018/621817/EPRS_STU(2018)621817_EN.pdf. P. Benˇ ová, S. Hošková-Mayerová, J. Navrátil (2017) Terrorist attacks on selected soft targets. Journal of Security and Sustainability Issues. http://jssidoi.org/jssi/papers/ papers/view/354. P. Grüll (July 4, 2020) Austria’s online hate speech law prompts question marks about ‘overblocking’. EURACTIV. https://www.euractiv.com/section/data-protection/ news/austrias-law-against-online-hate-speech-question-marks-in-the-home- stretch. P. Lenain, M. Bonturi, V. Koen (July 2002) IV. Economic consequences of terrorism. Public spending on security threatens fiscal consolidation. OECD. http://www. oecd.org/economy/outlook/1935314.pdf - https://www.oecd-ilibrary.org/econom- ics/the-economic-consequences-of-terrorism_511778841283. EU ECONOMIC LOSSES IN THE HAZE OF JIHAD 109

P. Rao (April 2018) Africa could be the next frontier for cryptocurrency.Africa Renewal. https:// www.un.org/africarenewal/magazine/april-2018-july-2018/africa-could-be-next-fron- tier-cryptocurrency. P.M. Barret (June 2020) Who Moderates the Social Media Giants? A Call to End Outsourcing. NYU Stern. https://bhr.stern.nyu.edu/tech-content-modera- tion-june-2020. P.R. DeMichelis (December 21, 2020) Le secteur des cryptomonnaies en pleine effer- vescence cette année. Les Echos. https://investir.lesechos.fr/placements/vie-pra- tique/actualites/le-secteur-des-cryptomonnaies-en-pleine-effervescence-cette-an- nee-1940574.php. Parlamentskorrespondenz Nr. 152 (February 02, 2015) Nationalrat beschließt neues Islamgesetz. Österreichisches Parlament. https://www.parlament.gv.at/PAKT/PR/ JAHR_2015/PK0152/index.shtml. Q. Wong (June 19, 2019) Facebook content moderation is an ugly business. Here’s who does it. CNet. https://www.cnet.com/news/facebook-content-moderation-is- an-ugly-business-heres-who-does-it. R. Browne (January 5, 2020) JPMorgan says bitcoin could rise to $146,000 long term as it competes with gold. CNBC. https://www.cnbc.com/2021/01/05/jpmorgan- bitcoin-price-could-rise-to-146k-as-it-competes-with-gold.html. R. Carballo, C.J. Leòn, M. Carballo (October 9, 2017) The perception of risk by international travellers. Worldwide Hospitality and Tourism Themes Vol 9 No. 5. https://www.emerald.com/insight/content/doi/10.1108/WHATT-07-2017-0032/ full/html?skipTracking=true. R. Gorwa, R. Binns, C. Katzenbach (February 28, 2020) Algorithmic content modera- tion: Technical and political challenges in the automation of platform governance. Sage Journals. https://journals.sagepub.com/doi/full/10.1177/2053951719897945. R. Levy (August 11, 2020) Facebook Removed Nearly 40% More Terrorist Content in Second Quarter. The Wall Street Journal. https://www.wsj.com/articles/facebook- removed-nearly-40-more-terrorist-content-in-second-quarter-11597162013. R. Musotto, D.S. 
Wall (December 16, 2020) Facebook’s push for end-to-end encryption is good news for user privacy, as well as terrorists and paedophiles. The Conversation. https://theconversation.com/facebooks-push-for-end-to-end-encryption-is-good-news- for-user-privacy-as-well-as-terrorists-and-paedophiles-128782. R.T. Greenbaum, L. Dugan, G. LaFree (April 2006) The Impact of Terrorism on Ital- ian Employment and Business Activity. Urban Studies, Vol. 44. https://ccjs.umd. edu/sites/ccjs.umd.edu/files/pubs/2COMPLIANT%20-%20The%20Impact%20 of%20Terrorism%20on%20Italian%20Employment%20and%20Business%20Ac- tivity.pdf. S. Amaro (September 24, 2020) The EU announces its first ever plan to regulate cryp- tocurrencies. CNBC. https://www.cnbc.com/2020/09/24/eu-valdis-dombrovskis. html. S. Bandyopadhyay, T. Sandler, J. Younas (April 17, 2018) Trade and terrorism: A disaggregated approach. Journal of Peace Research Volume: 55 issue: 5. https:// journals.sagepub.com/doi/full/10.1177/0022343318763009#_i24. 110 DANIELE MARIA BARONE

S. Fillon (September 2, 2017) What we can learn from France’s failed deradicali- zation center. La Stampa. https://www.lastampa.it/esteri/la-stampa-in-eng- lish/2017/09/02/news/what-we-can-learn-from-france-s-failed-deradicalization- center-1.34412986. S. Lucas (November 17, 2015) Paris attacks: how effective has the military response been?. The Conversation. https://theconversation.com/paris-attacks-how-effec- tive-has-the-military-response-been-50804. S.B. Blomberg, G.D. Hess, A. Weerapanac (April 15, 2004) Economic conditions and terrorism. European Journal of Political Economy. https://bit.ly/36M6qwv. S.E. Garcia (September 25, 2018) Ex-Content Moderator Sues Facebook, Saying Violent Images Caused Her PTSD. The New York Times. https://www.nytimes. com/2018/09/25/technology/facebook-moderator-job-ptsd-lawsuit.html. S.M. Torelli (March 16, 2016) The EU’s olive oil diplomacy: Italian fears and pros- pects for Tunisia. ISPI. https://www.ispionline.it/it/pubblicazione/eus-olive-oil- diplomacy-italian-fears-and-prospects-tunisia-14834. Session of December 3, 2020. Sénat. https://www.senat.fr/basile/visio.do?id=d489362202012 03_20&idtable=d48936220201203_20|d48936220201119_6&_c=pharos&rch=ds& de=20191229&au=20201229&dp=1+an&radio=dp&aff=65702&tri=p&off=0&af- d=ppr&afd=ppl&afd=pjl&afd=cvn. T. Brück, F. Schneider, M. Karaisl (June 30, 2007) A Survey on the Economics of Security with Particular Focus on the Possibility to Create a Network of Experts on the Economic Analysis of Terrorism and Anti-Terror Policies and on the Interplay between the Costs of Terrorism and of Anti-Terror Measures – the State of Play of Research. DIW Berlin For the European Commission, Directorate General Jus- tice, Freedom and Security. https://ec.europa.eu/home-affairs/sites/homeaffairs/ files/doc_centre/terrorism/docs/sececon_full_report_en.pdf. T. Krieger, D. Meierrieks (January 2019) The Economic Consequences of Terrorism for the European Union. 
Albert-Ludwigs-Universität Freiburg https://www.econstor. eu/bitstream/10419/191637/1/104712761X.pdf. T. Sandler, W. Enders (2007) ECONOMIC CONSEQUENCES OF TERROR- ISM IN DEVELOPED AND DEVELOPING COUNTRIES: AN OVERVIEW. University of Texas - Dallas. https://personal.utdallas.edu/~tms063000/website/ Econ_Consequences_ms.pdf. T. Zeman, R. Urban (2019) The Negative Impact of Terrorism on Tourism: Not Just a Problem for Developing Countries? DETUROPE – THE CENTRAL EUROPE- AN JOURNAL OF REGIONAL DEVELOPMENT AND TOURISM Vol. 11 Issue 2 2019. http://www.deturope.eu/img/upload/content75-91.pdf. Terrorism and International Trade in France, 2014-16. Document de Recherche du Laboratoire d’Économie d’Orléans Working Paper Series, Economic Research Department of the University of Orléans (LEO), France DR LEO 2019-12. https://hal.archives-ouvertes.fr/hal-02411649/document. The 2020 Geography of Cryptocurrency Report Analysis of Geographic Trends in Cryptocurrency Adoption, Usage, and Regulation (September 2020). Chainalysis. https://markets.chainalysis.com/#geography-index. EU ECONOMIC LOSSES IN THE HAZE OF JIHAD 111

U. Dholakia (December 1, 2015) How Terrorist Attacks Influence Consumer Behav- iors. Psychology Today. https://www.psychologytoday.com/us/blog/the-science-be- hind-behavior/201512/how-terrorist-attacks-influence-consumer-behaviors. United Nations Office of Counter-Terrorism. Vulnerable targets. https://www.un.org/ counterterrorism/vulnerable-targets. US Department of Justice - Office of Public Affairs (August 13, 2020) Global Dis- ruption of Three Terror Finance Cyber-Enabled Campaigns - Largest Ever Seizure of Terrorist Organizations’ Cryptocurrency Accounts. The United States Depart- ment of Justice. https://www.justice.gov/opa/pr/global-disruption-three-terror-fi- nance-cyber-enabled-campaigns. W. Rahman (October 27,2020) Huge Bangladesh rally calls for boycott of French products - Will calls for a boycott work?. BBC. https://www.bbc.com/news/world- asia-54704859. W. Wiewiórowski (November 19, 2020) The Future of Encryption in the EU. ISOC 2020 Webinar. https://edps.europa.eu/sites/edp/files/publication/2020-19-11-the_ future_of_encryption_eu_en.pdf. Y. Khatri (December 8, 2020) France is on the verge of imposing mandatory KYC rules for all crypto transactions, industry sources say. The Block. https://www.the- blockcrypto.com/post/87001/france-crypto-rules-mandatory-kyc-crypto-to-crypto. Z. Brzezinski (March 25, 2007) Terrorized by ‘War on Terror’. The Washington Post. https://www.washingtonpost.com/wp-dyn/content/article/2007/03/23/AR2007 032301613.html. Z. Doffman (October 6, 2019) Here Is What Facebook Won’t Tell You About Message Encryption. Forbes. https://www.forbes.com/sites/zakdoffman/2019/10/06/is-face- books-new-encryption-fight-hiding-a-ruthless-secret-agenda/#6ec67b3b5699. (04/02/2020) Lutte contre terrorisme - Moyens de l’OCLCTIC. Assemblée nationale. https://questions.assemblee-nationale.fr/q15/15-26385QE.htm. (2009) TERRORISM AND INTERNATIONAL TRANSPORT: TOWARDS RISK- BASED SECURITY POLICY - Round Table 144. 
The OECD and the Interna- tional Transport Forum: Joint Transport Research Centre. https://www.itf-oecd. org/sites/default/files/docs/09rt144.pdf. (2017) 2017 Country Report on Terrorism for France. US Embassy & Consulate in France. https://fr.usembassy.gov/2017-country-report-on-terrorism-for-france. (2017) The 2017 Kearney Foreign Direct Investment Confidence Index. Kearney. https:// www.kearney.com/foreign-direct-investment-confidence-index/2017-full-report. (2017) User guide FOR the CEPOL CT 2 EXCHANGE PROGRAMME. Cepol. (2018) Terrorist attacks through the use of motor vehicles in selected European coun- tries. Swiss Re. https://www.swissre.com/dam/jcr:3f9290a5-6c14-4a68-aba1-93d34 c4348f5/swiss_re_terror_acts_motor-vehicles_2018.pdf. (2019) Number of failed, foiled or completed terrorist attacks in the European Union (EU) from 2010 to 2019, by affiliation. Statista. https://www.statista.com/statis- tics/746562/number-of-arrested-terror-suspects-in-the-european-union-eu. (April 5, 2018) CEP To Facebook: Zuckerberg Must Explain Failure To Remove Ex- tremist Content. Counter Extremism Project. https://www.counterextremism. 112 DANIELE MARIA BARONE

com/press/cep-facebook-zuckerberg-must-explain-failure-remove-extremist-con- tent. (December 8, 2020) Bitcoin Daily: France Eyes Strict Rules For Crypto Transactions; Messari Report Says US Last Hurdle For Bitcoin. Pymnts. https://www.pymnts. com/blockchain/bitcoin/2020/bitcoin-daily-france-eyes-strict-rules-crypto-trans- actions-messari-report-says-united-states-last-hurdle. (February 23, 2018) «Prévenir Pour Protéger» Plan national de prévention de la radi- calisation. https://www.gouvernement.fr/sites/default/files/contenu/piece-jointe/2 018/02/2018-02-23-cipdr-radicalisation.pdf. (January 15, 2018) Any rule on Bitcoin must be global, Germany’s central bank says. Reuters. https://www.reuters.com/article/us-bitcoin-regulations-germany-idUSK- BN1F420E. (January 21, 2020) Austria’s €290m plan to fight terror. The Local. https://www.thelo- cal.at/20150121/austrias-290m-plan-to-fight-terror. (January 8, 2019) French ‘Tabac’ shops diversify, selling bitcoin for cash. Reuters. https://www.reuters.com/article/us-france-bitcoin-tobacco-idUSKCN1P21ZN. (March 22, 2016) Terror attack in Brussels sends stock markets lower. The Irish Times. https://www.irishtimes.com/business/markets/terror-attack-in-brussels-sends- stock-markets-lower-1.2582961. (May 10, 2016) Eliminating jihadism is the great challenge of our generation. https:// www.gouvernement.fr/en/eliminating-jihadism-is-the-great-challenge-of-our-ge- neration. (May 2019) 2019 Terrorism Risk Insurance Report. Marsh. https://www.mmc.com/ content/dam/mmc-web/insights/publications/2019/may/2019-terrorism-risk-in- surance-report.pdf. (May 24, 2017) How Facebook guides moderators on terrorist content. The Guardian. https://www.theguardian.com/news/gallery/2017/may/24/how-facebook-guides- moderators-on-terrorist-content. (November 10, 2020) Revealed: The EU Training Regime Teaching Neighbours How to Spy. Privacy International. 
https://privacyinternational.org/long-read/4289/re- vealed-eu-training-regime-teaching-neighbours-how-spy. (November 11, 2016) Economic impact of Paris attacks. DW. https://www.dw.com/ en/economic-impact-of-paris-attacks/av-36354136. (November 16, 2015) Paris attacks: Many arrested in raids across France. BBC News. https://www.bbc.com/news/world-europe-34830233. (November 20, 2020) EU Blockchain Ecosystem Developments. EU Blockchain Ob- servatory & Forum. https://www.eublockchainforum.eu/sites/default/files/reports/ EU%20Blockchain%20Ecosystem%20Report_final_0.pdf. (November 22, 2019) REFERRAL ACTION DAY AGAINST ISLAMIC STATE ONLINE TERRORIST PROPAGANDA. Europol. https://www.europol.europa. eu/newsroom/news/referral-action-day-against-islamic-state-online-terrorist-prop- aganda. (November 4, 2019) Travel & Tourism Industry is More Resilient Than Ever According to New Research by WTTC and Global Rescue. World Travels & Tourism Council. EU ECONOMIC LOSSES IN THE HAZE OF JIHAD 113

https://wttc.org/News-Article/Travel-Tourism-Industry-is-More-Resilient-Than-Ever- According-to-New-Research-by-WTTC-and-Global-Rescue. (October 03, 2020) 8 charged in French cryptocurrency scheme to finance jihadis. ABC News. https://abcnews.go.com/International/wireStory/charged-french-cryptocurren- cy-scheme-finance-jihadis-73403002. (September 29, 2020) France arrests 29 in anti-terror Syria financing sting. France 24. https://www.france24.com/en/20200929-france-arrests-29-in-anti-terror-syria- financing-sting. (September 6, 2020) Growing Number of Institutional Investors Believe That Digital Assets Should Be a Part of Their Investment Portfolios, According to New Research from Fidelity Digital Assets. Fidelity Investments. https://newsroom.fidelity.com/ press-releases/news-details/2020/Growing-Number-of-Institutional-Investors-Be- lieve-That-Digital-Assets-Should-Be-a-Part-of-Their-Investment-Portfolios-Ac- cording-to-New-Research-from-Fidelity-Digital-Assets/default.aspx.

Sicurezza, terrorismo e società 13 (2021)

Threat Assessment and Vulnerability Mapping for Sensitive Buildings against Terrorism in urban environments

Tiziano Li Piani

Tiziano Li Piani, structural engineer and PhD in computational mechanics from the Delft University of Technology in the Netherlands, works as an impact and blast scientist innovator at the national agency TNO-Defense, Safety and Security in The Hague. Furthermore, he is a fellow and visiting researcher at several international institutions, including the Joint Research Centre of the European Commission (2020-2021). His projects deal mainly with the experimental testing, computational modelling and engineering design of structures and equipment exposed to catastrophic man-made threats expected during military operations or terrorist attacks. Furthermore, Tiziano has developed several counter-terrorism projects for the terrorist threat assessment and soft target vulnerability mapping for terrorist attacks in highly urbanized environments. Tiziano’s research has been internationally awarded, including winning European Commission (JRC)’s public calls and awards for best research in defense technology. He is author of book chapters and journal papers in the field of computational mechanics, material sciences and counter-terrorism.

Abstract

The architectural and cultural heritage of European cities is exposed to various hazards of different nature – natural events such as floods or earthquakes but also man-made threats. The escalation of terrorist attacks conducted in urban environments against soft targets necessitates the development of guidelines for the antiterrorism design of buildings and public spaces. Counter-terrorism engineering design is challenged by the lack of definite knowledge and quantitative assessment concerning terrorist risks, including the behavior of terrorists prior to and during an attack. The results of a pilot project that aimed at comprehensively addressing terrorist attack scenarios against Churches in urban settings are summarized in this chapter. The threat assessment was based on the statistical inference of patterns extracted from a sizeable database of such attacks. The statistical incidence of certain behavioral patterns enabled the quantitative elaboration of ten threat scenarios, addressing also timing and placement patterns of the attackers based on their modus operandi. Data analysis revealed inter alia that even if an attack is targeting the inside of the building, people on the outside are also in danger, even beyond the entrance. The extension of this vulnerability area is not only determined by the type of weapons used but also depends on the social function of the public space in which the building is situated. This chapter summarizes the main results of the project and further interprets and generalizes its main findings.

Keywords

Terrorism, input, target, threat encoding algorithm, space of influence.

Introduction

Over the last years, European countries have been exposed to an aggravation of the level of asymmetry of the international terrorism threat, which implies the progression of terrorist attacks inside or in the surroundings of buildings for civilian use and public spaces inserted in highly urbanized environments.1 This drift requires the urgent and massive strengthening of the national intelligence services and their coordination at European and global levels as a preventive measure condensed in counter terrorism laws and codes.2 However, a society founded on risk assessment3 must not overlook the terrorist attack as an inescapable occurrence and its mitigation as a necessary mission.4 The frequency of attacks against soft targets5 and the observation of their effects in terms of human losses and built heritage disruptions, including in some of the European capitals, urge a rethink of the approach and an update of the instruments society is equipped with to protect civilians from urban terrorism,6 starting from a plan of reforms of the technical norms for buildings and constructions.7 A change in perspective implies that buildings for civilian use and public spaces are designed to withstand the effects of intentional attacks commonly addressed in warfare environments.8 However, protection and security guidelines applied in battle fields against man-made attacks must not be simply transferred to the contexts of buildings for civilian use in urban environments. Nevertheless, this is often what happens in

1 F. Bekkers, R. Meessen, and D. Lassche, Hybrid Conflicts: The New Normal?, 2018.
2 S. Colaiocco, ‘Prime Osservazioni Sulle Nuove Fattispecie Antiterrorismo Introdotte Dal Decreto Legge 7 Del 2015 (First Observations on the New Antiterrorism Circumstances Introduced by Decree Law #7, 2015)’, 2015, p. 11. Lorenzo Vidino and James Brandon, ‘Europe’s Experience in Countering Radicalisation: Approaches and Challenges’, Journal of Policing, Intelligence and Counter Terrorism, 7.2 (2012), 163-79 https://doi.org/10.1080/18335330.2012.719097.
3 T. Bjorgo, Root Causes of Terrorism: Myths, Reality and Ways Forward, Routledge, 2005 https://doi.org/10.4324/9780203337653.
4 U. Beck, Risk Society: Towards a New Modernity, 2nd edn (Sage, 1986).
5 For a definition of soft target, the reader is referred to Z. Kalvach and et al., Basics of Soft Target Protection-Guidelines (Prague: Soft Target Protection Institute, 2016).
6 G. Witte and L. Morris, ‘Failure to Stop Paris Attacks Reveals Fatal Flaws at Heart of European Security’, The Washington Post (Paris (France), 28 November 2015).
7 FEMA 452: A How-To Guide to Mitigate Potential Terrorist Attacks Against Buildings (2005), 2005, p. 248 https://www.fema.gov/media-library-data/20130726-1456-20490-0832/fema429_ch4.pdf.
8 Steven Harre-Young and others, ‘The Implications of the UK’s Counter-Terrorism Strategy on the Construction Sector’, Association of Researchers in Construction Management, ARCOM 2009 – Proceedings of the 25th Annual Conference, April 2014, 2009, 1285-94.

the design of embassies and firehouses of contemporary cities.9 Due to the nature of the hosted functions, these are some of the very few buildings in the Western cities designed to withstand the effects of explosions and impacts possibly deriving from intentional attacks, according to a plethora of norms differently developed around the world.10 Inherent design approaches, e.g. of target strengthening and stand-off distances,11 are simply not consistent with the principles of freedom and democracy,12 aesthetic standard,13 and economic constraints14 that European cities are a spatial reflection of.15 Moreover, buildings for civilian use are commonly designed only against natural dynamic loadings, such as wind and earthquakes. Wind, earthquakes, impact and blasts are all different dynamic phenomena, which are prone to determine different modes of response on the same structure.16 Abundantly simplifying the technical dissertation, the high deformation rates with respect to the natural

9 O. Wainwright, ‘Fortress London: The New US Embassy and the Rise of Counter-Terror Urbanism’, Harvard Design Magazine, 2019.
10 The reader is referred to specialist literature as in Donald O. Dusenberry, Handbook for Blast-Resistant Design of Buildings, Assessment (John Wiley & Sons, Inc., 2010). Or Theodor Krauthammer, Modern Protective Structures (CRC Press, 2008) https://doi.org/10.1201/9781420015423.
11 The safe stand-off distance is the minimum distance between a building and a hypothesized source of explosion. Its perimeter is protected through the insertion of structural deterrence systems and target strengthening approaches. Its assessment is based on standard measures of the amount of energy released in an explosion, e.g. equivalent TNT. In T. Li Piani, ‘Structural Design and the Social Function of Space as Vulnerability Factor and Solution to the Progression of the Terrorist Threat in Urban Environments (Italian)’, Security, Terrorism, Society (STS), 8.2 (2018), 7-17.
12 Alberti, De Re Aedificatoria, 1443.
13 C. Sitte, City Planning According to Artistic Principles (A Random House Book: Columbia University Studies, 1889).
14 Cost-benefit analyses are included in the design approach of the current earthquake technical codes EN 1998-1 (2004): Eurocode 8: Design of Structures for Earthquake Resistance – Part 1: General Rules, Seismic actions and Rules for Buildings [Authority: The European Union Per Regulation 305/2011, Directive 98/34/EC, Directive 2004/18/EC], 2004. For instance, structural design nowadays is normed to allow the production of damage on the structure during an earthquake, also in a way which obliges subsequent demolition, provided that minimum safety, operational and functional requirements are ensured during the event.
15 J. Coaffee, P. O’Hare, and M. Hawkesworth, ‘The Visibility of (In)Security: The Aesthetics of Planning Urban Defences Against Terrorism’, Security Dialogue, 40.4-5 (2009), 489-511 https://doi.org/10.1177/0967010609343299.
16 Li Piani, ‘Structural Design and the Social Function of Space as Vulnerability Factor and Solution to the Progression of the Terrorist Threat in Urban Environments (Italian)’. And J. Weerheijm, J. Mediavilla, and J. C.A.M. Van Doormaal, ‘Explosive Loading of Multi Storey RC Buildings: Dynamic Response and Progressive Collapse’, Structural Engineering and Mechanics, 32.2 (2009), 193-212 https://doi.org/10.12989/sem.2009.32.2.193.

period of the structure17 caused by the abrupt release of large amounts of energy18 inherent to close-in explosions or ballistic impacts,19 cause severe local damages on the single structural elements, before the structure itself is dynamically excited as during a seismic excitation.20 Thus, after decades of relative quiescence, the study of the dynamic behaviour of building materials21 has recently gained renewed attention and important advancements on the mechanical assessment of highly dynamic loadings have been accomplished in the latest years in the top research centres in the world.22 However, there is still a significant chasm with respect to the knowledge currently available on the seismic behaviour of buildings and corresponding design approaches.23 The level of sophistication reflected in codes is such that numerical simulations of three-dimensional non-linear models of the building subjected to

17 All buildings have a natural period, which is the time required for one complete oscillation of the body.
18 Pressures also of the order of billions of Pascal within durations of milliseconds. Li Piani, ‘Structural Design and the Social Function of Space as Vulnerability Factor and Solution to the Progression of the Terrorist Threat in Urban Environments (Italian)’.
19 Explosions are also not at all the same. For instance, these can be categorized on the basis of their nature as physical, chemical and nuclear. For further information, the reader is referred to scientific works as in T. Ngo and others, ‘Blast Loading and Blast Effects on Structures – An Overview’, Electronic Journal of Structural Engineering, 7 (2007), 76-91. Or.
20 Luis Pereira, ‘New Computational Approach towards the Simulation of Concrete Structures under Impulsive Loading’ (Delft University of Technology (TU Delft), 2018).
21 J. Weerheijm and P. Forquin, Response Mechanisms of Concrete under Impulsive Tensile Loading, Understanding the Tensile Properties of Concrete (Woodhead Publishing Limited, 2013) https://doi.org/10.1533/9780857097538.2.181.
22 Finite element numerical models, as in T. Li Piani, J. Weerheijm, and L. J. Sluys, ‘Dynamic Simulations of Traditional Masonry Materials at Different Loading Rates Using an Enriched Damage Delay: Theory and Practical Applications’, Engineering Fracture Mechanics, 218.May (2019) https://doi.org/10.1016/j.engfracmech.2019.106576, are developed to accurately simulate the behavior of materials subjected to shock waves. Phenomenological ballistic models, as in T. Li Piani, J. Weerheijm, and L. J. Sluys, ‘Ballistic Model for the Prediction of Penetration Depth and Residual Velocity in Adobe: A New Interpretation of the Ballistic Resistance of Earthen Masonry’, Defence Technology, 14.5 (2018), 4-8 https://doi.org/10.1016/j.dt.2018.07.017, are used to derive quick estimation of fundamental ballistic parameters during operations in the field. A comprehensive list of works and approaches used within the characterization of materials at high strain rates is available in T. Li Piani, ‘Experimental-Numerical Material Characterization of Adobe Masonry: Tests and Simulations on Various Types of Earthen Bricks and Mortar in Statics and Dynamics’ (Delft University of Technology – TU Delft, 2019).
23 R.K. Reitherman, ‘Five Major Themes in the History of Earthquake Engineering’, 15th World Conference on Earthquake Engineering (15WCEE), 2012.

artificial24 or synthetic25 representations of real seismograms can be developed today to design structures against earthquakes.26 The effective definition of mathematical models for the simulation of the physical reality and inherent interactions27 implies the consistent target28 properties approximation and the quantitative input29 encoding assessment.30 Under these premises, the phenomenological challenge inherent in the design of soft targets against terrorist attacks arises. In fact, with respect to earthquakes or wind, a terrorist attack is not completely addressed solely by its mechanical input, that is by the result of a series of mechanical principles e.g. based on Newtonian physics.31 Instead, a terrorist attack starts with the carrier of its mechanical input, namely the attacker, who constitutes a physical entity, a psychological unit and a social atom capable of reflecting, understanding and adapting according to the nature of a human being way before hitting the structure.32 Precisely this human connotation contributes to the perception of aleatory and uncertainty attributed nowadays to a possible quantitative threat assessment of the terrorist hazard, preventing its proper modelling and design in the fields of civil engineering and urban planning.33 However, the design and planning of built heritage of the city has been homo-centric for millennia and instead the compartmentalization of competences and functions which characterizes a post-modernist

24 Based on stochastic algorithms founded on the theory of random vibrations and wavelets. Luis E. Suárez and Luis A. Montejo, ‘Generation of Artificial Earthquakes via the Wavelet Transform’, International Journal of Solids and Structures, 42.21-22 (2005), 5905-19 https://doi.org/10.1016/j.ijsolstr.2005.03.025.
25 Obtained from complex deterministic and stochastic simulations of the seismological problem of earthquake generation. A. Sinvhal and H. Sinvhal, ‘Simulation of Synthetic Seismograms’, Seismic Modelling and Pattern Recognition in Oil Exploration, 1992, 63-90 https://doi.org/10.1007/978-94-011-2570-3_4.
26 Rui Pinho, ‘Nonlinear Dynamic Analysis of Structures Subjected to Seismic Action’, in Advanced Earthquake Engineering Analysis, ed. by Alain Pecker (Vienna: Springer Vienna, 2007), pp. 63-89 https://doi.org/10.1007/978-3-211-74214-3_5.
27 Which is at the basis of the structural design against natural hazards.
28 The building.
29 The hazard.
30 Christian Hennig, ‘Mathematical Models and Reality: A Constructivist Perspective’, Foundations of Science, 15.1 (2010), 29-48 https://doi.org/10.1007/s10699-009-9167-x.
31 The analytical study of the motion of projectiles in fluids begins in the XVIII century, with the second book of Newton’s Principia, entitled The motion of bodies, as explained in Jose Gaite, ‘Penetration of Fast Projectiles into Resistant Media: From Macroscopic to Subatomic Projectiles’, 2017 http://arxiv.org/abs/1705.02337.
32 C. Song and others, ‘Limits of Predictability in Human Mobility’, Science, 327.November (2010).
33 National Capital Planning Commission, ‘The National Capital Urban Design and Security Plan’, October 2002, 2004, 26.

society has largely contributed to the removal of human behaviour and nature from the design equations of spaces and buildings.34 Instead, a few pioneering works in the field of Architecture have recently restored the importance of the assessment of the social practices within the spatial planning of urban environments. Similar works proved the necessity to integrate formal technical rules of design with notions deriving from ethnography, geography, economy and anthropology in order to better design spaces for people.35

This book chapter starts from the premises summarized so far. Research combines hard sciences tools with soft sciences theories in order to fully encode the terrorist threat for soft targets in highly urbanized environments of European cities. This integrated approach results in the hypothesis that human behaviour can be encoded with the same rigor with which math frames earthquakes and wind or any other natural phenomena. Within a Galilean empirical approach,36 a pilot project was started in 2015.37 This was aimed at developing a full encoding paradigm of the terrorist threat of Islamic matrix for Christian Churches in Europe. The rapid escalation of IS in the Middle East and its progressive influence in the African continent were suspected to degenerate into international terrorism in the core of Europe.38 In this regard, Churches were recognized to represent a particularly attractive target for terrorists of religious inspiration,39 as unfortunately confirmed at the end of the project.40 Actually, the reasoning behind the choice of Churches as targets of this counter terrorism analysis is twofold. In fact, Churches are buildings which also embody features typical of public spaces. Churches are

34 Ana Rosa C. Cavalcanti and T. Li Piani, ‘Housing by People and Their Work: Design Principles for Favelas Residents’, The Plan Journal, 2 (2019), 30.
35 Ana Rosa C. Cavalcanti, Housing Shaped by Labour: The Architecture of Scarcity in Informal Settlements (Berlin: Jovis Press, 2018).
36 Observation, hypothesis, experiment, validation or confutation. Philip P. Wiener, ‘The Tradition behind Galileo’s Methodology’, The University of Chicago Press, 1 (1936), 733-46.
37 T. Li Piani, Operative Guidelines for Protection of Places of Worship: A New Approach toward Security Design of Sensitive Buildings (Milan: Institute for Advanced Strategic and Political Studies, ISBN:97888940373-2-6, 2017).
38 Homeland Security Committee, ‘Terror Gone Viral: An Overview of the 75 Isis Linked Plots against the West (2014-2016)’, March, 2016.
39 Ideology plays a decisive role in ‘targets selection under strategic constraints’ in Austin I. Wright, Terrorism, Ideology and Target Selection (Princeton).
40 In 2016, the first attack on a Christian Church in Europe was conducted by ISIS affiliates. A. Hussey, ‘France Church Attack: Even If You Are Not a Catholic, This Feels like a New and Deeper Wound’, The Guardian (France, 2016). In 2019, anti-Islamist attacks targeted also a mosque in New Zealand. P. Billy, ‘The New Zealand Attack Exposed How White Supremacy Has Long Flourished Online’, TIME, 2019. Muslims still constitute the most widely targeted by terrorist attacks in the world. National Consortium for the Study of Terrorism and Responses to Terrorism (START), Maryland University.

intended for Christian prayers but they are open to anyone wishing to approach them, welcoming the poor and the rich, the tourist and the prayer, at any time and independently from race and religion and social condition.41 Their intrinsic vulnerability is the result of their features of openness, inclusiveness and democracy42 which result in the spatial relationships physically established with the public space exterior to the building perimeters.43 Churches became dominant elements of the urban composition in European countries after the Middle Ages,44 and the Neoclassical rationalization of urban design led squares and towns to be planned around Churches and Palaces.45 The relationship between secular and temporal powers has been reflected in the urban equilibrium between religious and political buildings, within the heritage of the ancient Roman Forum rather than of the Greek Agora.46 The physical element which guaranteed the ideological coexistence of two conceptually different entities in the same spatial domain has been represented by the parvis. The parvis is an architectural element of symbolic transition from the holy to the secular space, constituted by a usually raised plane, by means of steps laid at the base of the Church. This element defines the immunity area of the Church and delimits the public space occupied by the Church.47 The ideological nature of the Church, reflected in its physical connotation of a building and of a public space, embodies the true challenges of the structural antiterrorism assessment of soft targets, namely how to defend its space whilst preserving the spatial domain of the social function the terrorist attack is specifically meant to disaggregate. Design must be based on the capability to translate the future projection of current risks comprehension into economically and socially sustainable safety design and urban planning, on the basis of near past and ongoing evidence.48 The encoding paradigm of the terrorist threat for Christian Churches in the pilot project started in 2015 was based on the study of the most significant patterns emerged from

41 In Alberto Maggi, Versetti Pericolosi. Gesù e Lo Scandalo Della Misericordia (Jesus and the Scandal of Mercy), Fazi (Collana Campo dei Fiori, 2011).
42 Intrinsic public spaces.
43 K. Peinhardt and N. Storring, ‘Inclusive by Design: Laying a Foundation for Diversity in Public Space’ (Project for Public Spaces, 2019).
44 R. Krautheimer, Roma. Profilo Di Una Citta 312-1308, ed. by Dell’Elefante, Elefante (Roma, 1981).
45 Murat Z Memluk, ‘Designing Urban Squares’, in Advances in Landscape Architecture, 2013, p. 16.
46 H. Jedin, History of Church, ed. by Jaka Book, I (Milan: Jaka Book, 1972).
47 Especially in ancient times, the most important religious functions were held open air and they could also be extended to the entire square. F. Bonomo, ‘Http://Francescobonomo.Blogspot.Nl/2014/08/Il-Sagrato-Delle-Chiese.Html’, 2014.
48 J.V. Gennip, Policy Implication of Risk Society, 2005.

the statistical elaboration of a database created to contain quali-quantitative information regarding terrorist attacks already perpetrated against Christian Churches in the world.

In the following paragraphs, the pilot experiment is extensively explained. Section 2 explains the database organization and the implemented information. Section 3 translates the main patterns statistically derived into abstract generalizations of the possible types of terrorist attacks prone to be performed against Christian Churches. Section 4 statistically addresses the vulnerability within the targeted structure and the surrounding urban environment of the Church, interpreting and generalizing its implications at the architectural and structural design levels.

1. The Database of the Terrorist Attacks on Places of Worship in the World (I.T.A.W.)

The development of engineering coding of natural hazards for structures is based on the analysis and simulation of historical recurrences.49 This approach can be adapted to the comprehensive encoding of man-made hazards for structures and human beings. To this end, a database was created in 2015. The Islamist Terrorist Attacks on places of Worship Database (I.T.A.W.) was conceived and organized to contain relevant information regarding terrorist attacks perpetrated by religious terrorism of Islamist matrix against Christian Churches in the world between 11th September 2001 and 1st January 2016. Several datasets of attacks already exist around the world and are used by services of national governments or international organizations for different purposes.50 The large majority of tools currently available focus attention on the effects of the terrorist attacks in terms of human casualties and structural damage. Instead, in the I.T.A.W. database, the entire dynamics of the terrorist attack was meant to be parametrized, including the behavioral patterns exhibited by terrorists before and during the execution of the attack. For each attack, implemented information was derived from data elaboration of open sources.51 Police reports, witnesses’ records, media press, footage and videos were among the consulted sources used to reconstruct the entire dynamic

49 Joseph Ha, ‘Recurrence Relations for Computing Complete P and SV Seismograms’, Geophysical Journal of the Royal Astronomical Society, 79.3 (1984), 863-73 https://doi.org/10.1111/j.1365-246X.1984.tb02873.x.
50 W.R. Johnston, ‘Worst Terrorist Strikes Worldwide’ www.jonhnstonesarchive.net. Another source in Jewish Virtualibrary.org, ‘Terrorism against Israel: Comprehensive Listing of Fatalities from 1993’. Or Homeland Security Committee.
51 OSINT analysis is at the basis of the research. B Schuurman and Q. Eijkman, ‘Moving Terrorism Research Forward: The Crucial Role of Primary Sources’, International Center for Counter Terrorism-The Hague, 2013.

of the event and for each case, the derived information was validated by crossing different sources at the same time. As a result, the database currently elaborates 102 attacks52 and is meant as a constantly updatable tool. Not all the attacks perpetrated in Churches around the world were included in the database. Some exclusion criteria were adopted in order to define a solid and consistent dataset. The following exclusion criteria were set:
• Attacks that happened with the implicit submissiveness or connivance of the public authority, which in a democratic society is aimed at protecting citizens’ freedom and property, were excluded;53
• Attacks targeting centers of religious aggregation other than Churches were excluded;54
• Attacks suspected of being the direct consequence of personal revenges toward individuals were excluded;55
• Attacks that did not produce any damages to the building or any human victims were excluded;56
• Attacks poorly reported by public sources of information were excluded.

The database is organized into five sections and twenty-eight columns. Each column contains data or data elaborations in the form of dates, numbers, initials, acronyms or entire sentences. A concise explanation for each column, provided with explicative legends, is reported in Table 1 at the end of this paragraph. If, for a given column, information was not inferred, a ‘/’ is found in the corresponding cell.

The first section is called ‘General Information’ and contains seven columns. It summarizes general information regarding the spatial and temporal domain of the perpetrated attack, in terms of the geographic location where the event took place and the day and daytime in which the attack took place.

The second section, named ‘Target Information’, contains five columns which provide detailed information regarding the building targeted by the assailants. The first column reports the Church’s name and its possible religious confession. If more than one Church was targeted within a coordinated plan of multiple attacks, the complete list of names is correspondingly reported. The presence of mitigation and deterrence defensive systems for building protection was registered in the next two columns. The first one reports the presence of whatever constructive element able to obstruct or distance the

52 The database has been implemented using Microsoft Excel software.
53 E.g. some storming attacks involving a large portion of the local population in Nigerian villages were excluded.
54 E.g. community centers or underground Churches.
55 In order to differentiate between criminality and terrorism.
56 E.g. only planned attacks or failed attacks.

attacker from the direct access to the building.57 This information is accompanied by the indication of the presence of guards protecting the Church’s entrances.58 The following column indicates the religious or civil festivity in which the attack took place, if any coincided with the date of attack. The last column specifies the liturgical moment when the attack took place, including if no Mass was ongoing at the moment of the incident.

The ‘Input Information’ section contains nine columns. The type of threat provided by terrorists and their operative strategy were meant to be parametrized within this section as an input for the aimed target. The first three columns are devoted to assessing some general features of the terrorists who perpetrated the attacks, in terms of numbers, gender composition and possible affiliation to terrorist groups. Next, the typology of attack is classified according to the main means of offence used by the involved terrorists to carry out their aim. In the first column, the type of weapon is specified.59 A list is provided if multiple combinations of weapons were adopted.60 In the next column, additional information on the detail of the input, including possible weapon model and brand, is registered.61 The following three columns are meant to parametrize the final purpose of the terrorist mission and the corresponding strategy meant to achieve it. The first column implements ad hoc formulae to categorize the final scope of the attack with respect to the targeted building.62 Next, the planned strategy operatively adopted by the terrorists to reach the place of worship and conduct the attack is summarized in one sentence.63 Details on the assailants’ behavior, including clothing and appearance features shown in the premises of the attack, were reported in the following column. The last one indicates if the attack was meant to be part of a broader terrorist plan aimed at targeting the same or multiple targets.64

The fourth section, named ‘Input-Target Interaction’, contains five columns of information assessing the outcome of the terrorist attack. First, the exact position where the attack took place with respect to the targeted place of worship is registered. The next column reports the possible structural damages observed on

57 Also the presence of outdoor steps was conceived as a deterrent.
58 Soldiers, policemen, private security but also civilian citizen and worshipper volunteers are included in the same category.
59 E.g. belt bombs, firearms or grenades.
60 These attacks were defined as ‘hybrid’.
61 E.g. AK47.
62 Most of the attacks shared well defined categories of purposes, ranging from the production of the maximum level of human casualties to the execution of specific figures of the religious organization (e.g. the priest, the guards) or simply to desecrate religious symbols.
63 E.g. terrorists might have walked along the main street of the town or taken a bus to reach the Church.
64 Attacks are counted as coordinated if they happened simultaneously or were shifted by no more than 24 hours.

the targeted building as well as on the nearby ones. The two following columns report respectively the number of casualties and injured people reported as a consequence of the attack. Finally, the last column categorizes the victims according to their functions in the religious celebration.65 The last two columns of the database indicate if the terrorist attack was later claimed by any specific terrorist group, including extra notes and peculiar details emphasized by mass media.

Table 1 - Detailed explanation for the 28 columns of I.T.A.W., including legend and examples

| Column | # Sec. | Information | Legend or Example |
|---|---|---|---|
| # Ref. | 1 | Number of the attack, in chronological order (referenced to the source list) | e.g. 1.2... |
| Date | 1 | Date of attack | dd / mm / yyyy |
| Day | 1 | First three letters of the day of the week when the attack was perpetrated | e.g. Mon [Monday] |
| Day Time | 1 | Moment of the day when the attack was perpetrated | Exact Hour (00.00-24.00) or Morning (8.00-12.00), Afternoon (12.00-18.00), Evening (18.00-21.00), Night (21.00-24.00) |
| Continent | 1 | Geographic continent where the attack was perpetrated | e.g. Asia |
| Country | 1 | State where the attack was perpetrated | e.g. Nigeria |
| Location | 1 | Most specific geographical collocation of the attack | e.g. Kaduna |
| Symbolic Target | 2 | Name and possible religious confession of the targeted building(s) | e.g. Catholic Christ Church of God |
| Structural Deterrent | 2 | Possible presence of any structural deterrents distancing the building from the attacker | Y (Yes); N (No) |
| Human Deterrent | 2 | Possible presence of individuals (policeman, guards, volunteers) protecting the building and its prayers at the moment of attack | Y (Yes); N (No) |
| Festivity | 2 | Possible Festivity according to the Calendar of the religious confession | e.g. Christmas |
| Celebration Moment | 2 | Religious rite ongoing at the moment of the attack | M (Mass); MS (Beginning of Mass); ME (End of Mass); P (Prayer); E (Empty Church – No rite) |
| Terrorist Matrix | 3 | Identified matrix of the terroristic cell that perpetrated the attack | e.g. Boko Haram |
| # Killers | 3 | Number of killers who operatively took part in the attack (including carriers) | # (Exact Number) or Group (< 5 people); Mob (>= 5 people) |
| Killer composition | 3 | Attackers' gender | M (Male); F (Female); Mx (Mixed) |
| Type of Attack | 3 | Adopted mean of offence (weapon typology / urban warfare technique) | Shooting (e.g. gun fire); Sidearm (e.g. knife); Suicide (e.g. belt bomb); Bombing (e.g. carbomb); e.g. Bombing&Shooting |
| Weapon Connotation | 3 | Specification of the used weapons in terms of typology, number and class of weapon | e.g. four AK47 |
| Aimed Target | 3 | Specific target of the attack | Church; Guard; Priest; Prayer |
| Strategy of Attack | 3 | Brief statement summarizing the intended plan of action | e.g. “To walk and enter the Church and shoot randomly” |
| Coordinated Attack | 3 | Possible coordination among attacks happening at the same time or shifted for a maximum of 24 hours, perpetrated against the same or different targets (also not religious but connected in aim) | Y (Yes); N (No) |
| Details before attack | 3 | Visual observations on the preliminary stages of the attack according to eyewitnesses | e.g. Attackers arrived on motorbike |
| Final position of attack | 4 | Localization of the incident at the moment of the attack with respect to the building’s perimeter | Inside (Exact Location); Outside (Exact Location); e.g. Outside (at external gates) |
| Structural Damage | 4 | Possible structural damages for any of the involved buildings | Y (Yes) (details); N (No) |
| #Victims | 4 | Number of victims | # e.g. 34 |
| #Injured | 4 | Number of injured persons | # e.g. 40 |
| Type of Victim | 4 | Classification of the victims typology according to their role within the religious congregation | Worshipper; Priest; Guard; Passerby (not intended / collateral victims) |
| Claimed Attack | 5 | Possible claims of the attack by the terroristic matrix | Y (Yes); N (No) |

65 E.g. priest, worshipper, guards etc. It is worth noting that Christian and Muslim passersby were often involved in the effects of the attacks.

2. Threat Assessment for Terrorist Attacks on Places of Worship

General inference

General inference on database information can be promptly derived using statistical analysis. On average, seven attacks per year are represented in the database. These attacks are not homogeneously distributed along the last fifteen years, with a significant increase after 2009. In fact, the number of attacks quintuples in the last lustrum, shifting from three incidents per year on average between 2001 and 2008 to fifteen attacks per year between 2009 and 2016 (Figure 1).66

Figure 1 - Relative and cumulative frequency of terrorist attacks per year

Figure 2 - Number of attacks per year in Asian and African countries

66 Li Piani, Operative Guidelines for Protection of Places of Worship: A New Approach toward Security Design of Sensitive Buildings.

The cruelest year is 2012, when 90% of the attacks are localized in Africa (Figure 2). Religious attacks involved only two geographic continents: Africa (fifty-four attacks) and Asia.67 However, attacks significantly targeted African countries only from 2010. The most involved countries in the database are Nigeria, Egypt and Kenya in Africa, and Iraq, Pakistan and the Philippines in Asia (Figure 3). The most targeted cities in the world are Baghdad, Kaduna, Jos and Mosul (Figure 4).

Figure 3 - Number of attacks in the most targeted countries

Figure 4 - Number of attacks in the most targeted cities

Definite terrorist matrices are recognized behind fifty-nine attacks. More than twelve different matrices are accounted for in the database, although Boko Haram, Al Qaeda and Al Shabaab are the dominant ones in terms of frequency (Figure 5). On the other hand, in 2015 ISIS is the most accredited terrorist group, with two relevant attacks in the same year. All the terrorist groups strike in single continents, with the only exception of Al Qaeda and ISIS, which hit targets located in different Countries.

67 Where the Middle East is included in the classification ‘South Asia’.

Figure 5 - Most frequent terrorist groups

Analysis results characterized by low statistical incidence can also provide fundamental insights for terrorist threat assessment. For instance, some statistical findings suggest that Jihadist attacks on Churches are not always specifically meant to maximize human casualties.68 In fact, the temporal density distribution of attacks is more heterogeneous than expected (Figure 6).69 Only half of the attacks on Churches take place on Sunday, and the rest are spread along weekdays. Not all the attacks target the Church when Mass is ongoing.70 Similarly, less than 20% of the attacks happen on festivity days, which are not always religious ones.

68 This observation was confirmed by the results of recent reports concerning the assessment of Jihadist terrorist activities in Western countries and terrorists’ target selection criteria, as in the AIVD, Insight into Targets: Fifteen Years of Jihadist Attacks in the West (Algemene Inlichtingen- en Veiligheidsdienst), 2019.
69 This apparent contradiction is based on the common assumption that terrorism against soft targets is always meant to maximize casualties. Actually, a definite agreement even on the definition of terrorism (and counter-terrorism) is still lacking. Significant advancements have been made by notable scholars in the field, as in Alex P. Schmid, The Routledge Handbook of Terrorism Research, ed. by Alex P. Schmid (New York and London: Routledge, 2011), or in Scott N. Romaniuk, The Palgrave Handbook of Global Counterterrorism Policy (London: Palgrave, 2017), p. 20.
70 Cases in which the Church is empty are also recurrent.

Figure 6 - Distribution of attacks along the week (a), according to possible ongoing rites (b) and most targeted festivities (c)


In order to interpret all the patterns found and to explain new ones possibly emerging from the extensive dataset, statistical elaboration can be deepened using multivariate analysis. This operation allowed the emergence of definite trends with high statistical incidence when information is disaggregated according to the type of weapon used to perpetrate the attack. Patterns not only concerned the outcome of the mechanical input but extended to the depiction of the entire dynamics of the attack, including the chosen day and daytime of attack and the assessment of the actions performed by the attackers during the preliminary stages of the attack. Therefore, in the following, an extensive discussion reports the main patterns characterized by high statistical incidence for the five categories of attacks unveiled. For each category, the results of quantitative analyses are reported, including the number of victims or structural damages for the buildings, followed by a concise summary of an exemplary case.71

Sidearm Attacks

Six terrorist incidents in the database are connoted by the use of sidearms to perpetrate the attack. They are all perpetrated during Mass72 services in the Church, with a prevalence for morning day times (three out of the four cases where the information was available). Although no favorite day of the week was inferred, weekdays are significantly preferred, with three cases happening on Tuesday, two on Friday and only one on Sunday. Two definite strategies of action can be distinguished. In the case of attacks carried out by more than two people (four cases out of six), the plan consists of entering the Church and randomly stabbing its worshippers before escaping. In two cases, the priest is specifically targeted by the assailants. On the other hand, in two cases the attack is perpetrated by single individuals, who wait for the end of the Mass outside the building in order to stab a Christian victim leaving the Church. In one case, the targeted victim is again the priest. In both cases, the assailants are recognized as mentally unstable.73 Attacks perpetrated using sidearms do not reflect any peculiar terrorist matrices, and the majority of incidents are not part of coordinated attacks. Weapon choice ranges between machetes and knives, but stones have also been used once. The latter case coincides with the only event causing slight (not structural) damage to the building, whose windows are smashed. Given the nature of the attack, no information concerning the effects of structural means of deterrence on the attacking strategy and its outcome is inferable nor worthy of consideration. The possible presence of human deterrents does not prevent the attack in the two cases in which guards are reported to stand outside the Church. In both attacks, carried out by mobs or groups, guards are among the injured persons. The average values of killed and injured people per attack are respectively 1.3 and 3.1, all Christians.

71 Usually associated with the worst outcome in terms of number of victims or structural damages.
72 Including at its end (according to Table 1).
73 Despite not being related to each other, both attackers confessed they wanted to experience ‘what killing a person would be’. More information regarding the psychological reasons behind different weapons used in attacks can be found in E. Niiler, ‘Knife vs. Gun: What a Weapon Reveals’, Seeker, 9 April 2014.

Worst Case Study

On October 22nd 2013, during an overnight service at the Gilgal Christian Worship center (Tanzania), a group of unknown men entered the building at 1.00am holding machetes and knives and started stabbing Christians, killing the priest and injuring three other worshippers [Database Ref. 24].

Shooting Attacks

Twenty-six attacks are perpetrated by assailants who open fire against Christians. Statistical data elaboration reveals different and specific patterns according to the possible occurrence of Mass rites at the moment of the attack. On the one hand, five cases consist of shooting attacks against the guards protecting the building when the Church is empty and no celebrations are performed inside the building. All these cases are perpetrated during weekdays,74 with no favorite time of action along the day. In all cases, the plan consists of approaching the building using flexible means of transport such as motorbikes, bikes or city cars driven by lookouts, and of executing the guards from a medium distance before running away. Two to four attackers are involved on average in these attacks. Different weapons can be used and no predominant model is inferred. The targeted guards are killed in three cases and seriously injured in one. Furthermore, although the average values for killed and injured persons, respectively 1.6 and 1.4, are aligned with the plausible number of guards protecting the buildings, in two cases the attack fails to hit the intended victims and causes instead the death of passersby.

On the other hand, the large majority of this category of attacks is perpetrated during Mass,75 with only a slight prevalence for Sunday as the day of the week.76 Considering the attacks perpetrated on Sundays and excluding the cases where information was not reported, only one attack is perpetrated at a day time other than the morning. This only case happens at an afternoon wedding ceremony. In this regard, seven attacks are perpetrated during festivities according to the Christian calendar. Two different strategies are recognized behind this subgroup of attacks. In sixteen cases, assailants enter the Church while the celebration is ongoing and start to shoot randomly at the crowd. The definite aim of executing the priest is recognized in two cases. Instead, in three cases, terrorists wait outside the building for the end of the Mass and start shooting worshippers while they are leaving the building. Both strategies mainly involve the use of flexible means of transport to approach the building, similarly to the case of shooting against guards. Attackers are also frequently connoted by the use of masks or even uniforms. This subgroup of attacks is characterized by the active participation of large numbers of assailants.77 Generic gun descriptions are reported in eleven cases, while automatic guns and machine guns are clearly recognized in three cases. This subgroup is also characterized by a high incidence of definite terrorist firm affiliations, such as Al Shabaab and Boko Haram.78 The average values of killed and injured people due to shooting attacks are respectively 8.3 and 8.1, with no significant differences between attacks perpetrated inside or outside the Church. In four cases, the priest is among the victims. No structural damages are reported for any of the shooting attacks. All the attacks perpetrated inside Churches prove effective despite the presence of guards protecting the entrance.

74 Four on Tuesdays.
75 Nineteen cases out of twenty-six.
76 Twelve cases out of nineteen.

Worst Case Study

On 7th August 2012, in Okene (Nigeria), a not precisely defined number (more than six) of Boko Haram affiliated terrorists entered a Catholic Church during Mass armed with Kalashnikov assault rifles and started shooting randomly at the crowd, killing 20 worshippers (including the priest) and injuring 9 people [Database Ref. 42].

Suicide Bombing Attacks

Twenty attacks are perpetrated by kamikaze terrorists. Several definite trends are shared by all the cases of suicide attacks. With only one exception, these attacks happen only during Sunday morning Mass.79 The only exception is an attack perpetrated at night during the New Year’s Eve Mass. Suicide attacks involve single80 or pairs of assailants. Definite terrorist matrices are recognized behind almost all the attacks,81 with a definite prevalence for Boko Haram or Al Qaeda.82 Differences among attacks are due to the recipient of the explosive used to perpetrate the attack. In twelve cases, the suicide strategy implies the collision of a fast-driven vehicle, full of explosive and driven by the assailant, against the main entrance or one of the lateral walls of the targeted building. Mainly city cars (eight cases) but also larger means of transport such as SUVs or even trucks can be used against the target. In one case, a multiple attack implies the simultaneous collision of two different vehicles against different sides of the same building. Actually, only a minority of attacks end with the explosion of the car against the target.83 More often, the car explodes outside the entrance of the Church. In the five cases connoted by the presence of structural deterrents,84 attacks mainly end with the collision of the vehicle against the external gates of the Church;85 only a truck bomb charged with propane managed to enter the building despite the presence of structural and human impediments. In this sense, truck bombs always manage to collide with the target regardless of the presence of both structural and human deterrents. In the unique case characterized by solely human deterrence and the absence of structural deterrence, the vehicle detonates against the Church. With only one exception, these attacks cause significant structural damages to the buildings involved in the explosion. In one case, the Church was almost demolished and needed to be rebuilt, while in three cases the explosion also involves nearby buildings.86 In terms of human losses, this typology of attack provokes on average 12.4 casualties and 54.7 injured. Counting only attacks which manage to explode against the Church, the figures only slightly increase to respectively 14.2 and 58.1. Passersby are reported among the victims in four cases, while in three cases the priest is reported among the casualties.

In eight cases, suicide bombers blow themselves up by detonating belt bombs worn on the body. The night New Year’s Eve attack belongs to this category. In six cases, the plan consists of entering the Church and exploding while Mass is ongoing. Despite the plan, only one attacker succeeded in entering the Church, corresponding to a multiple attack perpetrated by two assailants who detonate their bombs one after the other at the Church’s entrance. Among the three cases where the presence of guards is reported, attackers are always prevented from entering. Also, in all the cases in which a structural deterrent is reported, the explosion happens outside the building. In one case, the attacker voluntarily explodes outside the Church while Mass is ending and worshippers are leaving the building. In the last case of this category, the explosion, which happened inside a bus in front of the Church bus stop, was suspected to have been meant to happen in front of the Church.87 Structural damages on the targeted Churches are not always reported,88 whereas in two cases nearby buildings are also partially involved in the incident, more often with non-structural damages.89 In terms of human losses, the attacks provoke 21.9 casualties and 66.7 injured persons on average, although the numerical dispersion associated with this subgroup is significant and there are three cases with fewer than five casualties. Passersby might be reported among the victims.

77 Minimum 2, maximum 13 people.
78 Attacks carried out by mobs corresponded mainly to Boko Haram affiliates (five cases).
79 Considering the seventeen cases out of twenty in which clear information on the possible liturgical function at the moment of the attack was inferred.
80 About 70% of the cases.
81 Seventeen cases out of twenty.
82 Boko Haram with eight attacks and Al Qaeda with three.
83 Five cases out of twelve.
84 In four cases out of the five where structural impediments were reported, guards protecting the building were also present.
85 In four cases out of five.
86 A common threat to human beings from explosions concerns the ejection of shattered glass and debris from windows. Home Office, Center for the Protection of National Infrastructure, and National Counter-Terrorism Security Office, Protecting Crowded Places: Design and Technical Issues, 2012.

Worst Case Study

On 8th April 2012, at the beginning of the 8.00 am Easter Mass at All Saint Church in Kaduna (Nigeria), a Boko Haram affiliated terrorist drove a Toyota Accord at high speed against the building. The presence of guards and physical barriers prevented the car from reaching the target, but the explosion happened in a busy district of the town, full of restaurants and bars, provoking more than 42 victims and 33 injured among passersby and worshippers. The Church was damaged, and more than 50 nearby buildings reported slight or moderate damages. This attack anticipated a second event that happened the same day in the central part of Jos [Database Ref. 51].

Bombing Attacks

Forty-four incidents involve the detonation of explosive devices without implying the assailant’s suicide. Statistical elaboration reveals specific patterns related to the strategy adopted to perpetrate the attack, in turn associated with the distance the assailants put between themselves and the detonating device. In twenty-nine cases, explosives are activated or programmed to explode from long distance. No specific patterns are found with regard to the targeted day of the week and moment of the day. In fifteen cases the incident happens during Mass and Sunday is the targeted day fourteen times, whereas weekdays are chosen in fifteen cases. Four attacks are perpetrated during Christmas. Definite trends are unveiled if the analysis is disaggregated with respect to the type of recipient for the explosive used to conduct the attack. Fifteen attacks imply the detonation of car bombs parked among others in a lateral street or in front of the targeted Churches. In one case, an improvised device is placed under the priest’s car. These attacks are often associated with multi-target selections,90 and in four cases coordinated attacks are perpetrated against more than one Church. Definite terrorist matrices are recognized behind these incidents, in particular Boko Haram,91 Al Qaeda and Abu Sayyaf. All the car bomb attacks take place when the Church is not protected by guards. Although correlations with respect to the number of victims are not always inferred, the presence of structural deterrents does not appear to be associated with a low level of damage for the involved building. In fact, in all the cases where information is reported, the explosion causes significant damages to the Church. In five cases, nearby houses, hospitals or schools are also involved.92 The average values of casualties and injured people are respectively 5.6 and 19.1, although in four cases the attack does not cause any losses even if Mass is being celebrated at the moment of the explosion. Passersby are reported among the victims in four cases.

On the other hand, the detonation of devices hidden in small vessels, such as bags or boxes, is reported in fourteen cases. The quantity of explosive used is limited by the recipient size.93 The explosive device in its recipient is left outside the Church in eleven cases out of the thirteen incidents where the device position at the moment of the explosion is recorded. Devices explode both during ongoing rites and in empty Churches. In case of concomitance with Mass rites, incident reconstructions report that the device is meant to explode while worshippers are leaving the building after the end of the rite. In two cases, the device, hidden inside a bag and left beside a candle store or inside a ventilation cell, explodes inside the Church, not necessarily during the Mass rite but also during private prayers of worshippers. This subgroup of attacks is also characterized by features of coordination, and multiple attacks are registered in nine cases.94 In both cases in which the presence of guards is reported, the explosion does not cause structural damages to the building. However, guards are always reported among the victims. Information on possible building damages is reported in only six cases. The average values of human losses and injured are respectively 5.4 and 11.9. Passersby might also be involved.95

In fifteen cases out of forty-four, the mean of offence consists of grenades thrown by the assailants once they are sufficiently close to the building. Most of these attacks are perpetrated during Mass rites,96 with no favorite targeted day of the week, while all the attacks perpetrated when no celebrations are ongoing take place during weekdays. Al Shabaab,97 Boko Haram or ISIS are often recognized behind these attacks. These incidents are generally not part of coordinated attacks.98 Depending on the number of assailants who take part in the attack, different operative strategies might be adopted. In fact, small groups99 prefer to enter the building and explode the weapon during Mass directly against the worshipping crowd. Attacks involving more than four assailants100 are instead mainly connoted by the strategy of throwing Molotov cocktails from the outside premises of the Church directly against the building. Only attacks hitting Churches from outside produce structural damages (and always do), although without involving nearby buildings. The average numbers of casualties and injured people are respectively 1.5 and 11.6, although considering only attacks that happened inside, these values increase to 2.2 and 19.3. No passersby are recognized among the victims.

87 Early detonation was suspected. This is a common threat for attackers themselves if explosive devices are prepared at home. Harvey W. Kushner, Encyclopedia of Terrorism (Sage, 2003).
88 In four cases, structural damages are reported.
89 Shattered windows.
90 In twelve cases out of fifteen.
91 With eight attacks.
92 And structural damages are reported.
93 However, in one case dynamite for fishing in a receptacle was used to conduct the attack.
94 In two cases more than one Church was targeted simultaneously.
95 They are reported in at least two cases.
96 In ten cases.

Worst Case Study

Christmas Eve 2010 in Jos (Nigeria) was struck by multiple bombs detonated by Boko Haram affiliates in different areas of the town. According to eyewitness reports, guards in the streets were inviting passersby to hide as soon as possible. Car bomb detonations near three churches provoked 60 losses and 70 injured and serious structural damages to the buildings [Database Ref. 74].

Hybrid Attacks

Six incidents are characterized by the simultaneous use of more than one type of weapon. Four incidents involve the use of both firearms and grenades. These incidents present many shared features. They are all ascribable to two definite terrorist matrices, Boko Haram and Al Qaeda. They are all perpetrated on Sundays, during morning Mass, by more than four people, as part of coordinated plans of multiple target selections. Two different operative strategies are recognized, in relation to the function of the thrown grenades within the attack. In three cases, assailants enter the Church shooting and bombing the crowd at the same time. In the only case where the presence of guards protecting the building is reported, killers are prevented from entering.101 In one case, the attackers throw a few grenades from outside against the building in order to force people out of the Church, and only then shoot randomly at the crowd using firearms. The average numbers of losses and injured people are respectively 20.8 and 22.5, and no significant differences in values between the two strategies are found. No structural damages are caused in any of these attacks. Finally, one case of hybrid attack is characterized by higher sophistication and involves the adoption of firearms and grenades within a complex attack that ended with the activation of several suicide belts. This incident is summarized in the following.

97 With the highest incidence of four cases.
98 In eleven cases.
99 Three killers at maximum.
100 Reported in three cases.

Worst Case Study

On 31st October 2010, during the evening Mass at the Our Lady of Salvation Chaldean Catholic Church, in the central district of Baghdad (Iraq), a commando of six young Al-Qaida-IS gunmen wearing belt bombs and holding assault weapons entered the building, throwing a grenade among worshippers, and started shooting. Different hostage groups were formed, while Iraqi and US soldiers (the latter co-participating in the operation) approached the building. After a live media claim by one of the perpetrators to a local network, a three-hour lull in the violence ended just after 9pm, when dozens of Iraqi security forces and eight US soldiers blew open the Church’s doors and stormed inside. The gun battle was ferocious and lasted more than six minutes, with suicide attackers detonating their belt bombs. The attack, which was heralded by a car bomb outside the fortified church gate at 5:30pm, caused 53 victims and 80 injured, with reported damages to the Church [Database Ref. 75].

An Encoding Algorithm for Terrorist Hazard Scenarios

Statistical elaborations performed on a sample of terrorist attacks targeting places of worship confer on the mean of offence the role of shaper of the not solely mechanical component of the man-made threat. For a given weapon, the attackers’ modus operandi is characterized by high statistical incidence. The depicted strategies do not simply refer to the series of decisions and actions the attacker follows before and after the moment of the attack, but extend to the chosen day of the week and to the moment of the attack with respect to the possible rite ongoing inside the building. The adopted mean of offence proves to be strongly correlated with the specific anti-social mission of the attacker, which is quantitatively reflected in the dependence between the type of weapon and its suitability to offend the function represented by the building at the time targeted by the attack.102 If these premises were to be confirmed, it would emerge that the entire terrorist threat, including both the choice and displacement of the mechanical input’s effects and the programming of the human carrier’s strategy, is governed by the social function the space of the building is assigned to. As a result, quantitative terrorist encoding paradigms based on the assessment of cause-effect relationships between the mechanical input and the social function of the target are suited to quantitatively addressing the sensitivity of the threat to the targeted day time, day of the week, number of attackers and planned strategy. The resulting algorithm establishes a relative temporal and spatial relationship with respect to the social function a given mechanical input is suited to disaggregating. Applied to the mission of addressing the terrorist threat for Christian Churches, the following basic inputs are modelled as comprehensive terrorist scenarios:

101 And guards are among the victims.

Input 1: During a morning Mass on a weekday, 2-4 terrorists on foot enter the Church in order to kill worshippers or the priest using machetes or knives;
Input 2: At the end of Mass on a weekday, 1-2 terrorists on foot wait outside the Church in order to kill a worshipper or the priest leaving the building using knives;
Input 3: During Mass on a whatever day time and day of the week, 3-5 terrorists, arrived by motorbike or city car, enter the Church in order to kill worshippers or the priest using fire guns;
Input 4: When no Mass is ongoing on a whatever day time on a weekday, 2-4 terrorists, accompanied by lookouts on motorbikes, stop outside the Church in order to execute the guards at building protection using fire guns;
Input 5: On a Sunday morning Mass, 1-3 terrorists drive city car or truck bombs at maximum speed against the Church’s entrance or one lateral wall in order to kill randomly humans and to produce damages on the building;
Input 6: On a Sunday morning Mass, 1-2 terrorists arrived on foot or by city car enter the Church in order to kill worshippers or the priest or the guards activating their belt bombs;
Input 7: On a whatever day time and day of the week, 1-2 terrorists on foot leave inside or outside the Church an explosive device hidden in a bag or in a box activated to explode to kill randomly or worshippers;
Input 8: On a whatever day time and day of the week, 1-2 terrorists park a car-bomb or hide a device in a parked car activated to kill randomly and to produce damages on the building;
Input 9: During Mass on a whatever day time and day of the week, 1-3 terrorists arrived on foot or by car enter the Church in order to kill worshippers or the priest or remain outside to kill worshippers or guards, throwing grenades;
Input 10: During a Sunday morning Mass, 4-6 terrorists arrived on foot or by car enter one or more Churches in order to kill randomly worshippers using fire guns and grenades.

102 Namely an ongoing religious rite inside the building, two guards at entrance for the empty building protection or passersby at the parvis of the Church for gathering purposes.

A note on the modelling approach for human behavior in terrorist attacks

The approach adopted in this research hypothesizes that the human actions which subtend a terrorist attack can be quantified and encoded as a mechanical variable, with the same level of mechanism associated to an earthquake or an impact. This approach neglects the preliminary assessment of the root causes which lead the terrorist(s) to pursue an attack. Independently from any possible radicalization path pursued or forced recruitment, the human nature of the attacker is employed and conceived only as the series of decisions and actions that the threat carrier makes among binary options given by the boundary conditions of the weapon carried and of the environment surrounding the target.103 As a result, the full identification assessment between the mechanical input and its carrier is hypothesized along the entire temporal span which starts from the premises of the doorstep of the terrorist attacker up to the final point of the attack. In this approach, the possibility of the attacker to change idea and resign from attacking until the premises of the target is negated and the free will is considered as a suspended feature of ‘its’ human nature. Although the mechanism imposed on human behavior104 might appear to be a strong limitation when it comes to predicting actions made under pressure conditions, empirical evidence seems to corroborate its operative implications.105 Furthermore, this approach also overcomes the misleading interpretation sometimes found in literature which would associate a less serious threat to attackers who self-radicalize, with respect to Jihadists of the first generations.106 The approach followed in this work parametrizes the political, social or religious nature of the terrorist attackers in terms of the final outcome of the attack and the inherent strategies planned to maximize its effects with respect to the social function of the target aimed to offend.107 In this setting, also the factual distinctions between urban terrorism and organized criminal modus operandi are operatively smoothed because both are evaluated in the series of behaviors and acts determined by the needs that the beliefs which might either come from religious fanaticism or by the belonging to a clan print on man’s will.108 For example, the dynamics of a subgroup of shooting attacks category emerging in this paragraph clearly recall some of Camorra’s executions.109 Behind expert curtains of propaganda,110 criminal modus operandi and urban warfare techniques are trained and operatively applied to accomplish the final aim of preventing individuals or groups from experiencing security and freedom in the everyday life.111 Operative and practical reasoning can be effectively used also to interpret some specific and defined trends statistically emerging from database elaboration.112 Furthermore, sophisticated shooting attacks proved to be capable of overcoming imposed constraints and deterrence means. The most complex attacks seem to be the result of an in-depth evaluation of the most effective plan and equipment to be adopted in order to exterminate worshippers. In this sense, the incident reconstructions reveal that the majority of attacks, with different levels of abstraction, were always somehow prepared and organized, also considering possible deterrent factors to be faced. Needs and contingency reasoning might be used to explain also global patterns like the trend clearly emerging in Figure 2 and not interpreted yet. This refers to the peak of intensity in the graph by year 2012, when 90% of the 30 attacks were located in Africa.

103 Radicalization results from a combination of educational, cultural, social, economic and psychological factors of difficult interpretation. Alex P. Schmid, Radicalisation, De-Radicalisation, Counter-Radicalisation: A Conceptual Discussion and Literature Review, The Hague: International Centre for Counterterrorism, 2013 http://www.icct.nl/download/file/ICCT-Schmid-Radicalisation-De-Radicalisation-Counter-Radicalisation-March-2013.pdf. or L. Vidino, ‘Radicalization, Linkage, and Diversity – Current Trends in Terrorism in Europe’, RAND Corporation, 2011 https://doi.org/10.1214/10-AOAS405.

104 Which de facto dehumanizes the attacker.

105 Public opinion was shocked after watching a video recording one of the attackers involved in the last series of attacks against Churches in Sri Lanka (2019) caressing a little girl in the path undertaken to enter the Church and blow up himself. However, in the interpretation of the author, this may happen if the mission is ‘programmed’ in the human brain of the attacker as a result of a complete alienation process (https://www.youtube.com/watch?v=CfND24XvyYU). In a physiological approach, a caress is interpreted as a human reflex with the same level of mechanism associated to taking off a coat when sun shines.

106 Recent reports like AIVD Insight into Targets Fifteen Years of Jihadist Attacks in the West (Algemene Inlichtingen En Veiligheidsdienst) sharply shed light on the evidence that the proportion of successful attacks has actually increased over the last years. To address differences in the radicalization processes among different generations of Jihadists, the reader is referred to some relevant sources as L. Vidino, Il Jihadismo Autoctono in Italia: Nascita, Sviluppo e Dinamiche Di Radicalizzazione (Native Jihadism in Italy: Emergence, Development and Radicalization Dynamics), ed. by ISPI (ISPI, 2014).

107 In a unique case study on the radicalization and training of a spontaneous Jihadist cell recently published in Manuel Ricardo Torres-Soriano, ‘How Do Terrorists Choose Their Targets for an Attack? The View from inside an Independent Cell’, Terrorism and Political Violence, 00.00 (2019), 1-15 https://doi.org/10.1080/09546553.2019.1613983, Islamist religiously motivated attackers were found to train and plan attacks based also on sources of extreme left and anti-establishment groups. Alex P. Schmid, Political Terrorism. A Research Guide to Concepts, Theories, Data Bases, and Literature (Amsterdam: North-Holland Publishing Company, 1984).

108 Daniel Boduszek and Philip Hyland, ‘The Theoretical Model of Criminal Social Identity: Psycho-Social Perspective’, International Journal of Criminology and Sociological Theory, 4.1 (2011), 604-14; Emma Alleyne and Jane L. Wood, ‘Gang-Related Crime: The Social, Psychological and Behavioral Correlates’, Psychology, Crime and Law, 19.7 (2013), 611-27 https://doi.org/10.1080/1068316X.2012.658050.

109 ‘Threat Assessment : Italian Organised Crime’, Europol Public Information, 7.6 (2013), 11-17.

110 Alex P. Schmid and J. de Graaf, Violence as Communication. Insurgent Terrorism and the Western News Media (London: Sage, 1982).
That year coincided with the peak in rampage of Boko Haram, which was identified behind more than 20 attacks in Churches in Nigeria, whereas Al Shabaab was recognized in other three attacks happening in the same year in Kenya.113 Before 2010, Boko Haram attacks in Nigeria were mainly focusing on military targets or buildings representative of economic interests or political interferences and public opinion was relatively concerned about local terrorism.114 The group later started targeting soft targets, particularly including public spaces of aggregations like Churches, with the ultimate goal of maximizing disruption and producing broader international media impact, regardless of the lives of the civilians of different beliefs possibly involved.115 Given local dynamics and territorial ambitions, groups like Boko Haram and Al Shabaab share the same Wahhabi global mission as well as the inherent terrorist operative strategies.116 Both groups soon became affiliated to more notorious organizations operating in the Middle East: Boko Haram has recently pledged alliance to the Islamic State, while Al Shabaab is closer to Al Qaeda.117

111 Recent reports confirm sophistications of attacks against soft targets progressively acquired along years: ‘CTED Analytical Brief: Responding to Terrorist Threat against Soft Targets’, 2019, p. 7 https://doi.org/10.1017/CBO9781107415324.004. and Tony Blair Institute for Global Change : How Islamist Extremists Target Civilians, 2018.

112 As an example, need for clear visibility in case of suicide car bomb attacks forces morning timings for attacking.

113 Global Terrorism Index. Measuring and Understanding the Impact of Terrorism, 2015.

114 Adesoji O Adelaja, Abdullahi Labo Late, and Eva Penar, ‘Public Opinion on the Root Causes of Terrorism and Objectives of Terrorists: A Boko Haram Case Study’, Perspectives on Terrorism, Leiden University, 12.3 (2018), 35-49.

115 T. Li Piani, ‘Local Trends and Global Dynamics of Religious Terrorism in Africa’, NATO Defense College Foundation Paper, 2019, 10.

116 A. Mbiyozo, ‘How Boko Haram Specifically Targets Displaced People’ (Institute for Security Studies, 2017).

The illegal and religiously forbidden financing sources of terrorist groups operating in different countries are also similar and often interconnected, including collaboration with international criminal organizations.118 These revenues have been fostered by the introduction and spread of internet in Africa from which Boko Haram particularly benefitted.119 Internet is used by such organizations for funding, but also for propaganda, recruitment and training. In this regard, internet is becoming the virtual field of training of the terrorist attacks. Social media such as Telegram and WhatsApp have been recently adopted for the training and planning of terrorist attacks, including indoctrination of potential lone wolves abroad.
This observation, linked with the definite patterns of actions emerging from statistical elaborations on a dataset heterogeneous in time and geography, suggests the possible existence of a global online terrorist network, not only for the radicalization, but also for the preparation, teaching and training of the terrorist candidates.

An empirical validation of the threat encoding algorithm for attacks on Churches

At the moment of the creation of this database, all the terrorist attacks of Islamist matrix performed against Christian Churches were located outside the European Continent.

On July 22nd 2016, a first religiously motivated terrorist attack was perpetrated in the Church Saint-Étienne-du-Rouvray in France by two assailants armed with knives. This unfortunate episode represents an important source of validation for the algorithm previously defined from the I.T.A.W. dataset. In particular, due to the nature of the means of offence, the dynamics of the event are suitable for comparison with the Input 1 identified in the previous paragraphs of this Chapter. From media news, on a Tuesday morning, at 9.35 am, two attackers walked into the 16th century Church of Saint Etienne during the Mass. Consistency with the model in terms of number of attackers, approaching strategy and chosen day and daytime emerges: According to Input 1, ‘During a morning Mass on a weekday, 2-4 terrorists on foot enter the Church’. According to the Rouen incident reconstruction, the assailants specifically targeted the priest on the altar120 and next randomly stabbed other worshippers. Also in terms of final aim, the ultimate goal emerging from reality finds consistency with the predicted aim of Input 1 of ‘to kill worshippers or the priest’. Furthermore, also the outcome of the attack happened in France, in terms of the killed priest and the four injured worshippers, is close to the average values emerging from database elaboration in the side arm category of respectively 1.3 killed and 3.1 injured persons.121 More evidence on the typical terrorists’ behavioral patterns before and after the attack and on the spatial vulnerability maps emerging from database elaboration is discussed in the following section. This unfortunate episode provides also evidence about the existence of an international online recruitment and training network.

117 Jennifer Ogbogu, ‘Analysing the Threat of Boko Haram and the ISIS Alliance in Nigeria’, Counter Terrorist Trends and Analyses, 7.8 (2015), 16-21 https://doi.org/10.2307/26351381.

118 Edwin Bakker, Jihadi Terrorists in Europe: Their Characteristics and the Circumstances in Which They Joined the Jihad (Netherlands Institute of International Relations, 2006).

119 Kate Cox and others, ‘Social Media in Africa (A Double-Edged Sword for Security and Development)’, UNDP, 2018.
It is in fact worth noticing that the two young terrorists122 were recruited via the Telegram channel ‘Sabre de Lumiere’.123

Since 2016, other serious terrorist attacks happened against Churches around the world, which further validated the suitability of the derived series of terrorist attacks idealizations for places of worship presented in this chapter.124 On 15th March 2019, in Christchurch, New Zealand, a multiple terrorist attack by a radicalized group of Islamophobic white-supremacists was conducted against the Al Noor mosque and an Islamic center in Linwood during the Friday prayer.125 If the encoding algorithm is declined to account for the social function of the Mosque and the inherent timing, Input 3 (fire guns attack) shows consistency with the factual evidence emerged from records on the New Zealand attack.

120 The priest was ferociously slaughtered (https://www.telegraph.co.uk/news/2016/07/26/murder-of-a-priest-how-the-horror-unfolded-as-two-islamic-state). Sympathy of the author goes to the brave priest and to all the innocent victims of any man-made attacks.

121 It appears that after the attack the two young terrorists tried to use worshippers as shelters against the police, which was alerted by a nun who escaped during the premises of the attack. Attackers were finally killed by police.

122 With criminal records.

123 Sword of the Light, a symbol for the sword of truth, whose shine eliminates falsehood like light wipes away darkness. In Li Piani, ‘Local Trends and Global Dynamics of Religious Terrorism in Africa’.

124 T. Li Piani, ‘After Sri Lanka: Anatomy of Terrorist Attacks in Churches (Italian)’ (ISPI, 2019), p. 10.

125 The ‘Islamic Friday’ is the day in which Muslim worshippers are called to go to mosque to profess their public prayers called Jumuʿa (جمعة). These prayers are performed at midday and preceded by a sermon declaimed by the preacher (khuṭba).

3. Threat Assessment for Places of Worship against Terrorist Attacks

In civil engineering, design and assessment derive from the simulation of the response of a structure subjected to a mechanical load, whose correctness is in turn a consequence of a consistent target idealization (the structure) and of a trustworthy input (the load) schematization. The quantitative assessment of human losses, injured persons and structural damages inferred for each category in the previous paragraphs surely offers important indications on the potential outcome and on the nature itself of different typologies of terrorist attacks. For instance, suicide bombing attacks are associated to the highest number of casualties and structural damage. On the other hand, the same weapon used for different ultimate aims is found to determine substantially different outcomes (Figure 7).

Figure 7 - Casualties (killed and injured persons) for different types of terrorist attacks (a) and different casualty entities for the same weapon and different targets (b)

However, the quantitative analysis of these absolute values is not sufficient for a comprehensive characterization of the terrorist hazard’s effectiveness, which is needed to enable a proper safety design of the targeted building and of surrounding public space. Instead, the assessment of the spatial and temporal distributions of the potential and produced effects caused by a terrorist attack on a given target is prone to unveil the intrinsic vulnerability each target is exposed to, namely this operation ‘vectorizes’ the hazard for people and goods.126 The development of vulnerability maps is a common practice within the design of structures against natural hazards127 and these identify the weaknesses of the target against the intrinsic features of the input. Given a travelling input moved by its carrier and a targeted building which extends beyond its perimeter, the assessment of the input-target interaction needs also to cover the preliminary phases of the attack, starting from the pathway undertaken by the attackers in the urban fabric surrounding the domain of the Church. Given these premises, within the categorization proposed in the previous paragraphs, all the cases contained in the I.T.A.W. database were analyzed again directly from the sources of information used for database implementation.128 For each case analyzed, the assessment of the areas with highest threat level required the understanding of the specific properties of the targeted building and the comprehension of the surrounding urban fabric in terms of squares, incoming and peripheral streets from first terrorists sighting up to the relative location of the buildings in the domain of the city. As a result, a comprehensive characterization would require that each case is presented separately, which is not possible for obvious space limits, and an alternative approach has been developed. This is based on the representation of a physical abstraction of the Church as an element of the city.
This approach is meant to represent all the possible spatial configurations of the Church within the surrounding urban fabric, including all the different spatial relationships which it establishes with the other elements of the city129 in a sole model.130 The entire system is based on the use of form as both encoding and design tool of these spatial relationships. The physical domain included in the place of worship, including its parvis, is represented by means of filled up forms, circular or prismatic according to its relative position with respect to the urban square where it is possibly inserted: circular in case of Churches in the center of squares, triangular in case of corner Churches or rectangular in case of Churches at a side of the square. Possible linear (in case of Churches not inserted in any urban squares, categorized as ‘isolated Churches’), triangular (two-side open squares or three-side squares), rectangular (four-sides squares), or circular (curvilinear shaped square) elementary geometry idealizes the urban squares in which the church is possibly inserted. The incoming streets to Churches are represented by lines. These are distinguished between leader street and secondary streets. Leader streets connote those segments of incoming roads from where the access to the urban square where the Church is inserted is visible to the eye. This graphical tool has been defined as ‘Building as a public space influencer toolbox’ and it is graphically summarized in Figure 8. In this setting, all the specific circumstances contained in the database could be traced back to one of the analytical configurations of the abstracted space.

126 A vector is identified by a ‘modulus’, a versus and a direction.

127 L. Pagnini and others, ‘A Mechanical Method For the Vulnerability Assessment of Masonry Buildings’, 14th World Conference on Earthquake Engineering, 2008.

128 Eyewitness records were analysed again to understand where civilians suffered from the outcome of the attack and also ‘felt’ or visibly recognized the threat.

129 Namely other buildings, streets and squares.

130 L. Mumford, The Culture of Cities, 1960.
This scheme can be generalized also for other types of buildings of the city.131 This categorization neglects the structural properties of the building and technical knowledge is necessary to numerically address the damages that mechanical loads like impacts and blasts induce on different materials and structures and urban layout configurations.132 All the cases contained in the database have been grouped in the input categories previously defined and declined to the abstraction of the target developed.133 For each case, the location and timing from where people and goods were considered to be in danger for life and buildings for disruption as a consequence of a terrorist attack directly targeting Churches were inferred.

131 The use of geometry to represent public spaces comes from Architectural sciences. Fundamental works are: Rob Krier, Urban Space, ed. by Academy (Academy Editions, 1979) or P. Zucker, Town and Square: From the Agora to the Village Green, ed. by The MIT Press (The MIT Press, 1970).

132 The current design approach for strategic buildings against blast loads is commonly based on the assumption that the building experiences the load in an open space. However, only considering the mere mechanical input, scientific research already proves that neglecting the effects of waves interactions with other structures and urban environment may constitute a serious approximation. Different streets configurations, surrounding buildings density and relative layout for the same charge at a given distance from the target are prone to produce significantly different effects on the same structure. Two examples of research in this field: Peter D. Smith and Timothy A. Rose, ‘Blast Wave Propagation in City Streets – An Overview’, Progress in Structural Engineering and Materials, 8.1 (2006), 16-28 https://doi.org/10.1002/pse.209. and Hao H. et al., ‘Review of the Current Practices in Blast-Resistant Analysis and Design of Concrete Structures’, Advances in Structural Engineering, 2016.

133 Not only urban squares can be shaped in patterns but also human behavior itself in the urban square. Patterns in space occupations of public spaces in terms of human spatial distribution and behavioral traits were derived from a case study in the city of New York in E. Schlickman and A. Domlesky, Field Guide to Life in Urban Plazas: A Study in New York City, ed. by Julie Eakin, New York (SWA).

Schematic representations of the Church internal layout have been also used to represent the final position of the attacker and trace the areas exposed to maximum threat (Figure 9). The major trends derived from these analytical input-target simulations are described in the following.

Figure 8 - ‘Building as a public space influencer toolbox’

Figure 9 - Schematic representation of Church’s parvis, main and lateral entrances, internal layout, position of the attacker after weapon pulling out (circle) and dotted area where people and goods are exposed to threat

Target-Input 1 interaction assessment

The terrorist threat consists of few people armed with side arms, which for dimensions and shape, can be easily hidden inside clothes. Otherwise, also backpacks are suitable destinations. In order to access the place of worship, terrorists may decide to walk along pedestrian tracks of streets until the Church is reached or can also take public means of transport till closer locations to the public space. Along the approaching path, terrorists need not to be recognized nor to raise suspicion among eyewitnesses, who are not considered to be exposed to danger in this stage. For this purpose, they can adopt simple disguising systems such as caps and glasses in summer or hats in winter in casual clothing. The timing of the attack is likely to enhance the need for anonymity. On weekdays, Mass rites are usually one or two along the day.134 Most of daily Mass rites are performed between 7.30 am and 10.00 am, when pedestrian and car traffic is enhanced by the need of reaching working places or schools.135 While reaching the building, terrorists can also be tempted to consciously or unconsciously feel the weapons in their clothes. This need is more likely to be felt nearby the parvis of the Church. If terrorists approach Churches protected by guards, and especially if access is prevented by metal detector screenings, passersby standing on the parvis are in danger. The Church can be accessed by the main entrance, or by an available lateral one, especially if the priest, who stands on the altar, is among the targets. If there are four terrorists, also a combined access in different parts of the Church can be planned (Figure 10). Weapons are likely to be extracted only once the building is approached, starting from the time and space in-between the inner door which often follows the main entrance.
Once inside, terrorists may decide to immediately extract the weapons and stab prayers standing close to the entrance or sitting in the first rows of benches (with respect to the entrance) of the Church, or rather wait for a proper timing during the Mass. The different scenarios are associated to the possibility that the priest is the chosen target of the attack. In this case, terrorists could even sit136 during the rite, waiting for the proper moment to attack, which might coincide with the Communion rite, when the prayer receives the Christ directly from the hands of the officiant. Especially in case of large worshippers number, after the attack terrorists immediately leave the building, escaping from the lateral or main entrances previously accessed. If the main target is the priest, only worshippers who are in the same trajectory of terrorists on the run are likely to be in danger of being stabbed. Otherwise, also persons in the parvis and the possible surrounding square are in danger for life in the agitated moments following the attack. On the other hand, if Mass is barely attended, attackers may decide to overcome the entire number of worshippers, executing all of them and take into consideration the likelihood of a mortal conflict with armed forces.

134 Priest can give Communion twice per day.

135 In afternoons, Mass usually takes place between 17.30 am and 19.00 am, also corresponding to relatively highly busy moments.

136 This happens more often.

Figure 10 - Areas of vulnerability in the urban fabric (a) and in the Church (b) for one of the possible Target-Input 1 interaction scenarios

Target-Input 2 interaction assessment

The terrorist threat consists of a single individual or a couple of men armed with knives or machetes.137 Similarly to the previous target-input assessment, the designated place of worship can be accessed on foot or by bus and disguising clothes are usually used as well. If the attacker is mentally unstable, the adoption of a disguising system is not a priority of the terrorist and anomalous behavior is often recognized during the preliminary phases of the attack.

137 Same reasoning about weapon portability referred at beginning of Input 1-Target assessment.

Nevertheless, eyewitnesses along the path are not considered to be in danger. The timing of the attack is likely to enhance the need for anonymity.138 The planning of the timing of the attack is important and it is probable that terrorists approach the parvis with some advance with respect to the end of the Mass. Preliminary surveys from the attacker, including routine paths in the days before the attack, cannot be excluded. Also after having approached the premises of the Church, passersby outside the Church are in danger during Mass rite only if the attacker feels to have attracted suspicion. At the end of the Mass, if the target is a random worshipper, the first persons who leave the building are the most likely victims (Figure 11). These can be easily targeted even in presence of guards at building protection, especially if parvis is characterized by a significant number of steps, with the attack displayed at the ground level. In general, the attack is likely to be displayed on the parvis, especially at its first steps, or close to the Church’s main or lateral entrances if this architectural element is absent. If the target is the priest, the terrorist needs to wait for a longer time after worshippers have left.139 In this case, the attack is more likely displayed at one of the lateral entrances of the Church. The terrorist may leave the parvis immediately after the attack, trying to go on the lam but, especially in case of mentally unstable people, it is not unlikely that the terrorist does not feel the urgency of not being recognized or captured and the attack may be claimed by the author on the spot.

Figure 11 - Areas of vulnerability in the urban fabric (a) and in the Church (b) for one of the possible Target-Input 2 interaction scenarios

138 As in [131].

139 After Mass, priests might be involved into conversations and confessions with worshippers and need time to undress the cassock clothes.

Target-Input 3 interaction assessment

The terrorist threat consists of a group of men armed with fire guns. Weapons can be easily hidden in bags or backpacks stored in the dash board, back seats or in the luggage compartment of the car used to approach the building or alternatively directly worn if using motorbikes. Two different scenarios in the approaching phases are distinguished, according to the possible choice of preserving anonymity till the premises of the building. In this latter case, if the car is chosen as a means of transport, the vehicle is driven by the attackers themselves or more likely by one lookout.140 Stolen cars or cars provided with false plates are often used. However, breaking traffic regulations is avoided and the car is usually pulled up alongside the sidewalks of secondary streets in order to try to avoid being recorded by possible CCTV cameras. Once backpacks are worn, terrorists walk until the Church is approached. To maximize anonymity, busy day times are usually chosen and disguise systems adopted. In case of attacks during weekends, the car is usually parked farther away due to higher traffic restrictions and lookouts are often preferred. Mass on a Festivity day is performed on morning times, between 9.30 am and 11.30 am, whereas afternoon Mass usually takes place between 18.00pm and 19.00pm.141 If motorbikes are used to approach the target, lookouts are usually less useful due to the relatively high numbers of attackers involved and the flexibility of the chosen means of transport, which can be easily parked closer to Church location. In both cases, a certain walking path is likely to be performed by terrorists to access the place of worship, but passersby along the path are not considered to be in danger. On the contrary, if the action is planned to be abruptly performed and contemplates the possibility of mortal armed conflict even before accessing the place of worship142 the aforementioned precautions are not necessary. In these cases, cars or motorbikes driven at high speed stop only once very close to the targeted Church, regardless of any regulations and only limited by traffic density. Weapons are immediately extracted and passersby in the accessing route are exposed to danger. In both approaching scenarios, if guards are present at building protection, terrorists unveil their weapons before entering the Church, especially nearby the premises of the parvis. Thus, passersby on the parvis are always potentially in danger. The Church can be accessed by the main entrance, or through available lateral ones.143 If attackers are more than two, combined accesses in different parts of the Church are performed. In case of combined attacks, terrorists accessing the lateral entrance would preferably target the priest and the ones from the main one only the lateral rows of benches from the main entrance. Once inside the building, terrorists are likely to start shooting at first steps because the surprise effect is already ensured by the type of weapons used.

140 In case of lookouts, there is no need to park the car.

141 Besides the Sunday morning Mass, the most crowded rite is usually displayed on Saturdays afternoon (after 17.30), because this Mass is considered to have the same function of the Sunday celebration according to Christian catechism.
Terrorists might decide to shoot while standing close to the entrance or contemporary walking till more central positions are reached. In case of single attacking groups targeting specifically the priest from the main entrance, prayers sitting on the central benches are also in danger (Figure 12). Structural elements of the Church are likely to be impacted by projectiles as well as non structural elements including windows, decorations and furniture. If the attack is performed without ensuring anonymity during the approaching phase, terrorists are aware of the mortal conflict with armed forces which is likely to hap- pen during or after the terrorist operation inside the building is completed. This conflict may happen outside the Church, in the proximity of the parvis, or inside the place of worship. Policemen and passersby are exposed to threat. Elsewise, terrorists can plan to evade from the building immediately after the operation, especially if this happens on weekdays. In case of arrival by means of motorbike, it is likely that terrorists try to use them also when leaving the building. In case of arrival by means of car, terrorists more likely go on the lam through the nearby streets on foot in order to reach agreed points with lookouts. Policemen and pas- sersby are often exposed to danger also in secondary streets not in the immediate proximity of the Church.

142 Attacks are carefully planned and attackers are well equipped. 143 Especially if the main target is the priest, who is standing on the altar performing the rite. 154 TIZIANO LI PIANI

Figure 12 - Areas of vulnerability in the urban fabric (a) and in the Church (b) for one of the possible Target-Input 3 interaction scenarios

(a)

(b)

Target-Input 4 interaction assessment

The terrorist threat consists of a few people who shoot guards using firearms. By the nature of the attack, this scenario is a threat only for buildings protected by guards. The attackers are driven on a motorbike by a lookout, who might also join the shooting phase. Weapons, which need to be hidden till the target is approached, have to remain at terrorists’ fingertips. Thus, guns hidden in backpacks are unlikely while weapons can be hidden inside the jacket.144 The motorbike needs to reach the closest available location with respect to the Church’s entrance to ensure proper visibility to the attacker. However, traffic regulations are often respected so as not to attract police attention until the final moment of attack. The possible video tracking from CCTV cameras does not represent an issue in case of a stolen vehicle, false plates, and full-face helmets on attackers. Attackers can shoot directly from the vehicle or rather walk a few steps to approach the target. In both cases, the attacking phase lasts less than one minute. Passersby in the approaching path are not in danger. Instead, passersby in the proximity of the parvis are in serious danger, including those who walk in the nearby areas, especially in case of Churches inserted in squares (Figure 13). Immediately after the attack, terrorists drive away on the same motorbike but it is not unlikely that they decide to change the means of transport after secondary streets.

144 In this latter case, a typical posture aimed at covering and protecting the weapon is often recognized in the approaching phase.

Figure 13 - Areas of vulnerability in the urban fabric (a) and in the Church (b) for one of the possible Target-Input 4 interaction scenarios

(a)

(b)

Target-Input 5 interaction assessment

The terrorist threat consists of one or two persons driving car bombs. The adopted means is often a city car, which is agile enough during the approaching phase.145 Nevertheless, the use of larger means of transport, such as diverted trucks or buses, is also a possibility. Due to the nature of the event, terrorists do not need anonymity during the approaching phase of the attack. Cars are accelerated to the maximum speed allowed by traffic density along the secondary and primary streets in the surroundings of the Church, regardless of traffic regulations. According to the size and touristic attractiveness of the site and of the city, Sunday mornings can be significantly less or more busy than weekdays. Passersby along the pathway are potentially in danger starting from streets in which the target is not visible yet. The vehicle is directed toward the main entrance or one of the lateral walls of the Church, according to the relative orientations of the square and the accessing street or to the possible presence of a parvis at the main entrances. The car is planned to hit the target during the Mass rite. However, the detonation is very likely to happen at the first physical obstacle which the vehicle encounters along its path.146 Nevertheless, the effects of the impact are always prone to involve the Church as a building and its worshippers, as well as nearby buildings according to the layout of the urban fabric.147 Worshippers at Mass and passersby in the possible surrounding square and on the parvis are seriously exposed to danger, especially in case of protected Churches (Figure 14). In case of multiple attacks on the same target, the second car can follow the first one till impact in order to reinforce the local effects of the first detonation or rather be directed toward a different point of impact, in order to enlarge the destructive potential of the event. In the first case, the second impact is more likely to happen inside the building.

145 Possibly provided with reinforced fenders and equipped with false plates.

Figure 14 - Areas of vulnerability in the urban fabric (a) and in the Church (b) for one of the possible Target-Input 5 interaction scenarios

(a)

146 Detonation against walls of the Church is less likely in case of parvis raised by a significant number of steps.
147 According to urban layout and structural properties.

(b)

Target-Input 6 Assessment

The terrorist threat consists of one or two persons armed with belt bombs, which for dimensions and shape can be disguised also inside clothes.148 In order to access the place of worship, terrorists might decide to walk along pedestrian tracks or also to take public means of transport till the proximity of the Church is reached.149 Terrorists need to avoid being recognized or raising suspicion among eyewitnesses.150 The timing likely chosen for the attack tends to reinforce anonymity, especially when Sunday morning Masses coincide with religious festivities or public holidays. Minor efforts are required in touristic places. Passersby along the approaching path of the attackers are usually not in danger. The moment of the Mass chosen to hit the target is variable. If the attack is performed against protected Churches, the belt bomb is probably activated outside the building or at its premises, starting from the physical domain of the external gates, parvis or entrance, after Mass has begun or at its end. Even if the Church is protected, when the attack is perpetrated by two suicide terrorists, it is likely that the second attacker manages to enter the building just after the first explosion is accomplished and the worshippers are still inside, hurt or in a state of shock. If the Church is not protected, attackers may decide to enter and immediately activate their belt bombs, or rather to sit in central locations to maximize damage and casualties. In the former case, attacks can happen at any moment of the Mass.151 Alternatively, attackers may enter the Church before or after Mass has begun and wait until a crucial moment in the religious rite to activate the explosive device.152 Priests can also be specifically targeted in case of double attacks by two terrorists who enter from opposite sides of the building and simultaneously activate their belt bombs (Figure 15). Passersby outside the Church and worshippers inside are equally exposed to danger. The Church is likely to experience the effects of the explosion. Moreover, surrounding buildings are also likely to be involved, to an extent that depends on the charge and final activation location of the explosive and on the properties of the building, including its surrounding urban layout.

148 Especially in winter. Other disguise systems are described in the previous paragraphs.
149 Provided that early detonations are prevented.
150 For this purpose, terrorists can adopt simple disguise systems such as caps and glasses in summer or hats in winter and casual clothing slightly oversized (Target-Input 1,2 Interaction).

Figure 15 - Areas of vulnerability in the urban fabric (a) and in the Church (b) for one of the possible Target-Input 6 interaction scenarios

(a)

(b)

151 Preferably not at the beginning nor at the end.
152 During the Eucharist rite worshippers are all aligned in front of the priest.

Target-Input 7 Assessment

The terrorist threat consists of a low number of people who carry an explosive device hidden in a container. One or two persons can accomplish the plan while avoiding attention, but larger coordination cannot be excluded. The chosen container(s) might be a bag, a box, a backpack or any similar means suitable to hide and carry explosive without representing a danger for carriers. The physical transportation of very large amounts of explosive in such containers could represent a serious threat for terrorists, and small amounts of explosive are therefore more likely within this strategy of attack. In order to access the place of worship, terrorists can walk along pedestrian tracks or also take public means of transport, with the need neither to raise suspicion among eyewitnesses nor to let the container be bumped along the path.153 Passersby along the path are in danger only in case of terrorists’ errors and involuntary device activation. Only if terrorists are suspected by armed forces or policemen and requested to stop along the approaching path might premature explosions be voluntarily performed. An effective disguising strategy for the attackers is thus essential, because terrorists also need to leave the device at the place of worship without raising suspicion among those present. Besides the already mentioned disguising strategies, disguise as students is considered to be an effective option.154 The device can be left inside the Church or at its parvis. If the device is left inside the Church, it is more likely that it is programmed or activated to explode during the Mass rite or praying moments at lateral altars. For the symbolic effect that the attack is meant to produce, explosions during moments other than Mass are also not excluded. In these cases, the device is likely to be left at the candle store or in front of religious icons/altars.

In order to generate the minimum suspicion and place the device in a strategic position with regard to the intended explosion effects, terrorists may plan to enter the building at the same moment as the first worshippers who access the Church to attend the Mass and leave the unattended luggage only after its beginning, when the Church is crowded. Alternatively, terrorists may enter the building while the Mass is ongoing. In this case, attackers more likely abandon the device in corners of the building or at the final rows of benches. If the Church is open also after and before the Mass rite, devices can be placed when no worshippers are present in the Church. In this case, terrorists need to be able to hide the device in a strategic position without arousing the suspicion of worshippers entering the Church nor being recorded by possible CCTV cameras analyzed in real time placed inside the building. Worshippers inside the building are exposed to danger depending on their location with respect to the final position of the device and on the amount of charge. For similar reasons, passersby standing on the parvis can also be involved. Especially in case of presence of guards, the device is left outside the building and effectiveness is enhanced in case of insertion of the Church in large and crowded public spaces. In this variant, terrorists have to appear like passersby or worshippers carrying a bag or a backpack. The strategy is likely to consist of approaching the more crowded areas of the parvis and sitting on its steps, waiting for the appropriate moment to leave the bag unattended without raising suspicion among eyewitnesses, programmed to explode in a time sufficient to allow terrorists to approach secondary streets. Also in case of exterior explosions, passersby at the parvis are exposed to danger according to the amount of charge and final position of the explosive (Figure 16). In both cases, damage to the building is not excluded.

153 Use of cars and buses is less frequent so as not to cause potential threats for carriers themselves.
154 And the plan is suitable to be carried out also by young women.

Figure 16 - Areas of vulnerability in the urban fabric (a) and in the Church (b) for one of the possible Target-Input 7 interaction scenarios

(a)

(b)

Target-Input 8 Assessment

The terrorist threat consists of an undefined number of people who arm a parked car with explosive. City cars or SUVs are mainly used for the purposes of these attacks. Cars can be parked by the assailants without generating suspicion. The car used might also be a stolen vehicle and/or provided with false plates in order to avoid identification of the owner after the incident. The device might also be placed under an already parked car. In this case, terrorists need to disguise this operation. Thus, this phase might be completed only when no eyewitnesses are encountered.155 This operation can be accomplished more easily at night. For the destructive threat to be realized, the charged vehicle should be parked as closely as possible to the targeted Church. Thus, the terrorists’ priority is to select a Church and find a suitable and available parking site, preferably in areas not controlled by security cameras. If the device is programmed to explode in a short time and the terrorists accept the possibility of being tracked by cameras and caught by police, the car might also be parked in the proximity of the Church, despite traffic prohibition or parking spot availability. Particularly suitable opportunities are represented by night-time religious celebrations (Christmas Eve, Easter Eve, New Year’s Mass), when common habits, e.g. parking close to the Church without proper regard for traffic regulations and parking procedures, allow the car armed with explosive to be parked without suspicion. The most favorably sited parking spots are usually situated along the lateral sides of the Church (Figure 17). Cars parked close to one of the lateral sides of the square where the Church is possibly inserted also represent a possible hazardous scenario, especially in case of parking areas near the surrounding square.

Once terrorists leave the vehicle, they may enter the square or walk back to the streets used to access the space, according to the shortest way in order not to be tracked by cameras and to be protected from the explosion effects. Passersby walking or standing near the vehicle are exposed to danger. The extent of the effects of the explosion on the Church and its worshippers depends on the charge, the inherent timing of activation and the corresponding urban layout. Significant effects on the targeted Church can be produced in terms of structural damage, and these involve the parvis, square and nearby buildings according to the properties of the charge and of the urban layout. Worshippers inside the building are more likely to be involved in case of large amounts of explosive near the entrances, especially if the Church is not inserted in squares.

155 Or pretending to be the car’s owner.

Figure 17 - Areas of vulnerability in the urban fabric (a) and in the Church (b) for one of the possible Target-Input 8 interaction scenarios

(a)

(b)

Target-Input 9 Assessment

The terrorist threat consists of a group of men armed with grenades. For the depiction of the most typical scenarios inherent to the approaching phase, the reader is referred to previous paragraphs.156 If guards are present at building protection, terrorists show their weapons before entering the Church, near the parvis. Thus, passersby on the parvis are exposed to danger. In this case, terrorists throw the first grenades, aimed at eliminating policemen, directly against the Church entrance. The Church can be accessed using the main entrance, or through available lateral ones, especially if the main target is the priest. However, combined accesses at different entrances of the Church require high coordination among terrorists due to the properties of the weapon used. Terrorists are likely to immediately extract and launch the grenades over the first rows of central benches, just past the main entrance, with the door still held open. If the chosen entrance is a lateral one, the main target of the first launch is more likely to be the priest.157 Structural damage is possibly experienced as well. Subsequent launches could be performed from the exterior of the building while worshippers try to escape. Especially if the operation is conducted without assuring anonymity during the approaching phase, terrorists are aware of the mortal conflict with armed forces as part of the terrorist operation. This conflict is more likely to happen at the parvis, in the possibly surrounding square or inside the place of worship, if the terrorists decide to end the operation by taking worshippers hostage and barricading themselves in the building. Otherwise, terrorists may also plan to escape from the place immediately after the operation, and they would rather flee on foot through nearby streets in order to be rescued at agreed points by lookouts. Passersby are exposed to danger also outside the parvis along farther streets. Due to the nature of the attack, typical noises are likely to attract people and thus public security forces are likely to intervene during and after the attack in the Church.

156 E.g. Target-Input 3.
157 Thus the corresponding altar.

The Space of Influence of Places of Worship

Two general trends emerged from the assessment of all the possible target-input interactions. Independently of the means of offence, in all the about 100 attacks of the I.T.A.W. database, people and goods outside the interior perimeter of the Church were found to be exposed to danger. Also for those attacks planned to happen inside the Church, areas of vulnerability involved at least the parvis of the Church, including its extension in the surrounding square. By the nature of the threat, the terrorist attack on a soft target in a highly urbanized environment represents primarily a threat for the public space it presides over, which for the Church starts from the premises of the parvis. This function of the Church not only as an individual building, but rather as an integrated compound of urban elements, clearly emerges. As a second observation, it emerges that the extension of this vulnerability area is not solely a result of the type of weapon used to commit the attack. Attacks involving improvised explosive devices were confirmed to produce casualties and determine structural damage in number and extent which do not solely depend on the structural properties of the Church and the amount of TNT. Furthermore, attacks characterized by the use of weapons of minor impact158 were also found to be prone to constitute a serious threat to people’s lives within large domains outside the building, depending on its relative location in the city, street layout, traffic and density of commercial services provided in the nearby buildings. In this regard, the extent of the attack and the exposure to damage of the Church appear to be significantly determined by the spatial relationships the building establishes with the other components of the city, namely streets, squares and other buildings. Coupling these two main findings within an extended case method,159 a new property of the building in counter terrorism design arises. This may be defined as the space of influence of the building, because it is an extension of the building beyond its physical perimeter, which results from the social function of the building itself and from the spatial interactions established with the other elements of the city, namely streets, squares and buildings of the surrounding urban fabric. Not only its existence, but also the shape and extent of this public space governed by a physical structure are determined by the role of the building and of the inherent urban fabric within the domain of the city. This property has been unveiled within a counter terrorism threat assessment because man-made hazards are specifically meant to strike and offend the social function of the space of the city and its meaning and purpose for its citizens. Within the domain of the city, buildings are poles of attraction for fluid masses of persons in which the attacker is also immersed, and the individual physical structure of the urban environment has a social function which the attacker specifically aims to disaggregate.

As with the input encoding algorithm developed in the previous paragraphs, the interpretation attempted in this chapter on the discovery of this old physical property of buildings has also been recently empirically validated.160

158 Knives or guns.
159 From M. Burawoy, ‘The Extended Case Method’, Sociological Theory, 16.1 (1988), 4-33, the extended case method aims to ‘extract the general from the unique [...] to connect present to the past in anticipation of the future [...] in preexisting theory’. Other applications can be found in Cavalcanti and Li Piani.
160 Invited to the Italian Parliament in Rome on 10th April 2017, the author of this chapter presented the fitting illustration of the terrorist attack conducted last 24th March 2017 in London, when a single attacker drove a Honda Accord against the palace of the Parliament. Despite specifically targeting the Westminster palace, the largest number of casualties were caused on the busy bridge taken to reach it.

Conclusions

Society is more and more exposed to threats and hazards which directly or indirectly result from mankind’s activities on Earth. The escalation of international terrorism in urban environments requires an effective safety design for all the elements of the city, including buildings for civilian use. The difficulty of assessing the terrorist hazard for structures of the city is mainly related to the social nature of the attacker and to the antisocial function of the attack. In this chapter, the human component which underlies terrorist attacks on buildings has been encoded using a methodology and an approach commonly followed in the dynamic assessment of mechanical input like earthquakes and blasts. In this setting, the behavior of terrorists which results from human reasoning over a finite system of available options at finite temporal discretization is thought to be less aleatory and more easily simulated than an earthquake, because its phenomenology takes root in the nature of the human being, which is known to a larger extent than many other natural phenomena.

The inference of statistical recurrences of terrorist attacks which share the same final target allows the modelling of human behavior during an attack besides its mechanical input, and encoding algorithms which mechanize the planning strategy, timing and preparation of man-made hazard scenarios as a function of the mechanical input and of the social function of the target can be generalized. Independently of the type of weapon, the terrorist hazard for a targeted building is primarily a threat for the public space it presides over. Each building defines an area of influence beyond its physical premises whose extension and shape depend on the social function of the building and on the spatial relationships with the other elements of the city, namely streets, squares and buildings, by virtue of their respective functions and mutual relationships. Since terrorism is specifically aimed at disaggregating the spatial reflection of a community, the space of influence of a building delimits its vulnerability domain for people and goods during a terrorist attack. Indeed, the social function of space must arise as a key property in the counter terrorism safety design of buildings in urban environments. In this setting, provision of safety against terrorist attacks is not possible if buildings are designed as single entities; rather, the assessment and design of the building as a block of structural elements of the city, with respect to the effects, not solely mechanical, of the carrier and its input, should be conceived for the occurrence of a terrorist attack. As a result, security for sensitive buildings of the city and their occupants must derive from the safety design of the overall urban fabric in which they are inserted, which should at the same time be inspired by the original principles of democracy, free access and aesthetics of which the European city is originally a spatial reflection.

In this view, the threat encoded and the vulnerability mapping that emerged in this project convey and promote the return to an integrated vision of the city, within which the single building is part of an urban harmony which must be recovered in a design philosophy which takes root in the human history of the built heritage.

Bibliography

Adelaja, Adesoji O, Abdullahi Labo Late, and Eva Penar, ‘Public Opinion on the Root Causes of Terrorism and Objectives of Terrorists: A Boko Haram Case Study’, Perspectives on Terrorism, Leiden University, 12.3 (2018), 35-49.
AIVD, Insight into Targets: Fifteen Years of Jihadist Attacks in the West (Algemene Inlichtingen- en Veiligheidsdienst), 2019.
Alberti, De Re Aedificatoria, 1443.
Alleyne, Emma, and Jane L. Wood, ‘Gang-Related Crime: The Social, Psychological and Behavioral Correlates’, Psychology, Crime and Law, 19.7 (2013), 611-27 https://doi.org/10.1080/1068316X.2012.658050.
Bakker, Edwin, Jihadi Terrorists in Europe: Their Characteristics and the Circumstances in Which They Joined the Jihad (Netherlands Institute of International Relations, 2006).
Beck, U., Risk Society: Towards a New Modernity, 2nd edn (Sage, 1986).
Bekkers, F., R. Meessen, and D. Lassche, Hybrid Conflicts: The New Normal?, 2018.
Billy, P., ‘The New Zealand Attack Exposed How White Supremacy Has Long Flourished Online’, TIME, 2019.
Bjorgo, T, Root Causes of Terrorism: Myths, Reality and Ways Forward, Routledge, 2005 https://doi.org/10.4324/9780203337653.
Boduszek, Daniel, and Philip Hyland, ‘The Theoretical Model of Criminal Social Identity: Psycho-Social Perspective’, International Journal of Criminology and Sociological Theory, 4.1 (2011), 604-14.
Bonobo, F., ‘Http://Francescobonomo.Blogspot.Nl/2014/08/Il-Sagrato-Delle-Chiese.Html’, 2014.
Burawoy, M, ‘The Extended Case Method’, Sociological Theory, 16.1 (1988), 4-33.
Cavalcanti, Ana Rosa C., Housing Shaped by Labour: The Architecture of Scarcity in Informal Settlements (Berlin: Jovis Press, 2018).
—, ‘Work, Slums and Informal Settlement Traditions: Architecture of the Favela Do Telegrafo’, Traditional Dwellings and Settlements Review, XXVIII.II (2017), 71-81.
Cavalcanti, Ana Rosa C., and T. Li Piani, ‘Housing by People and Their Work: Design Principles for Favelas Residents’, The Plan Journal, 2 (2019), 30.
Coaffee, J., P. O’Hare, and M. Hawkesworth, ‘The Visibility of (In)Security: The Aesthetics of Planning Urban Defences Against Terrorism’, Security Dialogue, 40.4-5 (2009), 489-511 https://doi.org/10.1177/0967010609343299.
Colaiocco, S., ‘Prime Osservazioni Sulle Nuove Fattispecie Antiterrorismo Introdotte Dal Decreto Legge 7 Del 2015 (First Observations on the New Antiterrorism Circumstances Introduced by Decree Law #7, 2015)’, 2015, p. 11.
Cox, Kate, William Marcellino, Jacopo Bellasio, Antonia Ward, Katerina Galai, Sofia Meranto, and others, ‘Social Media in Africa (A Double-Edged Sword for Security and Development)’, UNDP, 2018.
‘CTED Analytical Brief: Responding to Terrorist Threat against Soft Targets’, 2019, p. 7 https://doi.org/10.1017/CBO9781107415324.004.

Dusenberry, Donald O., Handbook for Blast-Resistant Design of Buildings, Assessment (John Wiley & Sons, Inc., 2010).
EN 1998-1 (2004): Eurocode 8: Design of Structures for Earthquake Resistance – Part 1: General Rules, Seismic Actions and Rules for Buildings [Authority: The European Union Per Regulation 305/2011, Directive 98/34/EC, Directive 2004/18/EC], 2004.
FEMA 452: A How-To Guide to Mitigate Potential Terrorist Attacks Against Buildings (2005), 2005, p. 248 https://www.fema.gov/media-library-data/20130726-1456-20490-0832/fema429_ch4.pdf.
Gaite, Jose, ‘Penetration of Fast Projectiles into Resistant Media: From Macroscopic to Subatomic Projectiles’, 2017 http://arxiv.org/abs/1705.02337.
Gennip, J.V., Policy Implication of Risk Society, 2005.
Global Terrorism Index. Measuring and Understanding the Impact of Terrorism, 2015.
H., Hao, and et al., ‘Review of the Current Practices in Blast-Resistant Analysis and Design of Concrete Structures’, Advances in Structural Engineering, 2016.
Ha, Joseph, ‘Recurrence Relations for Computing Complete P and SV Seismograms’, Geophysical Journal of the Royal Astronomical Society, 79.3 (1984), 863-73 https://doi.org/10.1111/j.1365-246X.1984.tb02873.x.
Harre-Young, Steven, Lee Bosher, Andrew Dainty, and Jacqueline Glass, ‘The Implications of the UK’s Counter-Terrorism Strategy on the Construction Sector’, Association of Researchers in Construction Management, ARCOM 2009 – Proceedings of the 25th Annual Conference, April 2014, 2009, 1285-94.
Hennig, Christian, ‘Mathematical Models and Reality: A Constructivist Perspective’, Foundations of Science, 15.1 (2010), 29-48 https://doi.org/10.1007/s10699-009-9167-x.
Home Office, Center for the Protection of National Infrastructure, and National Counter-Terrorism Security Office, Protecting Crowded Places: Design and Technical Issues, 2012.
Homeland Security Committee, ‘Terror Gone Viral: An Overview of the 75 Isis Linked Plots against the West (2014-2016)’, March, 2016.
Hussey, A., ‘France Church Attack: Even If You Are Not a Catholic, This Feels like a New and Deeper Wound’, The Guardian (France, 2016).
Jedin, H., History of Church, ed. by Jaka Book, I (Milan: Jaka Book, 1972).
Jewish Virtualibrary.org, ‘Terrorism against Israel: Comprehensive Listing of Fatalities from 1993’.
Kalvach, Z., and et al., Basics of Soft Target Protection-Guidelines (Prague: Soft Target Protection Institute, 2016).
Krauthammer, Theodor, Modern Protective Structures (CRC Press, 2008) https://doi.org/10.1201/9781420015423.
Krautheimer, R., Roma. Profilo Di Una Citta 312-1308, ed. by Dell’Elefante, Elefante (Roma, 1981).
Krier, Rob, Urban Space, ed. by Academy (Academy Editions, 1979).
Kushner, Harvey W., Encyclopedia of Terrorism (Sage, 2003).

Li Piani, T., ‘After Sri Lanka: Anatomy of Terrorist Attacks in Churches (Italian)’ (ISPI, 2019), p. 10.
—, ‘Experimental-Numerical Material Characterization of Adobe Masonry: Tests and Simulations on Various Types of Earthen Bricks and Mortar in Statics and Dynamics’ (Delft University of Technology – TU Delft, 2019).
—, ‘Local Trends and Global Dynamics of Religious Terrorism in Africa’, NATO Defense College Foundation Paper, 2019, 10.
—, Operative Guidelines for Protection of Places of Worship: A New Approach toward Security Design of Sensitive Buildings (Milan: Institute for Advanced Strategic and Political Studies, ISBN:97888940373-2-6, 2017).
—, ‘Structural Design and the Social Function of Space as Vulnerability Factor and Solution to the Progression of the Terrorist Threat in Urban Environments (Italian)’, Security, Terrorism, Society (STS), 8.2 (2018), 7-17.
Li Piani, T., J. Weerheijm, and L. J. Sluys, ‘Ballistic Model for the Prediction of Penetration Depth and Residual Velocity in Adobe: A New Interpretation of the Ballistic Resistance of Earthen Masonry’, Defence Technology, 14.5 (2018), 4-8 https://doi.org/10.1016/j.dt.2018.07.017.
—, ‘Dynamic Simulations of Traditional Masonry Materials at Different Loading Rates Using an Enriched Damage Delay: Theory and Practical Applications’, Engineering Fracture Mechanics, 218.May (2019) https://doi.org/10.1016/j.engfracmech.2019.106576.
Maggi, Alberto, Versetti Pericolosi. Gesù e Lo Scandalo Della Misericordia (Jesus and the Scandal of Mercy), Fazi (Collana Campo dei Fiori, 2011).
Mbiyozo, A., ‘How Boko Haram Specifically Targets Displaced People’ (Institute for Security Studies, 2017).
Memluk, Murat Z, ‘Designing Urban Squares’, in Advances in Landscape Architecture, 2013, p. 16.
Mumford, L., The Culture of Cities, 1960.
National Capital Planning Commission, ‘The National Capital Urban Design and Security Plan’, October 2002, 2004, 26.
National Consortium for the Study of Terrorism and Responses to Terrorism (START), Maryland University. Ngo, T., P. Mendis, A. Gupta, and J. Ramsay, ‘Blast Loading and Blast Effects on Structures – An Overview’, Electronic Journal of Structural Engineering, 7 (2007), 76-91 https://doi.org/no DOI. Niiler, E., ‘Knife vs. Gun: What a Weapon Reveals’, Seeker, 9 April 2014. Ogbogu, Jennifer, ‘Analysing the Threat of Boko Haram and the ISIS Alliance in Nigeria’, Counter Terrorist Trends and Analyses, 7.8 (2015), 16-21 https://doi. org/10.2307/26351381. Pagnini, L., R. Vicente, Sergio Lagomarsino, and H. Varum, ‘A Mechanical Method For the Vulnerability Assessment of Masonry Buildings’, 14th World Conference on Earthquake Engineering, 2008. Peinhardt, K., and N. Storring, ‘Inclusive by Design: Laying a Foundation for Diver- sity in Public Space’ (Project for Public Spaces, 2019). THREAT ASSESSMENT AND VULNERABILITY 169

Pereira, Luis, ‘New Computational Approach towards the Simulation of Concrete Structures under Impulsive Loading’ (Delft University of Technology (TU Delft), 2018). Pinho, Rui, ‘Nonlinear Dynamic Analysis of Structures Subjected to Seismic Ac- tion’, in Advanced Earthquake Engineering Analysis, ed. by Alain Pecker (Vienna: Springer Vienna, 2007), pp. 63-89 https://doi.org/10.1007/978-3-211-74214-3_5. Reitherman, R.K., ‘Five Major Themes in the History of Earthquake Engineering’, 15th World Conference on Earthquake Engineering (15WCEE), 2012. Romaniuk, Scott N., The Palgrave Handbook of Global Counterterrorism Policy (Pag. 20) (London: Palgrave, 2017). Schlickman, E., and A. Domlesky, Field Guide to Life in Urban Plazas: A Study in New York City, ed. by Julie Eakin, New York (SWA). Schmid, Alex P., Political Terrorism. A Research Guide to Concepts, Theories, Data Bases, and Literature (Amsterdam: North-Holland Publishing Company, 1984). —, Radicalisation, De-Radicalisation, Counter-Radicalisation: A Conceptual Discus- sion and Literature Review, The Hague: International Centre for Counterterrorism, 2013 http://www.icct.nl/download/file/ICCT-Schmid-Radicalisation-De-Radical- isation-Counter-Radicalisation-March-2013.pdf. —, The Routledge Handbook of Terrorism Research., ed. by Alex P. Schmid (New York and London: Routledge, 2011). Schmid, Alex P., and J. de Graaf, Violence as Communication. Insurgent Terrorism and the Western News Media (London: Sage, 1982). Schuurman, B, and Q. Eijkman, ‘Moving Terrorism Research Forward: The Crucial Role of Primary Sources’, International Center for Counter Terrorism-The Hague, 2013. Sinvhal, A., and H. Sinvhal, ‘Simulation of Synthetic Seismograms’, Seismic Mod- elling and Pattern Recognition in Oil Exploration, 1992, 63-90 https://doi.org/ https://doi.org/10.1007/978-94-011-2570-3_4. Sitte, C., City Planning According to Artistic Principles (A Random House Book: Columbia University Studies, 1889). Smith, Peter D., and Timothy A. 
Rose, ‘Blast Wave Propagation in City Streets – An Overview’, Progress in Structural Engineering and Materials, 8.1 (2006), 16-28 https://doi.org/10.1002/pse.209. Song, C., Z. Qu, N. Blumm, and A.L. Barabasi, ‘Limits of Predictability in Human Mobility’, Science, 327.November (2010). Suárez, Luis E., and Luis A. Montejo, ‘Generation of Artificial Earthquakes via the Wavelet Transform’, International Journal of Solids and Structures, 42.21-22 (2005), 5905-19 https://doi.org/10.1016/j.ijsolstr.2005.03.025. ‘Threat Assessment : Italian Organised Crime’, Europol Public Information, 7.6 (2013), 11-17. Tony Blair Institute for Global Change : How Islamist Extremists Target Civilians, 2018. 170 TIZIANO LI PIANI

Torres-Soriano, Manuel Ricardo, ‘How Do Terrorists Choose Their Targets for an Attack? The View from inside an Independent Cell’, Terrorism and Political Vio- lence, 00.00 (2019), 1-15 https://doi.org/10.1080/09546553.2019.1613983. Vidino, L., Il Jihadismo Autoctono in Italia: Nascita, Sviluppo e Dinamiche Di Rad- icalizzazione (Native Jihadism in Italy: Emergence, Development and Radicaliza- tion Dynamics), ed. by ISPI (ISPI, 2014). —, ‘Radicalization, Linkage, and Diversity – Current Trends in Terrorism in Eu- rope’, RAND Corporation, 2011 https://doi.org/10.1214/10-AOAS405. Vidino, Lorenzo, and James Brandon, ‘Europe’s Experience in Countering Radicali- sation: Approaches and Challenges’, Journal of Policing, Intelligence and Counter Terrorism, 7.2 (2012), 163-79 https://doi.org/10.1080/18335330.2012.719097. W.R. Johnston, ‘Worst Terrorist Strikes Worldwide’ www.jonhnstonesarchive.net. Wainwright, O., ‘Fortress London: The New US Embassy and the Rise of Coun- ter-Terror Urbanism’, Harvard Design Magazine, 2019. Weerheijm, J., and P. Forquin, Response Mechanisms of Concrete under Impulsive Tensile Loading, Understanding the Tensile Properties of Concrete (Woodhead Publishing Limited, 2013) https://doi.org/10.1533/9780857097538.2.181. Weerheijm, J., J. Mediavilla, and J. C.A.M. Van Doormaal, ‘Explosive Loading of Multi Storey RC Buildings: Dynamic Response and Progressive Collapse’, Struc- tural Engineering and Mechanics, 32.2 (2009), 193-212 https://doi.org/10.12989/ sem.2009.32.2.193. Wiener, Philip P., ‘The Tradition behind Galileo’s Methodology’, The University of Chicago Press, 1 (1936), 733-46. Witte, G., and L. Morris, ‘Failure to Stop Paris Attacks Reveals Fatal Flaws at Heart of European Security’, The Washington Post (Paris (France), 28 November 2015). Wright, Austin I., Terrorism, Ideology and Target Selection (Princeton). Zucker, P., Town and Square: From the Agora to the Village Green, ed. by The MIT Press (The MIT Press, 1970). 
PERSPECTIVES ON CYBERWARFARE

Sicurezza, terrorismo e società 13 (2021)

The SolarWinds hack: new frontiers of cyber warfare and geopolitical impacts
Federico Borgonovo - Luca Cinciripini - Marco Zaliani

Federico Borgonovo is an analyst and researcher at the Italian Team for Security Terroristic issues and Managing Emergencies – ITSTIME and a contributor to Il Caffè Geopolitico within its Europe desk. He holds degrees in Political Science for International Relations from the Università Cattolica del Sacro Cuore (UCSC) and in Security Policies (PoliSi), with a master's thesis entitled “L’Etnografia digitale su Telegram come Strumento di Contrasto al Terrorismo” (Digital Ethnography on Telegram as a Counter-Terrorism Tool). He specialises in digital ethnography, social media intelligence and social network analysis applied to the study of terrorist propaganda and to the modelling of recruitment tactics. In parallel, in support of geopolitical studies, he works on geospatial analysis and threat mapping.

Luca Cinciripini is a PhD candidate in Institutions and Policies at the Università Cattolica del Sacro Cuore in Milan (UCSC) and a researcher and analyst at the Italian Team for Security Terroristic issues and Managing Emergencies – ITSTIME. He is an author and the coordinator of the Europe desk at Il Caffè Geopolitico. He holds a law degree, with a specialisation in International Law, from LUISS Guido Carli and a Master in International Relations from ASERI – Alta Scuola di Economia e Relazioni Internazionali of the Università Cattolica (UCSC). His main research areas concern the Foreign and Security Policy of the European Union and its interaction with NATO. He specialises in the strategic analysis of risk scenarios and crisis areas in relation to threats to national and international security.

Marco Zaliani is an analyst and researcher at the Italian Team for Security Terroristic issues and Managing Emergencies - ITSTIME. He holds a degree in Foreign Languages for Business from the Università Cattolica del Sacro Cuore (UCSC) and a Master in International Relations from ASERI - Scuola di Specializzazione in Economia e Relazioni Internazionali (UCSC), with a thesis entitled “Information warfare: The new frontier of international hybrid conflicts”. He specialises in cyber security analysis, Open Source Intelligence (OSINT) and social network analysis. He focuses on monitoring terrorist propaganda and threats relevant to national security, with particular attention to cyber warfare and to the threats posed by terrorist and extremist organisations. His research work includes the analysis of trends and threat scenarios concerning in particular Islamic terrorism, right-wing extremism, cyber warfare and national security issues.

Abstract
The growing relevance of cyber warfare as a dimension of conflict and competition in international relations, involving both state entities and non-state actors, stems from the high level of digitization and interconnection achieved by contemporary society. Given the pervasiveness of digital tools and technologies, cyber threats can now be directed not only at the military sphere of a single country, but also at civil infrastructures, to the point of seriously endangering national security. This implies the need for a careful evaluation not only of the technical specifications connected to certain attacks, but also of the potential repercussions at the international geopolitical level. Therefore, this article traces the anatomy of the hacker attack suffered by the US company SolarWinds and underlines the scope and importance of the cyber threat and the possible systemic security repercussions for Italy. Such large-scale attacks represent an immediate danger for various key sectors in the economic and social spheres, also considering the existing regulatory vacuum at the level of national and international law, which limits the possibility of an effective response and the identification of effective countermeasures. This article identifies the main gaps and threats in the current picture and indicates mitigation factors.

Keywords
Cyberwarfare, SolarWinds, Supply chain attack, malware, APT, impact.

Introduction
This article sets out the anatomy of the hacker attack suffered by the company SolarWinds, in order to underline the scope and relevance of the cyber threat and the possible systemic security repercussions for Italy. The motivation for this analysis lies in the growing relevance of cyber warfare as a dimension of conflict and competition in international relations, involving state entities and non-state actors. Since contemporary society is now extremely interconnected and digitised, attacks on such a large scale represent an immediate danger for several key sectors. Fully examining the methods and objectives of the attack will make it possible to understand its scope and subsequently to implement adequate security measures and protocols that eliminate or at least mitigate similar threats.

The paper is conceptually divided into three sections. The first establishes a basis in the literature and then provides a detailed account of how the attack was conducted, including technical details of the modus operandi, that is, the malware used and the vulnerabilities exploited to carry out the attack. The second section is devoted to studying the impact of the attack, concentrating on its consequences. The last part, finally, focuses on Italy: in particular on the specific implications of the attack for the country and, more generally, on the existing countermeasures and protocols for dealing with similar threats and how they can be improved. The research takes into account the implications at the global geopolitical and security level, since SolarWinds and the compromised government agencies are predominantly American. The concluding part of the study also provides indications for the mitigation of high-risk cyber threats and at the same time highlights the importance of more effective cooperation between the public and private sectors to strengthen European and Italian defence systems.

Literature review and research problem
This section lays the literature foundations from which the research question of the study is developed. The literature review follows the chronological sequence of the events of the hacker attack, so as to best support the section devoted to the analysis of the attack methods used. In December 2020 FireEye, a US cyber security company, made public the news that it had been hit by a hacker attack.[1] Investigating the intrusion, FireEye's engineers discovered that the attack had arrived in the form of a malicious update to the “Orion” software produced by SolarWinds, which is used to monitor and administer the internal networks of the companies that use it.[2] In the analysis published by FireEye the malware used by the attackers is named SUNBURST. It is reported to be a malicious DLL (Dynamic Link Library) that was inserted into an update of the Orion software. The DLL is a component of the Orion software digitally signed by SolarWinds, and is reported to contain the malicious backdoor. Several US government agencies attributed responsibility for the attack to Russia in a statement.[3] The suspicion of Russian involvement in the attack found confirmation in a discovery made by Kaspersky.[4] The reporting collected on Kaspersky's site about SUNBURST revealed a possible attribution to the Russian APT group “Turla”, known for its links to the FSB. In the same month the company CrowdStrike discovered the existence of another piece of malware, used to insert SUNBURST: SUNSPOT.[5] Two more pieces of malware were subsequently identified: TEARDROP and RAINDROP.[6] The TEARDROP/RAINDROP pair had the task of “arming” the previously deployed SUNBURST backdoor. Finally, in February 2021 the existence of two further pieces of malware was detected: SUPERNOVA and COSMICGALE. The two new pieces of malware act in a similar way but are not directly connected to the four previously discovered. In updates published in February, the company Palo Alto Networks highlights that the SUPERNOVA malware was reportedly also loaded onto the victim's network through a malicious DLL, and then activated the second malware, COSMICGALE.[7] At present the identity of the hackers responsible for SUPERNOVA/COSMICGALE remains unknown; however, according to US intelligence agencies, China is behind this second group of hackers. The suspicions about China are based on the fact that the National Finance Center (one of the targets) was hit with tools associated with previous attacks by Chinese cyber spies.[8]

The literature on the subject published between December 2020 and February 2021, although it consisted entirely of grey literature and reporting, provided the basic elements for understanding the sequence of events of the attack; above all, it made it possible to gather enough material to outline a knowledge gap and its related research problem. Specifically, two closely connected gaps emerge from the literature review. First, there is currently no broad-spectrum analysis able to illustrate the attack on SolarWinds as a whole; second, no study has yet been conducted on its impact and possible future consequences.

[1] For a full reconstruction of the events see https://www.itstime.it/w/attacco-a-solarwinds-la-sequenza-temporale-by-f-borgonovo-l-cinciripini-m-zaliani.
[2] “Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor”, 13 December 2020, Retrieved from: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-SolarWinds-supply-chain-compromises-with-sunburst-backdoor.html.
[3] “Joint statement by FBI, CISA, ODNI and NSA”, 5 January 2021, Retrieved from: https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure.
[4] Georgy Kucherin, Igor Kuznetsov and Costin Raiu, “Sunburst backdoor – code overlaps with Kazuar”, 11 January 2021, Retrieved from: https://securelist.com/sunburst-backdoor-kazuar/99981.
[5] CrowdStrike Intelligence Team, “SUNSPOT: An Implant in the Build Process”, 11 January 2021, Retrieved from: https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis.
[6] Threat Hunter Team Symantec, “Raindrop: New Malware Discovered in SolarWinds Investigation”, 18 January 2021, Retrieved from: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware.

Technical description of the attack

Supply chain attacks
Before going into the more technical explanation of what happened to SolarWinds, it is necessary to understand the logic underlying an attack of this kind and why it is so significant. The fact that companies and government agencies were hit through SolarWinds (a supplier), and that SolarWinds itself may have been compromised through third-party software, makes this type of attack very dangerous and increasingly frequent. Specifically, a supply chain attack occurs when an actor infiltrates the target system through an external partner or supplier of the company that has access to its systems and data.[9] This type of attack has the peculiarity of considerably increasing a company's vulnerable “surface”, because it exploits the need of today's companies to rely more and more on external suppliers rather than handling the activity in-house, thereby exposing themselves to any vulnerabilities of their suppliers.[10] What emerged from the attack on SolarWinds is therefore a very precise logic, in which the weak link in the software supply chain was not the end users of the software but the supplier company itself. In this way the attackers, instead of spending time and resources trying to compromise their highest-value targets such as US government departments, exploited the weak point of a system that would otherwise certainly have been harder to breach.

The attack
The following section describes precisely the structure of the attack and its technical details. The attack is divided into the three distinct phases in which it unfolded.

Phase 1 - Initial reconnaissance and testing
According to the account published by SolarWinds, the first phases of the attack took place in September 2019. The initial period is extremely important because, in the following months too, attempts were made to explain how SolarWinds' networks were actually compromised in the first place. Numerous hypotheses have been put forward.

• [Hypothesis 1] Compromise through third-party software.
One hypothesis, not yet corroborated by evidence, that would explain how the initial compromise took place is that SolarWinds may itself have been the victim of a supply chain attack.

• [Hypothesis 2] Exploitation of compromised credentials.
According to another hypothesis the attackers exploited publicly available credentials to access and take control of an internal e-mail server. The credentials in question had reportedly been publicly available since 2018, when a SolarWinds intern had published on his GitHub profile the password he used, namely “Solarwinds123”.[11] Subsequently, in a hearing before the House Committees on Oversight and Reform and on Homeland Security, CEO Ramakrishna stated that the password had already been in use in 2017 and that as soon as the problem was pointed out in November 2019, the company immediately corrected and changed the password.[12] During the hearing SolarWinds was harshly criticised by the House representatives present for the low security level of the password used and for its inability to detect the problem until some time later.[13]

• [Hypothesis 3] Compromise of an Office 365 e-mail server.
This hypothesis was outlined by the CEO of SolarWinds, Sudhakar Ramakrishna, who stated that the company's internal investigation had brought to light suspicious activity in its Office 365 environment. Analysing these findings in more depth, it was discovered that, probably through the use of public credentials (the same as in Hypothesis 2), an internal e-mail server had been compromised. Through it the attackers were able to take control of a SolarWinds e-mail account and use it to gain programmatic access to other accounts of staff in business and technical roles.[14] According to what was discovered, the attackers thus had access to SolarWinds' e-mail system provided by Office 365 for at least 9 months, using it as an entry point.[15] Ramakrishna then stated that they had not identified a specific vulnerability in Office 365.[16] In response to these statements, Microsoft stated that the data hosted in its services were one of the multiple targets of the attacks (with regard to SolarWinds' e-mail services) and not the initial vector, adding that the attackers had obtained privileged credentials through alternative means.[17]

[7] Matt Tennis, “SUPERNOVA: A Novel .NET Webshell”, 17 December 2020, Retrieved from: https://unit42.paloaltonetworks.com/solarstorm-supernova.
[8] Ibid.
[9] Maria Korolov, “Supply chain attacks show why you should be wary of third-party providers”, 4 February 2021, Retrieved from: https://www.csoonline.com/article/3191947/supply-chain-attacks-show-why-you-should-be-wary-of-third-party-providers.html.
[10] Ibid.
[11] Ravie Lakshmanan, “SolarWinds Blames Intern for ‘solarwinds123’ Password Lapse”, 1 March 2021, Retrieved from: https://thehackernews.com/2021/03/solarwinds-blame-intern-for-weak.html.

[12] House Committees on Oversight and Reform and Homeland Security, “Weathering the storm: the role of private tech in the SolarWinds breach and the ongoing campaign”, 26 February 2021, Retrieved from: https://homeland.house.gov/weathering-the-storm-the-role-of-private-tech-in-the-solarwinds-breach-and-the-ongoing-campaign.
[13] Brian Fung and Geneva Sands, “Former SolarWinds CEO blames intern for ‘solarwinds123’ password leak”, 26 February 2021, Retrieved from: https://edition.cnn.com/2021/02/26/politics/solarwinds123-password-intern/index.html.
[14] Michael Novinson, “SolarWinds CEO Confirms Office 365 Email ‘Compromise’ Played Role In Broad-Based Attack”, 4 February 2021, Retrieved from: https://www.crn.com/news/security/solarwinds-ceo-confirms-office-365-email-compromise-played-role-in-broad-based-attack?itc=refresh.
[15] Robert McMillan, “Hackers Lurked in SolarWinds Email System for at Least 9 Months, CEO Says”, 2 February 2021, Retrieved from: https://www.wsj.com/articles/hackers-lurked-in-solarwinds-email-system-for-at-least-9-months-ceo-says-11612317963.
[16] Arielle Waldman, “Microsoft, SolarWinds in dispute over nation-state attacks”, 8 February 2021, Retrieved from: https://searchsecurity.techtarget.com/news/252496046/Microsoft-SolarWinds-in-dispute-over-nation-state-attacks.
[17] Doug Olenick, “Microsoft: Office 365 Was Not SolarWinds Initial Attack Vector”, 5 February 2021, Retrieved from: https://www.bankinfosecurity.com/microsoft-office-365-was-solarwinds-initial-attack-vector-a-15939.

After the initial compromise, a period of reconnaissance and testing on SolarWinds' networks began, to make certain that the attack would succeed and would not be identified before the compromise was complete. Starting in September 2019 the attackers, using several servers based in the United States of America, carefully monitored the legitimate traffic on the network so as to be able to imitate it and bypass the threat detection system used by SolarWinds, its partners and its customers.[18] This monitoring, combined with the methods used as the initial attack vector, thus gave the attackers access with elevated privileges inside SolarWinds' network. It likewise gave them time to test the various pieces of malware and malicious code in order to make best use of the security hole they had created and to strike their final targets.

Phase 2 - Backdoor insertion
Once the phase of studying and monitoring the networks was over, the attack continued by inserting the SUNBURST backdoor into the update of the Orion platform. The insertion was carried out stealthily so as not to alert SolarWinds' control systems. This operation was performed by the malware that the cyber security company CrowdStrike named SUNSPOT. CrowdStrike produced a very detailed analysis of the malware, which attributes to SUNSPOT three specific tasks in the overall conduct of the attack:[19]
1. after careful monitoring of the final stages of Orion's development process, it stealthily replaces one of the source files to include the code of the SUNBURST backdoor;
2. it inserts the SUNBURST backdoor into the “builds”[20] of the SolarWinds and Orion software for managing/monitoring internal networks;
3. it implements several safeguards to prevent the Orion builds from failing when the code of the new update is tested before release, a failure that could reveal the attackers' presence to the developers and so put them on alert.

SUNSPOT's design suggests that its developers invested heavily in ensuring that the code was inserted correctly and was not detected; they prioritised operational security to avoid revealing their presence in the build environment to SolarWinds' developers.[21] According to the malware's timestamp, SUNSPOT was created on 20 February 2020.[22] The date is consistent with the timeline of the supply chain attack suffered by SolarWinds, since it would have been created only after the monitoring period of Phase 1 of the attack. In addition, SUNSPOT was designed to activate several anti-detection measures. As a first measure it creates a mutex,[23] that is, a mechanism that guarantees that only one instance runs at a time, avoiding errors caused by two processes being started simultaneously; second, it opens an encrypted log file in which it records and hides any errors that may arise. Finally, the malicious source code is encrypted to make it inaccessible and hidden.[24] Together these measures made SUNSPOT very difficult to identify.[25]

When SUNSPOT finds a matching process, it analyses the Orion software to determine whether it is in the final stages of development (see point 1 above) and, if so, hijacks the build operation to inject SUNBURST.[26] The monitoring loop runs every second, allowing SUNSPOT to modify the target source code before it is read by the developer. The malware then checks that all the activation conditions are met. If they are not, the malware was designed to interpret any inconsistency as a signal to cease its activity, in order to avoid more conspicuous ways of stopping. Stopping SUNSPOT in the middle of its operation could in fact have resulted in incomplete tampering with the source code and thus revealed the attacker's presence. After these steps, the source file containing the SUNBURST backdoor is compiled as part of the standard process and is thus accepted by the system as a legitimate software update.

If stealth was the constant in the case of SUNSPOT, it remained so in the case of SUNBURST. The very choice of naming the malicious component “SolarWinds.Orion.Core.BusinessLayer.dll” was made not only to blend in with the rest of the code, but also to deceive the software's developers or anyone carrying out checks. The component, and many of the methods it uses, can in fact be found in other parts of the Orion software. This implies not only the intent to remain stealthy, but also a high degree of familiarity with the code base on the attackers' part, acquired over the months spent monitoring.[27] Once inserted and delivered to the target system, SUNBURST carries out a new series of tests and actions to ensure its anonymity and establish a secure connection with the attackers. In particular, these are the actions SUNBURST performs once delivered:
– it runs checks to establish whether a certain set of requirements is met before taking any action to further infect the system. For example, it verifies that it is on the correct system to infect.[28] SUNBURST in fact halts further infection if the system is not part of a domain of interest to the attackers.[29]
– it remains “dormant” for a period of between 12 and 14 days before performing a malicious action. The purpose of the period of inactivity is to keep as low a profile as possible to avoid detection;[30]
– it runs checks to detect whether security software is present, and which, and then tries to disable it. At the same time it collects information on the system it is on, which will later be used to disguise itself further in subsequent phases;
– it checks that a stable internet connection is present and verifies whether it can correctly contact the intermediate command and control (C2) server, which (through IP addresses disguised as legitimate SolarWinds ones) sends information to the final C2 server and sets SUNBURST's operating mode.[31] At this point the encrypted connection with the final C2 server is established.
– the backdoor is then open and ready to be exploited. SUNBURST's role in the attack is the delivery of the secondary malware (TEARDROP and RAINDROP), which serve to “arm” the backdoor, which on its own would be limited to collecting and exfiltrating data from the system on which it is present.[32]

[18] “A Timeline of the Solarwinds Hack: What We’ve Learned”, 19 January 2021, Retrieved from: https://www.kiuwan.com/solarwinds-hack-timeline.
[19] CrowdStrike Intelligence Team, “SUNSPOT: An Implant in the Build Process”, 11 January 2021, Retrieved from: https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis.
[20] Final stages of the development of a piece of software.
[21] Ibid.
[22] Ibid.
[23] Ibid.
[24] Ibid.
[25] Ibid.
[26] CrowdStrike Intelligence Team, “SUNSPOT: An Implant in the Build Process”, 11 January 2021, Retrieved from: https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis.
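Point 1 of the SUNSPOT tasks describes a source file being replaced just before it is compiled. The following added example (not code from the article or from the vendor analyses it cites) contrasts a check-then-build step, which a substitution inside that window defeats, with a build that hashes exactly the bytes it compiles and compares the artifact digest with an independent rebuild. The file names, the toy compiler and the origin of the manifest are assumptions made for the illustration.

```python
import hashlib
import os
import tempfile


class TamperedInput(Exception):
    """A build input does not match the reviewed revision."""


def digest(data):
    return hashlib.sha256(data).hexdigest()


def read(root, rel):
    with open(os.path.join(root, rel), "rb") as f:
        return f.read()


def toy_compile(sources):
    # Stand-in for the compiler: the "artifact" is the inputs joined in path order.
    return b"".join(sources[p] for p in sorted(sources))


def naive_build(manifest, root, in_window=None):
    """Check the tree, then let the compiler read the files from disk again."""
    bad = [p for p in sorted(manifest) if digest(read(root, p)) != manifest[p]]
    if bad:
        raise TamperedInput(bad)
    if in_window:
        in_window()  # time passes between the check and the compiler's own read
    return toy_compile({p: read(root, p) for p in manifest})


def verified_build(manifest, root, in_window=None):
    """Hash exactly the bytes that get compiled and return build provenance."""
    if in_window:
        in_window()
    sources, bad = {}, []
    for p in sorted(manifest):
        # Single read: a substitution made before it is caught by the hash,
        # one made after it never reaches the compiler.
        sources[p] = read(root, p)
        if digest(sources[p]) != manifest[p]:
            bad.append(p)
    if bad:
        raise TamperedInput(bad)
    artifact = toy_compile(sources)
    # In a real pipeline the verified bytes would be staged in a fresh,
    # access-restricted directory and the compiler pointed at that copy.
    return artifact, {"inputs": dict(manifest), "artifact_sha256": digest(artifact)}


def demo():
    # Constructed sample sources standing in for the reviewed revision.
    reviewed = {
        "src/inventory.cs": b"class Inventory { /* reviewed */ }\n",
        "src/licensing.cs": b"class Licensing { /* reviewed */ }\n",
    }
    # Assumption: the manifest and the reference digest are produced on hosts
    # other than the build server, so code running there cannot rewrite them.
    manifest = {p: digest(d) for p, d in reviewed.items()}
    reference = digest(toy_compile(reviewed))  # from an independent rebuild

    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)

        def restore():
            for p, d in reviewed.items():
                write(p, d)

        def swap():  # stands in for the source-file substitution in the text
            write("src/inventory.cs",
                  reviewed["src/inventory.cs"] + b"// unreviewed line\n")

        restore()
        _, provenance = verified_build(manifest, root)
        naive_artifact = naive_build(manifest, root, in_window=swap)
        restore()
        try:
            verified_build(manifest, root, in_window=swap)
            detected = []
        except TamperedInput as exc:
            detected = exc.args[0]

    return {
        "clean_ok": provenance["artifact_sha256"] == reference,
        "naive_fooled": b"unreviewed" in naive_artifact,
        "rebuild_mismatch": digest(naive_artifact) != reference,
        "verified_detected": detected,
    }


if __name__ == "__main__":
    print(demo())
```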

27 Tomislav Peričin, “SunBurst: the next level of stealth”, 16 December 2020, Retrieved from: https://blog.reversinglabs.com/blog/sunburst-the-next-level-of-stealth.
28 Alexis Rodriguez, “A Summary of FireEye’s Detailed Analysis on the SUNBURST Malware”, 28 December 2021, Retrieved from: https://medium.com/swlh/a-summary-of-fireeyes-detailed-analysis-on-the-sunburst-malware-d76cef328a3b.
29 Ibid.
30 Ibid.
31 Alexis Rodriguez, “A Summary of FireEye’s Detailed Analysis on the SUNBURST Malware”, 28 December 2020, Retrieved from: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sunburst-supply-chain-attack-solarwinds https://medium.com/swlh/a-summary-of-fireeyes-detailed-analysis-on-the-sunburst-malware-d76cef328a3b.
32 “Sunburst: Supply Chain Attack Targets SolarWinds Users”, 16 December 2020, Retrieved from: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sunburst-supply-chain-attack-solarwinds.

Phase 3 - arming the backdoor

Once all the preliminary phases are complete, the attackers proceed to arm the SUNBURST backdoor. To enable the attackers to execute commands on the infected network through the link established with the backdoor, implants known as Cobalt Strike Beacons had to be loaded.33 Additional malware was needed to extract and run them. First TEARDROP and later RAINDROP performed precisely that task. As Figure 1 shows, TEARDROP and RAINDROP, together with the Cobalt Strike Beacons, represent the final phase of the attack. Remote control is thus established through the Cobalt Strike Beacons, which give the attackers the ability to act in any way possible on the compromised network.

Although similar, RAINDROP and TEARDROP differ in some fundamental characteristics. According to FireEye’s findings, TEARDROP was reportedly inserted at the same time as the initial SUNBURST backdoor.34 Microsoft further specified that analysis of SUNBURST’s modus operandi revealed that the attackers chose their targets carefully, opting to escalate the attack only where the highest-value accounts and assets had been found.35 In those circumstances TEARDROP was activated.

Figure 1
Source: https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop

33 An implant that provides its user with remote operator command and control functionality over the victim’s system through an encrypted network tunnel.
34 “Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor”, 13 December 2020, Retrieved from: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-SolarWinds-supply-chain-compromises-with-sunburst-backdoor.html.
35 Ravie Lakshmanan, “Researchers Discover Raindrop — 4th Malware Linked to the SolarWinds Attack”, 19 January 2021, Retrieved from: https://thehackernews.com/2021/01/researchers-discover-raindrop-4th.html.

RAINDROP, by contrast, appears to have been used to spread laterally within the victim’s network as well as to load the Cobalt Strike Beacon. In its analysis Symantec stated that it has so far found no evidence that RAINDROP was loaded directly by SUNBURST.36 It would instead appear on networks where at least one computer has already been compromised by SUNBURST.37 Ultimately RAINDROP, although very similar to TEARDROP, would add a fundamental capability that would significantly increase the attackers’ ability to take control of target networks.38 This is because, by moving laterally within the attacked network, RAINDROP increases both the attackers’ chances of finding valuable material and their direct control over the network and the devices connected to it. With the completion of the third phase of the attack, each piece of malware has served its purpose and the attackers have achieved their objective.

Related events

In connection with the attack, some clarifications are in order regarding the involvement of third parties and the alternative methods used against the targets.

Alternative methods: In a statement, the US CISA (Cybersecurity and Infrastructure Security Agency) declared that, of the total targets hit by the attack, about 70% were compromised through the malicious Orion update. The remaining 30%, however, were reportedly compromised through methods unrelated to the main attack. CISA’s investigations found that initial access was in some cases obtained through password guessing, password spraying, and inappropriately secured administrative credentials accessible via external remote access services.39 The hackers linked to the attack also reportedly penetrated systems by exploiting known software bugs and a series of problems in the configuration of Microsoft’s cloud-based software.40

36 “Raindrop: New Malware Discovered in SolarWinds Investigation”, 18 January 2021, Retrieved from: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/SolarWinds-raindrop-malware.
37 Ibid.
38 “Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop”, 20 January 2021, Retrieved from: https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop.
39 “Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations”, 8 February 2021, Retrieved from: https://us-cert.cisa.gov/ncas/alerts/aa20-352a.
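The CISA finding above names two credential attacks that look different in authentication logs: guessing concentrates failures on one account, while spraying spreads a few attempts across many accounts to stay under lockout thresholds. The following Python example is added here and is not from the article or from CISA; the log format, thresholds, account names and documentation-range IP addresses are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed thresholds; tune them to the lockout policy of the service being monitored.
WINDOW = timedelta(minutes=30)
SPRAY_MIN_ACCOUNTS = 5      # distinct accounts failing from one source within WINDOW
SPRAY_MAX_PER_ACCOUNT = 2   # spraying keeps attempts per account low
GUESS_MIN_FAILURES = 10     # failures against a single account within WINDOW


def build_sample():
    """Constructed authentication records: 'timestamp source_ip account result'."""
    t0 = datetime(2021, 2, 8, 2, 0, 0)
    rows = []
    # One source tries many accounts once each, then logs in to one of them.
    for i, acct in enumerate(["alice", "bob", "carol", "dave", "erin", "svc-backup"]):
        rows.append((t0 + timedelta(minutes=i), "203.0.113.10", acct, "FAIL"))
    rows.append((t0 + timedelta(minutes=7), "203.0.113.10", "svc-backup", "OK"))
    # One source repeatedly fails against a single account.
    for i in range(12):
        rows.append((t0 + timedelta(minutes=i), "198.51.100.7", "admin", "FAIL"))
    # An ordinary user mistypes twice and then succeeds.
    rows.append((t0, "192.0.2.50", "alice", "FAIL"))
    rows.append((t0 + timedelta(minutes=1), "192.0.2.50", "alice", "FAIL"))
    rows.append((t0 + timedelta(minutes=2), "192.0.2.50", "alice", "OK"))
    return [f"{ts.isoformat()} {ip} {acct} {res}" for ts, ip, acct, res in rows]


def parse(lines):
    """Parse log lines into time-ordered (ts, ip, account, result) tuples."""
    records = []
    for line in lines:
        ts, ip, acct, res = line.split()
        records.append((datetime.fromisoformat(ts), ip, acct, res))
    return sorted(records)


def classify(records):
    """Label each source IP as password guessing or password spraying, and list
    accounts that logged in successfully from that source after the failures began."""
    by_source = defaultdict(list)
    for rec in records:
        by_source[rec[1]].append(rec)
    findings = {}
    for ip, recs in by_source.items():
        fails = [(ts, acct) for ts, _, acct, res in recs if res == "FAIL"]
        verdict = None
        for i, (start, _) in enumerate(fails):
            # Failures per account inside the window that opens at this failure.
            per_acct = Counter(a for ts, a in fails[i:] if ts - start <= WINDOW)
            worst = max(per_acct.values())
            if worst >= GUESS_MIN_FAILURES:
                verdict = "password guessing"
                break
            if len(per_acct) >= SPRAY_MIN_ACCOUNTS and worst <= SPRAY_MAX_PER_ACCOUNT:
                verdict = "password spraying"
                break
        if verdict:
            first_fail = fails[0][0]
            logged_in = sorted({acct for ts, _, acct, res in recs
                                if res == "OK" and ts > first_fail})
            findings[ip] = {"pattern": verdict, "accounts_logged_in": logged_in}
    return findings


if __name__ == "__main__":
    for ip, info in classify(parse(build_sample())).items():
        print(ip, info)
```

A success that follows a flagged pattern from the same source is the record to triage first; sources shared by many legitimate users (a NAT gateway or VPN concentrator) can produce a spraying-like shape and need an allowlist or a higher account threshold.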

Second hacker group involved: As the independent investigations into the attack continued, more and more malware involved was progressively discovered, and in some cases it was attributed to third parties. This was the case with SUPERNOVA/COSMICGALE. Specifically, SUPERNOVA, like SUNBURST, acts as a backdoor and allows communication with a command and control server.41 COSMICGALE is the malware executed through the SUPERNOVA backdoor, and it is based on PowerShell, a Windows tool designed to automate system administration tasks.42 This type of malware is very hard to detect because it involves the malicious use of tools already present in Windows.43 The use of legitimate programs makes detecting these attacks particularly challenging, since the tools and the actions they perform are considered legitimate.44 Further indications of Chinese involvement in SUPERNOVA/COSMICGALE were provided by the cybersecurity company Secureworks. In late 2020, Secureworks researchers observed an actor exploiting an internet-facing SolarWinds server to deploy the SUPERNOVA backdoor.45 Further analysis revealed similarities with another intrusion identified on the same network in early 2020, suggesting that the two intrusions are linked.46 Secureworks researchers attribute the intrusions to the SPIRAL group because their characteristics are consistent with the previously recorded activity of the Chinese APT group. Indeed, network intrusions involving the targeting of management servers, the maintenance of long-term access to harvest credentials and exfiltrate data, and espionage or intellectual property theft have been associated with Chinese APT groups.47 Although SPIRAL’s activity shares these characteristics, they are not sufficient to attribute its country of origin with certainty. However, the (probably inadvertent) connection to an IP address located in China, detected by Secureworks’ analysis, would seem to confirm the link to China.48

40 Robert McMillan and Dustin Volz, “Suspected Russian Hack Extends Far Beyond SolarWinds Software, Investigators Say”, 29 January 2021, Retrieved from: https://www.wsj.com/articles/suspected-russian-hack-extends-far-beyond-solarwinds-software-investigators-say-11611921601?mod=tech_lead_pos1.
41 Pierluigi Paganini, “SUPERNOVA, a backdoor found while investigating SolarWinds hack”, 21 December 2020, Retrieved from: https://securityaffairs.co/wordpress/112512/malware/supernova-backdoor-SolarWinds-hack.html.
42 Marvin Cruz, “Security 101: The Rise of Fileless Threats that Abuse PowerShell”, 1 June 2017, Retrieved from: https://www.trendmicro.com/vinfo/pl/security/news/security-technology/security-101-the-rise-of-fileless-threats-that-abuse-powershell.
43 Fred O’Connor, “What you need to know about PowerShell attacks”, 5 December 2017, Retrieved from: https://www.cybereason.com/blog/fileless-malware-powershell.
44 Ibid.
45 “SUPERNOVA Web Shell Deployment Linked to SPIRAL Threat Group”, 8 March 2021, Retrieved from: https://www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group.
46 Ibid.

Confirmation of Russian involvement: As noted earlier, the attribution of the SolarWinds attack to Russia by US intelligence agencies was virtually unanimous. Paradoxically, evidence supporting that attribution came from Russia. The well-known cybersecurity company Kaspersky published a detailed analysis of SUNBURST in which it reveals that, compared with malware already known to the company, it shows several similarities to a piece of malware of Russian origin, namely KAZUAR. The latter is also a backdoor, first seen in 2015 and attributed by Palo Alto Networks to the APT group Turla, which is reportedly linked to Russian intelligence. The first point in common is that both KAZUAR and SUNBURST implement a waiting period before connecting to the C2 server, probably designed to make network activity less conspicuous.49 Specifically, by analysing the code, the researchers found that both pieces of malware use almost the same mathematical formula to randomly compute the waiting period before contacting the C2 server.50 Further similarities were found in the way the code is obfuscated to make detection harder. In both cases the same peculiar method is used, which suggests a link between the two.51 Although Kaspersky does not rule out that these similarities may be a false flag to blame Russia, it concluded that SUNBURST was probably developed by the same people who developed KAZUAR, or that the two development teams at least shared personnel/knowledge in developing it.52

47 Ibid.
48 Ibid.
49 Georgy Kucherin, Igor Kuznetzov and Costin Raiu, “Sunburst backdoor – code overlaps with Kazuar”, 11 January 2021, Retrieved from: https://securelist.com/sunburst-backdoor-kazuar/99981.
50 Ibid.
51 Ibid.
52 Ibid.

Figure 2
Source: authors’ elaboration. Explanatory diagram of the attack, produced by unifying the multiple representations found in the literature.

Geopolitical implications of the attack

The hacker attack on SolarWinds also has major repercussions at the geopolitical level. Before analysing them, it is first necessary to consider how difficult it is to place the attack within the current regime of international law. Some US senators were quick to call this act of espionage an “act of war”.53 This is particularly significant given the difficulty of bringing such an attack within the categories provided by international law and therefore of defining it as an open violation of that law, both because this would require directly attributing the cyber operation to a specific State and because of the complexity of qualifying a cyber attack as a genuine internationally wrongful act.54 Whether a cyber attack constitutes an unlawful use of force, or an armed attack even in the absence of material damage or physical casualties, therefore remains the subject of intense academic debate, which States are interpreting in increasingly broad terms. It should nevertheless be stressed that the existence of a grey zone in the regulatory sphere is not a mere theoretical gap but also raises serious problems in terms of material geopolitical repercussions. In a digital era that will see cyber attacks and episodes of cyber espionage progressively intensify, the indeterminate legal classification of such episodes poses serious problems both for possible solutions and for the proportionality of the countermeasures to be adopted. This matters all the more when one considers not only the future impact of possible cyber attacks but above all the concrete effects of the attack on SolarWinds for the USA, and also for Italy. Some figures on the global impact of the attack follow.

To show the breadth and pervasiveness of the attack, the most affected sectors and countries have been selected. The two pie charts and the summary table give a concise but meaningful picture of the sectors (Chart 1) and countries (Chart 2) involved.

53 Yevgeny Vindman, “Is the SolarWinds Cyberattack an Act of War? It Is, If the United States Says It Is”, 26 January 2021, Retrieved from: https://www.lawfareblog.com/solarwinds-cyberattack-act-war-it-if-united-states-says-it.
54 Michael Schmitt, “Top Expert Backgrounder: Russia’s SolarWinds Operation and International Law”, 21 December 2020, Retrieved from: https://www.justsecurity.org/73946/russias-solarwinds-operation-and-international-law.

Chart 1 - Sectors targeted by the hacker attack

Source: author’s elaboration. Data provided by https://threatit.com, https://www.fedscoop.com and https://www.cybersecurity360.it

Chart 2 - Countries targeted by the hacker attack

Source: author’s elaboration. Data provided by https://threatit.com, https://www.fedscoop.com and https://www.cybersecurity360.it

Table 1

Country | Company/Entity | Sector
USA | Harvard University | Education
USA | Department of Commerce | Economy
USA | Department of Defense | Defence
USA | Department of Energy | Energy
USA | Department of Homeland Security | National Security
USA | Department of Justice | Legal
USA | Department of State | Governance
USA | Department of Treasury | Economy
USA | National Institutes of Health | Healthcare
USA | Cisco GGSG | IT
USA | NOAA | Research/Science
USA | NASA | Research/Science
USA | Mount Sinai Hospital | Healthcare
USA | Sacramento Metropolitan Air Quality Management District | Healthcare
USA | Microsoft | IT
USA | PQ Corporation | Chemicals
USA | Hamilton | Mechanical engineering
USA | Symantec | IT
USA | Kansas City Power and Light Company | Energy
Israel | College of Law and Business | Education
UK | Infection Prevention Society | Healthcare
UK | Deloitte | Consulting
Italy | TIM | Telecommunications
Italy | Fastweb | Telecommunications
Italy | Uniweb | Banking
Italy | Scuola Superiore Sant’Anna di Pisa | Education
Netherlands | ING Direct | Banking
Argentina | Banco de Formosa | Banking
Turkey | DenizBank | Banking
India | The Bank of Punjab | Banking
Taiwan | Mediatek | Telecommunications

Source: author’s elaboration. Data provided by https://threatit.com, https://www.fedscoop.com and https://www.cybersecurity360.it

Impact on the USA

As expected, the consequences of the attack were particularly severe in the USA. The compromise of SolarWinds, a US company, and of its product Orion had heavy repercussions in both the public and the private sector. The attack exposed how vulnerable the information systems of both sectors are, and how much serious damage to the functioning of society this could cause. Months after the attack was discovered, researchers were able to reconstruct which categories of targets had been hit directly or indirectly. The hackers’ victims include technology companies, local government offices, universities, hospitals, banks, telecommunications operators and many others. Among the targets hit are about 4/5 of the Fortune 500 companies, including major names in the technology sector such as Cisco, Intel and Nvidia.55 Even more significant are the targets hit among US government agencies, which include the Departments of Commerce, Defense, Energy, Homeland Security, Justice, State and the Treasury, as well as the NIH (National Institutes of Health), an agency that is part of the Department of Health.56 Although the USA has several agencies and departments devoted to cyber defence, when FireEye made its findings on SolarWinds public, neither the National Security Agency (NSA), nor the Pentagon’s Cyber Command, nor any other US intelligence service or cyber agency had detected the attack, even though it had been under way for months.57 Making the picture even more worrying is the fact that FireEye was not legally obliged to inform anyone, publicly or privately, of its discovery.

Impact on Italy

Although not directly involved, Italy was also hit by the attack. The large companies hit include Tim, Fastweb, Uniweb, the Scuola Superiore Sant’Anna di Pisa and numerous smaller limited liability companies (srl).58 The Italian targets confirm the trend already observed among the US targets, namely a preference for companies in the telecommunications (IT) sector and, in parallel, the education sector. The potential impact on Italy, and the related consequences, of a serious compromise of an essential sector such as telecommunications makes the definition of effective countermeasures an absolute priority for the immediate future.

55 “Lists of Companies Affected by the SolarWinds Hack has Published”, 22 December 2020, Retrieved from: https://threatit.com/articles/lists-of-companies-affected-by-the-solarwinds-hack-published.
56 Sara Wilson, “SolarWinds recap: All of the federal agencies caught up in the Orion breach”, 22 December 2020, Retrieved from: https://www.fedscoop.com/solarwinds-recap-federal-agencies-caught-orion-breach.
57 David Z. Morris and Robert Hackett, “After SolarWinds: Untangling America’s cybersecurity mess”, 29 January 2021, Retrieved from: https://fortune.com/longform/solarwinds-hack-cybersecurity-us-companies-hacked-fireeye.
58 Arturo Di Corinto, “La portata dell’hackeraggio di SolarWinds anche per l’Italia”, 24 December 2020, Retrieved from: https://www.agi.it/blog-italia/cybersecurity/post/2020-12-24/hackeraggio-solar-winds-sicurezza-cibernetica-10803567.

Present and future critical issues

The regulatory gap mentioned above creates critical issues both for the actual attribution of a cyber attack and for its classification within the framework regulating international conflicts. These issues then take concrete form in a grey zone of international law and inter-State relations within which state and non-state actors carry out cyber operations without directly associating themselves with them, thereby avoiding repercussions. The unclear (or absent) regulation of cyber warfare, besides making it hard to counter, complicates the definition of an adequate response to similar attacks at the global level. Since attacks are increasingly frequent and extensive, without a clear regulatory framework there is a risk of disproportionate responses and reprisals to cyber attacks deemed too serious, with heavy consequences for diplomatic relations between states. The risks outlined could be mitigated first of all through more efficient collaboration between public institutions and private actors. In this way the response to cyber incidents/attacks would become faster and more precise, minimising the repercussions on security and society. For Italy and Europe, this inevitably requires improving the threat mitigation/countering capabilities of the existing national cyber defence structure. In the SolarWinds case, the Nucleo di Sicurezza Cibernetica (NSC) was activated immediately; this is the collegial body, composed of representatives of the intelligence agencies and senior ministry officials, tasked with managing cyber incidents that could have a potential impact on national security.

Within the Italian cyber defence structure, activities are coordinated by the DIS (through the NSC), which entrusts the technical response to and prevention of attacks to the CSIRT (Computer Security Incident Response Team).59 The CSIRT in turn coordinates at European level with ENISA (European Union Agency for Cyber Security) and the newly created CyCLONe (Cyber Crisis Liaison Organization Network), whose aim is to contribute to the implementation of the European Commission’s plan for a rapid emergency response in the event of a large-scale cyber incident or crisis involving European states, coordinating the agencies of the various states at both the political/strategic and technical levels.60 With such an organisation, more efficient collaboration between the competent institutional bodies and private actors could be achieved, first, through timely information sharing by both sides in the event of a cyber attack, including through the creation of direct channels to support the NSC’s alerting unit; second, through greater operational/strategic involvement of private actors in the bodies responsible for national cyber defence. In the SolarWinds case, private companies played a fundamental role in detecting, analysing and mitigating the attack thanks to their resources and knowledge. For this reason, more direct involvement of private actors, including through ad hoc task forces, would increase responsiveness and reaction capabilities, thereby helping to mitigate the risks further.

59 Samuele Dominioni, “L’architettura italiana di cybersecurity”, 9 October 2019, Retrieved from: https://www.ispionline.it/it/pubblicazione/larchitettura-italiana-di-cybersecurity-23769.


60 “Blue OLEx 2020: the European Union Member States launch the Cyber Crisis Liaison Organisation Network (CyCLONe)”, 29 September 2020, Retrieved from: https://www.enisa.europa.eu/news/enisa-news/blue-olex-2020-the-european-union-member-states-launch-the-cyber-crisis-liaison-organisation-network-cyclone.


Sicurezza, terrorismo e società 13 (2021)

Cyberwarfare: fighting in a new dimension
Cosimo Melella

Cosimo Melella is a research analyst at the Italian Team for Security, Terroristic Issues and Managing Emergencies - ITSTIME, a subject expert in communication and information for security at UCSC, and secretary of Socint (Società Italiana d’intelligence) in Lombardia. His research topics concern advanced persistent threats, industrial control system security, and cybint (cyber threat intelligence). Cosimo Melella gained a combined bachelor’s and master’s degree in Law from Bocconi University, an MA in Public Policy and Policy Science and an MSc in Cybersecurity from the University of Milan. He has attended specialized courses at the NATO CCDCOE and is Cisco certified.

Abstract

This work explores a new type of war. Unlike past wars, it has particular characteristics that are making it so successful that it is a candidate to become the paradigm of future conflicts between nations. The 2010s began with the deployment, by state actors, of the first cyber weapon known to the general public (Stuxnet). They ended late last year with a significant cyber attack on some of the main “sensitive” infrastructures of the American government (the attack suffered by SolarWinds).
Cyberspace is, therefore, the new battlefield on which the leading players on the international stage face each other. In this arena, new forms of attack develop, such as influence attacks aimed at “influencing” public opinion by encouraging the copious dissemination of fake news through social networks.
In any fight, the goal is to overwhelm the opponent, annihilating its forces on both a tactical and a strategic level. From this point of view, cyber operations are also more effective than conventional conflicts, making it possible to launch attacks that are potentially devastating on a technological or economic level, in the short or the long run. Even without physically destroying the attacked sites, they allow any target to be struck at any time.
In light of the above, this research work starts by attempting to provide a clear definition of a cyber attack. It should be noted that this expression implies an unauthorized intrusion into a computer and a physical computer network with the intent of sabotage, which can cause anything from simple forms of tampering to denial of service, up to the exfiltration of data and infiltration into servers.
We will then outline the threat actors and the new types of attack (among them, as previously mentioned, the new channels of disinformation), which will increasingly involve mobile internet devices (smartphones and tablets), also owing to their falling cost and rising power. These trends, combined with the new health emergency due to Covid-19, have benefited users but have made it even more complicated to keep the security of “sensitive” infrastructures effective and maintained.
The paper will conclude by referring to the new strategies used by the Rogue State and by proposing new possible countermeasures and remediation methods, aimed precisely at preventing and limiting the attacks used by threat actors.

Keywords Information Security, Cyberwarfare, Advanced Persistent Threat, Malware, Information Warfare

Introduction
Throughout human history, conflicts between nations have been settled on the battlefield, deploying troops and equipment, at high cost in economic terms and in human resources, and not only in terms of trained soldiers. Cyberwarfare does not present this bill. Indeed, supremacy among nations in the 21st century will be played out to a significant extent in cyberspace, the virtual place that already today has a strategic role as decisive as that of the maritime dimension in the 19th century or the aeronautical one in the 20th. Cyberspace is therefore the new domain of confrontation in which the main actors on the international chessboard face each other, more or less openly, and where the balance of power of a new Cold War is taking shape [1]. It is in this arena that every nation, every lawful or criminal enterprise and, ultimately, every human being with particular interests and specific IT knowledge and skills can employ resources from outside the traditionally fundamental sectors to obtain strategic, military and economic supremacy.
In any fight, the objective has always been to overwhelm the adversary, annihilating its forces at both the tactical and the strategic level, and historically success in war went to the nations that could spend the most economic resources to finance their arsenal [2]. Today, by contrast, cyber operations give access to a variety of potentially devastating weapons, able to strike any target at any time, yet relatively cheap and in any case easy to obtain. The discriminating factor is once again the single individual [3].

[1] B. Buchanan, The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics, Harvard University Press, 2020.
[2] M. Friedman, Future of War: Power, Technology and American World Dominance in the Twenty-first Century, St. Martin’s Griffin, 1998.
[3] C. Hadnagy, Human Hacking, Apogeo, 2019.

There is no single definition of “armed cyber attack”, although the Tallinn Manual 2.0 defines an armed cyber attack as: “a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects (for example tampering and denial of service)”.
The expression is generally also taken to mean an unauthorized intrusion into a computer or a computer network (that is, a set of interconnected computers) involving forms of data exfiltration and infiltration of servers by unauthorized users. The definition of what should count as a “first” cyber attack is more nuanced, whether it is carried out by a nation state, a terrorist cell or a lone operator [4].
The attack might simply take the form of a set of operations aimed at disturbing and hindering the normal conduct of civilian and/or military operations without being particularly significant, or it might be a first, negligible but essential, step in a wider, multi-year operation aimed at damaging the critical infrastructure of an enemy state.

1. A new type of hacker: advanced persistent threats
The term Advanced Persistent Threat was first used during a meeting held at the USAF by a group of colonels discussing which term was most suitable for classifying the new types of hacker: well-trained individuals, schooled by adversary nation states or well funded by criminal organizations. The acronym APT subsequently became the standard term used by members of CERTs (Computer Emergency Response Teams) and is still used by almost all corporate information-security consultants [5].
For a cyber attack to be considered the work of an APT, it must meet some specific, generally accepted criteria.
1) Advanced criteria: the threat actor must have a full range of information-gathering techniques at its disposal. These range from advanced fingerprinting techniques and OSINT collection methods to telephone-interception technologies and satellite imagery (SIGINT). Not all members of an APT team can be classed as advanced, but each of them is nonetheless highly specialized and able to operate advanced attack tools as needed. Several targeting methods, tools and techniques are often combined to reach and compromise an objective and to maintain access to the target so that a new attack can be carried out later. In attacks of this kind the operators have at times shown a particular ability to manipulate security operating systems, setting themselves apart from “less advanced” threats (such as hacktivists or some cyber-criminal groups) and suggesting that they also have extensive knowledge of “cyber defence”. In essence: that they have defensive skills as well as offensive ones.
2) Persistent criteria: the threat actor has a specific, priority objective; it does not seek information purely for profit and may be directed by actors working behind the scenes. Targeting is planned and supervised through continuous monitoring by those who commission the operation and continuous interaction between them and the operators. One of the aims of APTs is to keep the target accessible over the long term: unlike threats that operate to carry out a specific task, such as ordinary hackers or those seeking financial gain, threats characterized by persistence try, at least at first, to stay under the radar so that they can operate undisturbed later on.
3) Threat criteria: the threat actor has significant capabilities and intent. APT attacks are carried out both through coordinated human actions (social engineering) and through computer actions based on specific programming languages (Java, SQL, Python). The threat criteria are usually characterized by attackers who have a precise objective and are highly motivated, organized and well funded. In the past there have been attacks from which it could legitimately be inferred that the funding came from links between criminal organizations and agents of foreign nations.
The targeting and exploitation of networks and computers by APTs always follow a well-defined methodology and practice aimed at preserving anonymity during the attack and afterwards, that is, for the entire duration of the compromise.
The lack of a single, coherent definition for the operations carried out by APTs shows how fluid and dynamic this area of study is. Moreover, the existence of an open debate among practitioners about cyber operations and analysis, the fact that the generic term APT is used very loosely, and the difficulty of defining even one of the most important terms show how extremely difficult it is to identify and isolate any threat group precisely [6].
Although the term malware [7] is regarded as a subset of the broader term “cyber threat”, it is neither exhaustive nor self-explanatory. Research and academic work in computing discuss malware as part of the computing problem, together with the bug, and any attempt to classify and examine the term branches into a stream of definitions. Terms such as social engineering and exploitation are also a substantial part of research on cyberwarfare and have the same problems [8].
An important point about the evolution of cyberwarfare is the establishment of command and control (C2) centres [9] for defensive rather than offensive purposes. The creation of these military entities was based almost exclusively on the need to defend national infrastructure and assets. It was only at the end of the first decade of the 2000s, however, that real “cyber-offensive” capabilities came into play or were widely used by nation states [10].

[4] C. Cunningham, Cyber Warfare – Truth, Tactics, and Strategies: Strategic concepts and truths to help you and your organization survive on the battleground of cyber warfare, Packt Publishing, 2020.
[5] C. Cunningham, Cyber Warfare – Truth, Tactics, and Strategies: Strategic concepts and truths to help you and your organization survive on the battleground of cyber warfare, cit.

[6] C. Cunningham, Cyber Warfare – Truth, Tactics, and Strategies: Strategic concepts and truths to help you and your organization survive on the battleground of cyber warfare, cit.
[7] Malware, or “malicious software”, is a generic term describing a harmful program or piece of code that puts a computer system at risk. Hostile, invasive and deliberately malicious, malware tries to invade, damage or disable computers, systems, networks, tablets and mobile devices, often by taking partial control of the device's operations. The purpose of malware is to make illicit profit at users' expense. Although malware cannot damage a system's physical hardware or network equipment, it can steal, encrypt or delete data, alter or compromise a computer's core functions and spy on users' activity without their noticing or giving any authorization.
[8] T. Rains, Cybersecurity Threats, Malware Trends, and Strategies: Learn to mitigate exploits, malware, phishing, and other social engineering attacks, Packt Publishing, 2020.
[9] “Command and control (C2) is the set of organizational and technical attributes and processes by which an entity manages and employs human, physical and information resources to solve problems and accomplish missions”. Command and control functions are performed through an arrangement of personnel, equipment, communications, facilities and procedures employed by a commander in planning, directing, coordinating and controlling forces and operations in the accomplishment of a specific mission. “A command and control [C2] server can also be a computer controlled by an attacker or cybercriminal which is used to send commands to systems compromised by malware and receive stolen data from a target network. Many campaigns have been found using cloud-based services, such as webmail and file-sharing services, as C&C servers to blend in with normal traffic and avoid detection”.
[10] T. Rains, Cybersecurity Threats, Malware Trends, and Strategies: Learn to mitigate exploits, malware, phishing, and other social engineering attacks, cit.

This rapid and important evolution points to a subtle shift in objectives over time: from information warfare, conducted by acquiring knowledge and information about the adversary, to cyberwar, pursued through hybrid “kinetic and non-kinetic” attacks against the adversary of the moment. It is therefore a paradigm shift on the battlefield: from hacking whose purpose was to seek information understood as a bargaining chip in the intelligence market, to the development of forms of computer hijacking as forms of attack and defence, against and in favour of infrastructures, in order to destabilize, process, store and transmit resources and information [11].
This constant clash, imperceptible to most, quickly led some of the most powerful weapons to spread beyond the perimeter of states and become outright commodities on the Internet: products that anyone can now buy to achieve their own ends. One of the first highly effective weapons to become public was Stuxnet, the worm plausibly produced by operation “Olympic Games” between the United States and Israel (although, obviously, there has never been any official confirmation that the Stuxnet worm is the result of a specific operation mounted by the USA and Israel [12]). In substance, Stuxnet is believed to have been the direct consequence of the tensions between the United States and Israel on one side and Iran on the other between the late 2000s and the early 2010s. The cause of the tension, which is still alive, is the Iranian government's declared goal of achieving nuclear autonomy. To stop the development of potential nuclear weapons, the United States is said to have released a new weapon “in code” that sabotaged the operation of the centrifuges used for uranium enrichment.
The second half of the 2010s proved just as significant for cyberwar, perhaps even more so than the first half of the decade. This happened not only because of constant tensions between states, and between states and major private companies (as with “Unit 110” and “Unit 121”, the latter also known as Lazarus, in the pay of North Korea, attacking companies such as the South Korean exchange platform Youbit in 2017), but also because of information leaks and the mass diffusion of latest-generation cyber weapons. Responsibility for the leaks and for the “free” distribution of “loaded guns” is attributed to an APT group (the Shadow Brokers), probably linked to the Russian Federation, whose aim was reportedly to fuel chaos and at the same time to sell these new weapons to Rogue States around the globe [13].
Given the developments of recent years, although cyberwarfare is currently limited to networks and their attached systems, it is plausible that it will spread exponentially in the near future. The effects will not be limited to the networks themselves and connected infrastructure but will extend to all electronic information-processing systems in the land, air, maritime and space domains. The leaks of major exploits such as BlueKeep and EternalBlue (later used to carry out a cyber attack through the WannaCry ransomware) and its variants, as well as social-media influencing and BOT tactics [14], will accelerate and increase the variety and ferocity of future attacks. The Ukrainian case of the war in Donbass could serve as a comprehensive example of how cyberwarfare might develop [15].

[11] B. Buchanan, The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics, cit.
[12] K. Zetter, Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon, Crown Pub; Reprint edition, 2015.

2. The end of the conventional perimeter
The fifth dimension is where nations and organizations will continue to fight in the near future. Holding the terrain of confrontation and outclassing the enemy in initiative is the foundation of the manuals of espionage and war: today the tools and tactics have simply changed, because of the evolution of the virtual place in which conflict 5.0 will be fought [16].
The perimeter-based security model has failed to keep pace with several factors: the evolution of the network, the proliferation of devices, the explosion of cloud computing and an increasingly mobile workforce brought about by the spread of BYOD (Bring Your Own Device) have undermined all previous theoretical models of cyber war. A truly reliable perimeter no longer exists: as soon as a user can log in from a device at home or use an app to connect to a component of the network, that defensible perimeter is essentially made vulnerable and potentially breachable at any moment (Cunningham, 2020).
Governments themselves have fallen victim to the trap of these blurred boundaries. Every case of exploitation in the last four decades has had the same cause: defensive systems failed because they depended entirely on security apparatus built on the concept of the perimeter (Intrusion Prevention Systems, Intrusion Detection Systems, Web Application Firewalls) combined with management practices that were anachronistic or, at best, ineffective (Forshaw & Moussouris, 2017). Today the perimeter-based model mercilessly displays all its limits, starting from its basic premise: the defensibility of the infrastructure's boundaries. Information defence based on this concept has had its day, just as medieval city walls were rendered ineffective by the advent of gunpowder [17].
There is also a broader problem, ambivalent in character, that will become troublesome in future for small and large businesses, and even for nations: BYOD. In the past, users necessarily had to be physically at the workplace to have access to network systems, sometimes even to information technology at all. In recent years, by contrast, the falling cost and rising power of devices, combined with the new health emergency caused by Covid-19, has benefited users but made it even harder to keep the infrastructure's security level high. The tendency of businesses and governments to embrace a culture that lives more and more on “mobility”, together with the needs dictated by the current health emergency, creates further problems for those whose job is to monitor infrastructure (critical or otherwise) [18].
Today, Virtual Private Networks (VPNs) are the main tool adopted to protect remote access by users working on BYOD devices and, in particular, by those not working on a company device (Martin, 2017). This solution has been available since the early 1990s and, although useful for reducing configuration errors, is also known for its permeability to external attacks. VPN protocols therefore have strengths and weaknesses: a hacker can break their encryption through known vulnerabilities or steal the cryptographic keys [19].
Cryptographic attacks are used by attackers and cryptanalysts to recover the plaintext from encrypted versions without the key (Aumasson, 2017). Breaking encryption, however, is computationally demanding and takes time. Cracking access keys or breaking the encryption, for example, can take years even for a powerful computer, although in future this time may be reduced by quantum computing technology [20].
For this reason most attacks also aim to steal cryptographic keys. One example is the attack on Avast and NordVPN in 2019, in which a TLS or SSL key was stolen that could later have allowed any of the company's 12 million users, mostly commercial, to be exploited through man-in-the-middle attacks [21]. Added to this is the problem of application security (apps). In many cases applications are developed and programmed with the aim of getting them to market in the shortest possible time, neglecting security, and in the end many turn out to be substantially insecure.
For this reason, and because of the principle that the human being is the weakest link in the IT chain (being “between the chair and the screen”), the perimeter-based security model has become obsolete and can no longer protect companies and institutions. It must be conceded, however, that it is not the concept of the “perimeter” in itself that fails; rather, it is the concept of defences based exclusively on a single, rapidly obsolescent system, given the proliferation of mobile technology, that makes such an approach to security rather inefficient [22].

[13] B. Buchanan, The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics, cit.
[14] T. Rains, Cybersecurity Threats, Malware Trends, and Strategies: Learn to mitigate exploits, malware, phishing, and other social engineering attacks, Packt Publishing, 2020.
[15] S. Jasper, Russian Cyber Operations: Coding the Boundaries of Conflict, Georgetown University Press, 2020.
[16] J.P. Carlin, G.M. Graff, Dawn of the Code War: America’s Battle Against Russia, China, and the Rising Global Cyber Threat, PublicAffairs, 2018.
[17] T. Rains, Cybersecurity Threats, Malware Trends, and Strategies: Learn to mitigate exploits, malware, phishing, and other social engineering attacks, cit.
[18] C. Cunningham, Cyber Warfare – Truth, Tactics, and Strategies: Strategic concepts and truths to help you and your organization survive on the battleground of cyber warfare, cit.
[19] K. Martin, Everyday Cryptography: Fundamental Principles and Applications, Oxford University Press, 2017.
Moreover, in recent decades APT attacks have generally concentrated on multinationals or large companies, because of the cost/opportunity an APT could obtain when it managed to exploit the breadth of a multinational's network. There was almost always a fairly simple way to gain access and, once past the “perimeter”, to operate undisturbed.
These opportunities have diminished somewhat thanks to the efforts and investments in infrastructure and resources made by large companies under pressure from governments. Those same targets, once easy to attack and high-yield, have now “raised their guard”, lowering the cost/opportunity for an attacker. There has therefore been a strategic change in where tactical effort is directed. All this has led to a change of targets: in the near future APTs will no longer direct their attacks at large companies but at small ones. The latter are generally short-staffed and overworked, and their network systems and related infrastructure are not configured effectively: these weaknesses make them easy prey [23].
These targets are also often tied to larger companies through supply and/or technical support. This gives the threat actor an access route which, if found, and by exploiting one of the unprotected networks, would make the whole system vulnerable. Once again, it is the nature of interconnected infrastructure that lays it open to exploitation, since a bug or a failure on one network leads to the exploitation of many others [24].

[20] K. Martin, Everyday Cryptography: Fundamental Principles and Applications, cit.
[21] C. Cunningham, Cyber Warfare – Truth, Tactics, and Strategies: Strategic concepts and truths to help you and your organization survive on the battleground of cyber warfare, cit.
[22] C. Hadnagy, Human Hacking, cit.

3. New attack techniques
As APTs direct their attacks at more vulnerable objectives, there will also be a proliferation of new methods of action and new targets.
The latter may first of all be commercial drones. These are much more than “flying minicomputers”: they consist of systems with complex control software and functionality. And while military drones, though more resilient to common attack vectors, can be compromised in various ways, commercial drones are even more vulnerable. Exploitation generally occurs mainly through attacks on the Wi-Fi controller or wireless systems, with the risk that a simple drone could turn into a kinetic weapon if control of it were seized [25].
Then there are smartphones: they are already one of the biggest targets of serious cyber attacks, since they are not protected by sophisticated antivirus software and hold enormous quantities of sensitive information. Targeted phishing combined with ransomware techniques as the means of exploitation will probably be the most widespread combination of tactics among those deployed.
The consequences of this scenario are already known: Android and Apple mobile phones have already been targeted; ScarePackage emerged on the scene at the end of the summer of 2014. This Android-specific ransomware deceives users, infecting the device through fake apps on the store that masquerade as antivirus applications and induce a considerable number of users to download them to “protect” their Android device.

[23] C. Cunningham, Cyber Warfare – Truth, Tactics, and Strategies: Strategic concepts and truths to help you and your organization survive on the battleground of cyber warfare, cit.
[24] T. Rains, Cybersecurity Threats, Malware Trends, and Strategies: Learn to mitigate exploits, malware, phishing, and other social engineering attacks, cit.
[25] C. Cunningham, Cyber Warfare – Truth, Tactics, and Strategies: Strategic concepts and truths to help you and your.

Finally there are Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. These are nothing new in the information-security landscape: they have existed since 1999, when a computer at the University of Minnesota was attacked by a group of about 100 machines infected with malware known as Trin00.
DDoS attacks, designed to disrupt the target, have over time been employed as tools to isolate adversaries temporarily, or to create political imbalances and favourable long-term conditions for the states using them. For example, through a varied cyberwarfare campaign launched in the spring of 2007, Russia is said to have triggered and intensified a political conflict with Estonia, seeking to raise public awareness of the issue of more favourable treatment for the ethnic Russian minorities in the Baltic country and of the location of a Second World War-era statue.
It is estimated that over the decades DDoS attacks have become a two-billion-dollar-a-year industry in the cyber underground. Hackers and APT groups sell their DDoS services to third-party users who extort substantial sums of money from their victims. These figures immediately convey the revenue potential and hence the inevitable growth of attacks in a sector less defensible than private circuits but just as rich in sensitive information.
Mirai will probably be the most widely used tool for DDoS attacks in the near future: it is a self-propagating worm, purpose-written with targeted attack capability. The botnet is made up of two different modules: the first a replication payload, the second an attack payload. The replication payload works by randomly scanning the Internet for devices communicating on standard IoT-based ports, in particular ports 23 and 2323.
The spread and power of the DDoS attacks that Mirai was able to inflict took the security industry by surprise. Identifying the factors behind the attacks was also made difficult, since anyone with cryptocurrency and knowledge of the TOR network could gain access to the Mirai infrastructure and launch attacks against specific targets. The ease of use shown by this new-generation type of attack, tailor-made for clandestine and criminal threat activity, has made it a weapon with enormous capacity for impact (Cunningham, 2020).
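As an added example (not part of the original article), the sketch below shows how a defender could spot the replication behaviour described above, one source probing many random addresses on TCP ports 23 and 2323, in connection records. The record layout, the threshold values and the sample flows are constructed assumptions.

```python
"""Flag sources whose traffic looks like Mirai-style Telnet scanning.

Added illustration: the record layout, thresholds and sample data are
assumptions, not taken from the article or from any product.
"""
from collections import defaultdict
from dataclasses import dataclass

TELNET_PORTS = {23, 2323}     # the ports named in the article
WINDOW_SECONDS = 60           # assumed sliding-window length
MIN_DISTINCT_TARGETS = 20     # assumed fan-out threshold per window
MAX_COMPLETION_RATIO = 0.2    # random scans mostly hit closed or filtered hosts


@dataclass(frozen=True)
class Flow:
    ts: float           # epoch seconds
    src: str
    dst: str
    dport: int
    established: bool   # True if the TCP handshake completed


def find_telnet_scanners(flows):
    """Return {source: stats} for sources exceeding both thresholds."""
    by_src = defaultdict(list)
    for flow in flows:
        if flow.dport in TELNET_PORTS:
            by_src[flow.src].append(flow)

    suspects = {}
    for src, items in by_src.items():
        items.sort(key=lambda f: f.ts)
        best, start = None, 0
        for end in range(len(items)):
            # Shrink the window until it spans at most WINDOW_SECONDS.
            while items[end].ts - items[start].ts > WINDOW_SECONDS:
                start += 1
            window = items[start:end + 1]
            targets = {f.dst for f in window}
            if best is None or len(targets) > best["distinct_targets"]:
                done = sum(1 for f in window if f.established)
                best = {
                    "distinct_targets": len(targets),
                    "completion_ratio": done / len(window),
                    "ports": sorted({f.dport for f in window}),
                    "first_seen": window[0].ts,
                }
        if (best["distinct_targets"] >= MIN_DISTINCT_TARGETS
                and best["completion_ratio"] <= MAX_COMPLETION_RATIO):
            suspects[src] = best
    return suspects


def sample_flows():
    """Constructed records using documentation address ranges (RFC 5737)."""
    flows = []
    # Scanner: 30 probes in 30 s to 30 different hosts, 3 handshakes complete.
    for i in range(30):
        dst = f"198.51.100.{(i * 37) % 254 + 1}"
        port = 2323 if i % 10 == 0 else 23
        flows.append(Flow(1000.0 + i, "192.0.2.10", dst, port, i % 10 == 5))
    # Administrator: repeated, completed Telnet sessions to two switches.
    for i in range(6):
        flows.append(Flow(1000.0 + 5 * i, "192.0.2.50",
                          f"203.0.113.{5 + i % 2}", 23, True))
    # Slow prober: 25 targets but one probe every two minutes; a 60 s
    # window never sees more than one, so this detector misses it.
    for i in range(25):
        flows.append(Flow(1000.0 + 120 * i, "192.0.2.77",
                          f"203.0.113.{100 + i}", 23, False))
    # Web client: wide fan-out on 443 is outside the Telnet ports.
    for i in range(40):
        flows.append(Flow(1000.0 + i, "192.0.2.90",
                          f"198.51.100.{i + 1}", 443, True))
    return flows


if __name__ == "__main__":
    for src, stats in find_telnet_scanners(sample_flows()).items():
        print(src, stats)
```

Only the first constructed source is reported; catching the slow prober would need a longer window or a per-day count of distinct Telnet targets.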

4. Social media and influencing attacks
Influencing, besides being a tool used to “get individuals appreciated on social media”, can be used as a weapon to manipulate information, with clear strategic implications. APTs are aware of this and are actively engaged in exploiting these apparently harmless systems of social engagement as part of their strategies of action [26].
Manipulating trends on social media requires few technical resources and, all things considered, basic tactical skills, yet these attackers can access online data streams available within the social networks and so easily influence clusters of network users inside a target nation.
Since this is a major paradigm shift in attack, threat actors can target specific segments of the population and still cause serious damage by striking collateral targets rather than attacking armed forces, infrastructure or resources that are certainly better defended. In this way they can apply pressure, influence beliefs, spread opinions, promote particular values and/or even change the behaviour of a target cluster. Because of the interconnected nature of users and audiences within social platforms, the ability to spread disinformation and fear has increased exponentially: at the speed of a like [27].
The evolution of social media into tools of information warfare should come as no surprise. Social technology evolved precisely in the wake of the acts of war that took place around 2006, with the arrival of web 2.0 in markets and services. These events were the catalyst that removed the “control” large corporate entities had over the creation of content and over messaging, and opened the Internet to all users. Control was thus dispersed, giving users, wherever they were, new opportunities to create online content instead of simply consuming digital material. From there the line was crossed, and social media and shared content began to function as tools of propaganda and war. The fact is that the human being, as a social animal, has an atavistic and intrinsic need to interact with others, and this has helped to bring about the current state of massive virtual networking. A new form of communication, customizable and open to manipulation, has therefore found fertile ground in this new digital space, which is exposed to tactical attacks potentially as dangerous as classic ones. Various state-related organizations and cyber-criminal actors have become extremely skilled at exploiting tools and specific techniques that use social media and online networking to spread targeted propaganda serving illicit ends or benefiting adversarial third parties [28].
In themselves, single tweets and posts do not scale and cannot reach an audience large enough to bring about particular actions or influence specific outcomes. To achieve a degree of virality and make the message appear worthy of further views, in essence to promote an active narrative, an influencer is needed who can be viral and recognizable and can arouse curiosity or empathy in the audience. Ultimately, the goal of any disinformation operation on Twitter, for example, is to get a message retweeted or reposted by an influencer with a significant mass of followers.
Once the message begins to be retweeted it will spread considerably, and its very veracity will be directly proportional to its diffusion. Interestingly, the algorithms within social platforms are purpose-built to counter fake news, at least at a superficial level. When an influencer likes or retweets a post, however, the algorithm is beaten [29].

[26] M. Nance, C. Sampson, Hacking Isis: How To Destroy The Cyber Jihad, Skyhorse Pub Co Inc, 2017.
[27] C. Cunningham, Cyber Warfare – Truth, Tactics, and Strategies: Strategic concepts and truths to help you and your.
Large private players, state players and even rogue states have become extremely skilled at using these platforms to spread fake news on a vast scale. Social media platforms are the most recent form of data sharing and have almost unlimited influence and impact within their respective social circles. By exploiting these resources, criminal groups and nation states can have the same impact on fundamental institutions and national initiatives as major ransomware attacks or targeted exploitation30.

5. Old and new threat actors: Russia and China

The Siberian bear awakens

Among the major players active in cyberspace with significant APT groups, Russia is not only one of the main actors but also has a long tradition of information security operations within the perimeter of military activities. Its cyberwarfare actions follow old and broad strategies whose origins lie in the rationales and aims of the USSR era. At the same time, current Russian tactical cyberwar operations allow for unorthodox solutions, such as the use of criminal actors to mask computer intrusions.

Russia has always shown considerable ability in managing its relations with other countries, influencing their domestic politics while handling crises of various kinds within its own borders. The state also maintains a complex system of disinformation practices built on the following mechanisms: misleading the enemy (by supplying false, incomplete or ambivalent information), concealing information about its own intentions, and developing and carrying out false flag31 operations in order to deceive and to plant doubt both in public opinion and in institutional actors or intelligence services, domestic and foreign alike. The manipulation of information has always been a cornerstone around which so-called "psychological operations", both covert and overt, are organized and run, in order to contaminate the way information is formed in the West.

28 M. Nance, C. Sampson, Hacking Isis: How To Destroy The Cyber Jihad, cit.
29 C. Cunningham, Cyber Warfare – Truth, Tactics, and Strategies: Strategic concepts and truths to help you and your organization survive on the battleground of cyber warfare, cit.
30 B. Buchanan, The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics, cit.
In modern Russia's cyberwarfare, disinformation as an instrument of power remains central, in government and academic circles alike, where information is regarded as a source of power. To counter effectively the so-called "color revolutions" that affected countries such as Georgia, Ukraine and Kyrgyzstan in the post-Soviet era, this strategy has expanded to cover new sectors and to increase its leverage. The connectivity and speed of global networks and of cyberspace probably offer more opportunities, and channel more energy, for making the most of disinformation mechanisms to disrupt rivals.

The Kremlin follows a broader strategy whose main aim is to disorient its enemies so as to compensate for its own declining power. Its actions sit within a wider "information space" that uses influence attacks and any other available means to spread propaganda designed to organize anti-government protests, sway public opinion and wear down the adversary's will to resist. A distinctive feature of today's Russian political disinformation strategies rests on a concept, once again of Soviet origin, known as "reflexive control": the attempt to influence an enemy's final decisions by manipulating it through disinformation and deception so that it gains no advantage or, in the best case, is pushed into decisions that produce negative effects32.

Although the Russians have always debated how to combine several instruments of action to develop new forms of operations, they will always seek to wage war in a unified information space, trying to undermine adversaries from within and gradually reduce a state's military, economic and political power. In a sense, information warfare is a direct descendant of the measures adopted during the Soviet era, a significant part of which involved spreading news stories that portrayed the West in a negative light33.

Another fundamental feature of the Russian approach to cyber strategy is reportedly the historic link between intelligence services and criminal organizations. While the United States and all first-world countries tend to avoid this practice, Moscow is said to have used numerous cybercriminals over the last 20 years as "hackers for hire" or as a means of disguising the origin of attacks that the affected governments could otherwise have attributed to the Kremlin34. In Russia, then, there would now be a symbiotic relationship between the cybercriminal world and the intelligence agencies, as well as other agencies involved in cyber operations of various kinds.

31 An expression denoting a covert tactic pursued through military operations, generally conducted by governments or secret services, designed to appear as though carried out by other entities and organizations, including through infiltration of or espionage within them.
After the collapse of the Soviet Union, Russia and Eastern Europe emerged as the main hub of cybercrime. Unlike the Chinese APTs (discussed later), which concentrated on intellectual property theft, Eastern European threat actors wrote and used malware aimed mainly at financial institutions.

The effectiveness of the attacks allegedly ordered by the Kremlin, and of other cyber initiatives against foreign nations, would therefore depend on this criminal ecosystem, which draws on a large pool of talented hackers and would make it possible to minimize the chance of the Moscow government being implicated. For example, malware created to steal banking credentials (such as Emotet) has been repurposed, but had previously been used to launch attacks in Georgia in 2008, during the brief military conflict in August of that year.

To give other examples: the Russian Business Network (RBN), a cybercriminal organization active since 1996, is believed to have been founded by individuals suspected of direct ties to the Russian military and the FSB. In support of these allegations, the founder of the RBN reportedly has strong links to Moscow's political class, and other RBN members are even said to be former FSB agents. In June 2014 the United States Department of Justice launched Operation Tovar to take down GameOverZeus, a botnet of probable Russian origin that extorted money from banks and other institutions. The botnet is estimated to have infected between 500,000 and 1 million computers worldwide.

32 Brandon Valeriano, Benjamin Jensen, Ryan C. Maness, Cyber Strategy: The Evolving Character of Power and Coercion, Oxford University Press, 2020.
33 The best-known example was the publication in an Indian newspaper in 1984 of a story claiming that the AIDS virus, then spreading in sub-Saharan Africa, was the result of genetic engineering experiments carried out in the United States (the theme has recently been revived with regard to the origin of Covid-19).
34 Turning to other countries, analysts agree that China will plausibly use criminal organizations only where strictly necessary, relying instead for the most part on the emotional bond with the motherland and the sense of duty of its citizens who live abroad and work in the high-tech sector.
In 2017 the United States Department of the Treasury charged and fined in absentia Mikhailovich Bogachev, a Russian criminal wanted together with the GameOverZeus programmers, for suspected involvement in the hacking of the Democratic National Committee alongside the APTs Fancy Bear (APT 29) and Cozy Bear (APT 28).

Eastern European countries such as Ukraine have a set of economic, political and social conditions that favor the spread of these grey areas of activity: scant legal regulation of cyber matters, permissive rules on copyright and intellectual property theft, highly educated programmers and a struggling economy make the ideal mix for intelligence agencies and criminal organizations to intermingle.

For many Russian techies crime became so profitable that they began recruiting the best university graduates, offering earnings 10 times higher than they could have made in Russia in ordinary jobs and double what they would have earned in the West35. Given these favorable social conditions, the Russian state has been able to find plenty of low-cost computing talent in criminal circles.

Although the origins of the illicit networks are hard to pin down, it may not be wrong to regard hackers, programmers and malware developers as a product of the amateur computing culture that spread in the late Soviet period: the first internationally known Russian hacker, Vladimir Levin, who stole more than $12 million from Citibank in 1994 and worked for the company AO SATURN, was self-taught. From at least the late 1960s, Soviet computing pioneers began promoting broad computing awareness among their fellow citizens in order to computerize the system and stimulate economic growth. Between the mid and late 1980s, during perestroika, these ideas led to the spread of an amateur computing culture.

The collapse of the Soviet Union, however, left a large number of highly qualified scientists suddenly out of work or underpaid. The combination of a pre-existing amateur computing culture, high levels of education in science and mathematics and, finally, unemployed professionals created an ecosystem ripe for the growth of cybercrime and for later recruitment from it to form highly skilled groups of threat actors36.

35 Brandon Valeriano, Benjamin Jensen, Ryan C. Maness, Cyber Strategy: The Evolving Character of Power and Coercion, Oxford University Press, 2020.

6. Russian cyberwarfare operations

Turning to other episodes, the Russian cyberwarfare operations against Estonia and Lithuania that followed one another from 2007 onward (after the well-known "Bronze Soldier" affair) showed how aggressively Moscow uses the digital domain. It should be noted here that Russia can harass smaller rivals with high- or low-intensity attacks without prompting the affected states to ask their allies to intervene, thereby avoiding escalation and, in effect, coming out the winner. In particular, Russia is said to have used DDoS attacks as a low-cost means of avoiding escalation, alongside broader propaganda attacks, forerunners of today's influence attacks, aimed at discrediting and isolating its adversaries. Russia used these attacks in Estonia in 2007 as a means of harassment, seeking better treatment of Russian citizens and greater respect for Estonia's Soviet past; in other cases, such as the cyber attacks on Lithuania in 2008, it reportedly sought to combine service disruption with heavily distorted propaganda, designed and disseminated to sway public opinion in favor of Russian interests37.

36 Before it vanished, RBN sold web hosting services to criminal groups and created a cybercrime hub specializing in the theft and resale of personal information.
37 At the same time a parallel domestic propaganda campaign was being run (within the borders of the former Soviet state) that sought to persuade public opinion that Estonia was a fascist regime. For example, Nashi, a Kremlin-backed nationalist youth group, emerged as a plausible leading actor in the whole affair, having led the protests at the Estonian embassy in Moscow in parallel with the riots in Tallinn.

The current Russian approach to cyberwarfare clearly involves not only the theft of "sensitive" information but also its reuse for propaganda purposes. Combined with influence campaigns, a cyberwarfare attack can succeed in steering public opinion. These actions are not meant to win immediate concessions at the international level; they create the conditions for bargaining with adversaries and third parties from a position of strength.

Added to this are sophisticated cyber toolkits such as the spyware used in Russia's cyber espionage campaigns, known as "Snake/Uroburo/Tula", which first appeared in 2005 and targeted the United States, the United Kingdom and other countries in Western and Eastern Europe. The toolkit used malware that had previously attacked the Pentagon's classified systems, and it appeared again in Ukraine in 2013. The spyware could also gain access to systems through other threat vectors, including the Adobe exploit and watering hole attacks38 using Java exploits39.

Another campaign reportedly linked to Russia, with the GRU-linked APT group known as Sandworm as its threat actor, took place in 2009; it relied on zero-day exploits40 and affected Windows operating systems. Sandworm is said to have concentrated on exfiltrating documents and e-mails containing intelligence and diplomatic information, and to have stolen TLS keys and certificates in order to breach other systems. Later, in October 2014, Sandworm reportedly used the BlackEnergy3 malware to carry out multiple intrusions in Ukraine, this time focusing on power grids and social media.

Besides Sandworm, the well-known Russian group APT 28, or Fancy Bear, is also said to have used malware in a similar way to target interest groups; this time, however, the attacks were reportedly directed at targets of the Russian state, including ministries and newspapers throughout the Caucasus region, the Polish and Hungarian governments, NATO and the Organization for Security and Co-operation in Europe (OSCE) (Threat Intelligence 2014)41.

Cyber espionage in cyberwarfare is also a means of manipulating and weakening the institutions of internal opponents. According to FireEye, the cyber espionage campaigns of groups such as APT 28 have shown that "Russia has been more effective at integrating cyber espionage into a grand geopolitical strategic campaign, not only military but economic and political". For example, the malware used by Energetic Bear to infiltrate the networks of companies associated with the aviation sector and of major defense contractors in the United States and Canada, first discovered in 2011, later appeared in 2013 inside major energy companies such as Exxon Mobil and British Petroleum.

38 Brandon Valeriano, Benjamin Jensen, Ryan C. Maness, Cyber Strategy: The Evolving Character of Power and Coercion, cit.
39 In May 2007 another toolkit, nicknamed "Red October", infiltrated diplomatic and government agencies in several countries, including the United States, and even spread into Eastern Europe, exploiting vulnerabilities in the code used in Microsoft Word and Excel to steal data from mobile devices such as smartphones and from corporate network equipment.
40 Andy Greenberg, Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers, Anchor, 2019.
It should be noted that Energetic Bear is still active and carries out attacks that combine digital and kinetic warfare for military or political ends. Energetic Bear also uses tools that imitate the Stuxnet worm. Its exploitation toolkit, however, reflects a new approach: it compromises the update sites of several ICS software vendors by means of RAT-type malware (Remote Access Toolkit). The toolkit uses three main infection methods: spear phishing through PDFs with embedded Flash exploits; trojanized software installers; and watering hole attacks42. The malware appears to have been adapted from the source code of malware and trojans available on the cyber black market, but updated for cyberwarfare between major state players.

Since 2008 the APT group MiniDuke, together with the APT group CosmicDuke, is said to have operated for espionage purposes, likewise funded by the former Soviet state, appearing for the first time after 5 April 2008, the date on which United States President Obama gave a speech arguing for the development and installation of a missile defense shield in Poland. These groups, highly specialized in espionage, are technologically well equipped, highly skilled and organized, which allows them to mount elaborate network attacks through both rapid intrusions and long-term operations, all capable of collecting enormous quantities of data and of hitting various kinds of targets, from foreign governments to international organizations operating on Russian soil and elsewhere. In 2013 the group was linked to a spear phishing campaign aimed at the Ukrainian Ministry of Foreign Affairs.

Another Duke variant, under three different names (CozyDuke, CozyBear or APT 29), appeared after 2014. This group usually aims to steal information from entities closely tied to Russian geopolitical interests and priorities, including: Western governments, in particular foreign policy information and defense-related targets; international security institutes and legal institutions such as think tanks; and educational institutions. In 2014, in a spear phishing campaign, CozyDuke reportedly breached targets through malicious video attachments which, once opened and viewed, exposed several devices to attack. Some of the most successful spear phishing attacks relied precisely on invitations to watch a video, Office Monkeys LOL.zip, to which malware was attached. Attacks of this kind helped the group gain access to the White House's unclassified network in 2014. The group focused on people with access to critical infrastructure, attacking them through socially engineered spear phishing campaigns that induced users to download malware. In early 2015 the group used a piece of malware, HAMMERTOSS, to extract data via Twitter, GitHub and cloud storage services.

41 Unlike traditional Russian cybercriminal groups, "APT28 did not exfiltrate financial information from its targets and does not sell the information it collects for profit".
42 FireEye contrasts APT 28 with the threats posed by China for intellectual property theft. Threats such as APT28 can mask their activity through "satellite Internet links (in particular IP addresses in countries of the Middle East and Africa) to hide their C2".
The style and content of these cyber attacks reflect two logics of cyber espionage and of its coercive potential. First, access to the target networks sets the conditions for follow-up operations; in military jargon, this refers to the actions needed to prepare the environment for future action. Moreover, gaining access to sensitive networks and targets not only yields information: even if the intrusion is discovered, the target is left wondering what else has been stolen and which other networks have been compromised, which leaves it in a psychological state of uncertainty.

7. The Chinese dragon

A few years after the implosion of the Soviet Union and the consequent decline of its power on the global geopolitical chessboard, China established itself as the new major competitor. In cybersecurity in particular, the narrative of the Chinese threat keeps returning, with the dragon's imminent cyber challenge to its American adversary. Mearsheimer argues that China is the only real threat to the security of the United States and the West, and that China's hegemonic ambitions will eventually lead to a military clash, starting precisely from an escalation born in cyberspace. According to other analysts, by contrast, it is more likely that competition with China may also be a stimulating challenge for the United States, spurring it to modernize its defense sector43.

In the approach China has adopted, cyber tools are meant to alter the balance of power over the long term. Seen in this light, China's rise comes with a corresponding increase in Beijing's ability to gather information and know-how in order to compete with first-world states. The connectivity of the modern world changes the character of strategic interactions and lets China focus not only on traditional military targets but also on a wide range of social, political and economic ones. The combination of subjective and objective factors, psychological warfare and cyber intrusions gives the powerful Asian state a unique outlook as a decisive cyber actor, thanks to a focused, surgical pursuit of a competitive information advantage after having long lagged behind.
Today China is mainly engaged in cyber espionage, which serves both to steal valuable information, altering the economic and military balance over the long term, and to probe the real capabilities of its rivals. Contrary to expectations, however, Beijing's actions still tend to be fairly limited: its activities in cyberspace aim above all at economic and informational advantage, sometimes appealing to the national sentiment of its own hacktivists (who are anything but close to their Western counterparts) on issues such as rights to the sea lanes off the China Sea and the treatment of North Korea.

Beijing exploits its position in the fifth dimension to enable its rise to great-power status. The Chinese approach to the digital domain also shows an almost obsessive attention to innovation aimed at control and at economic advantage. Since December 2016 the "Chinese National Cyberspace Security Strategy" has been organized around three main points: political stability, economic progress and cultural solidarity. The "strategy" shows how military competition is moving online and that the cyber arms race is taking place among only a very small number of nations.

Chinese cyber doctrine is intrinsically linked to the other military doctrines taught for decades in the party's elite military and political academies. Indeed, until the 2016 National Strategy was implemented there was little to distinguish information warfare from cyberwarfare. Wang Pufeng, known as the founding father of Chinese information security doctrine, writes: "information warfare is a product of the information age which to a great extent utilizes information technology in battle".

This perspective is an evolution of earlier Chinese writings on information warfare, which integrated classical and communist strategic theory. Mao Tse Tung himself held that it was necessary to win popular support and first wage a long guerrilla struggle before moving to conventional operations. Modern connectivity would increase the potential for mobilization and create new geographies of attack for guerrilla campaigns designed, with lethal or non-lethal means, to wear the enemy down over time. Looking back at Mao's concept of "protracted people's war", the key factor is the depth of Chinese military doctrine.

If theory provides a lens through which to anticipate the effects of a cyber conflict, the 1991 Persian Gulf War gave the United States the strategic setting in which to move from theory to practice, and in that conflict it demonstrated a great capacity to destroy Iraqi military capabilities. The leading military theorists of the People's Liberation Army judged the first Persian Gulf conflict to be a new way of waging war. This revolution in military art brought out two aspects: while US analysts tend to focus on how satellite technology, command networks and aircraft enabled precision military strikes, Chinese analysts drew a broader lesson, in particular about information and cyberwarfare.

43 Brandon Valeriano, Benjamin Jensen, Ryan C. Maness, Cyber Strategy: The Evolving Character of Power and Coercion, cit.
The Chinese conviction that Operation Desert Storm had been won thanks to information technology, based on the assumption that the United States had attacked Iraq's computer systems, shaped China's strategic choices on cyber policy. The US victory was thus decisive in establishing Chinese doctrines that conceived of cyber warfare as offensive in character. The initial focus in forming China's strategic choices on cyber policy rested on the premise that Iraq could have defeated its adversary had it struck the United States early, while it was still massing its forces in Saudi Arabia.

This conviction rests on the strategic effectiveness of rapid, surgical attacks with a single objective: to weaken the adversary and prevent the full mobilization and deployment of its forces in the field. The strategic effectiveness of "multi-domain" raids, however, made sense only until the United States adopted the AirSea Battle doctrine in 2010. Under AirSea Battle, the United States threatened blinding attacks in the cyber, air, sea and land domains, that is, against "Command, Control, Communications, Computers, Intelligence, Surveillance and Reconnaissance" (C4ISR), fielding a system designed to limit Chinese capability.

The mutual threats of incursion appear to have produced a strategic equilibrium. Instead of seeking a preemptive strike, Beijing is working with a mix of threats and limited diplomatic acts, cyber included, in order to contain the possibility of escalation.

Offensive actions and threats in the digital domain can also play a defensive role as a deterrent. In this new world, for Chinese strategists, offense is more effective and simpler than defense: the first contender to disrupt its rival's information gains the advantage. Control of information is, in fact, the precondition for achieving supremacy in the other dimensions.

An effective cyber strategy is the result of planning with a good measure of subjective creativity, which manipulates the dynamic aspects of the environment in which it is now important to operate strategically and which is characterized by objective cyber conditions. Chinese cyber doctrine in general concentrates on three tasks: identifying vulnerabilities and exfiltrating data; pinpointing specific communication networks in order to counter the adversary; and acting as a force multiplier.

8. Chinese information warfare

The first task, espionage, is perhaps the keystone of the entire Chinese strategy. From it follow the advantages gained from the theft of information, as well as the conviction that supremacy over adversaries depends, in the long term, on intellectual property. Innovation is one of the keys to growth, and today, in the information age, intellectual property and the trade secrets attached to it lie at the heart of innovation and of productivity gains. Blocking the adversary and multiplying one's own forces in the cyber domain cannot happen without success in the first task, that is, without achieving information dominance on the battlefront.

The objective that drives security strategy in the modern world is therefore the relationship between information and power. Over the last half century the Chinese strategic community's view of the relationship between information and power has crystallized; one cause lies in the globalization of the world economy and in the greater integration between development and the capacity to process information. This objective condition underlies the concept of "information warfare", in which the shaping and selection of strategic objectives depend on the ability to control information and to carry an attack on information through effectively, including the sabotage or destruction of infrastructure, information sources or systems used on the battlefield. This last aspect is all the more relevant given that today the armed forces of almost every country have to depend on control of the computer network for their survival or for achieving their objectives. The relationship between information and power, as determined by cyber environments, thus creates new strategic models.
In 1995 Shen Weiguang defined information warfare as "war for control of decisions, in which information itself is the main weapon, designed to attack the enemy's communication systems and to influence, contain or change the decisions of enemy policymakers and their consequent hostile actions. The main target of information warfare is the enemy's trust, and the objective is to exert control over its actions". The advantage to be gained from controlling information is clearly a fundamental objective, one that today defines the way China operates in cyberspace.

Pursuing innovation in one's own sectors by exfiltrating information is obviously faster than trying to develop know-how through research and development in new areas, which requires multi-year investment and carries far higher risks. But technological know-how is not so simple to steal and apply to new markets. Stealing technology also requires the ability to adapt the know-how: it takes the capacity to analyze it, to apply it and to demonstrate that working prototypes behave as expected. Moreover, stealing information or exploiting particular vulnerabilities to gain advantages through illicit shortcuts reminds adversaries how vulnerable they are in the information age, forcing them to take countermeasures by drawing on their own expertise.

This process was central to the hacking of the Office of Personnel Management (OPM) in 2014, which led to the acquisition of 21.5 million accounts, comprising employee records and people seeking US government security clearances. By attacking key nodes, the hackers, presumed to be Chinese, were able to tilt the balance of information between the two sides in their own favor.
With this attack China is said to have exposed American vulnerability and, above all, to have shown a very resolute attitude and no deference towards the United States, while at the same time highlighting the potential risks of an escalation of attacks following any dispute between Beijing and Washington.

The manipulation of information is, moreover, a key component of modern information warfare. Murawiec observes that, “just as in the days of Sun Tzu, the aim of war – or the aim of Chinese regional strategy – was not to destroy the enemy but to persuade him of the adversary’s strength before attacking him”. Although the quotation refers to an ancient past, the connectivity of the modern world offers new vectors along which to develop strategies of influence and manipulation, which make a vision based on intimidation rather than on actual power relevant today.

Now, since China’s capabilities for achieving its objectives of manipulating and controlling information are considerable, protecting networks becomes the key task of the Chinese militias. This may surprise analysts who consider only its offensive power, but the reality is quite different: China is just as vulnerable in cyberspace as any other advanced nation. Indeed, the risk of cyber vulnerability is an unavoidable issue for any state. China too is therefore beginning to research techniques and develop strategies for protecting its own sensitive information structures, a key consideration that is often ignored when the capabilities of Chinese APTs are assessed.
To understand the Chinese strategic view of cyber warfare, one must first understand Beijing’s position in this world, its aspirations, its vulnerabilities and its possibilities. Chinese perspectives on information warfare emerge from the intersection of Chinese strategic theory on cyber conflict and the concept of “people’s war”, adapted to modern conditions in order to defeat a technologically superior adversary such as the United States.

China prefers to map US networks to identify points of access for later use rather than aim at cyber clashes that bring only short-term advantages. In any case, whether through short-term access or through the long-term theft of intellectual property designed to alter the balance of power over decades, Beijing shows that espionage can be an effective way of obtaining positive externalities in cyberspace.

This logic implies the need for greater strategic restraint in launching offensive strategies, so as to avert escalation in the event of a possible and imminent cyber war between the major cyber powers. Beijing is engaged in classic bargaining, using a mix of threats and limited diplomatic acts, including cyber action, in order to limit strategic escalation. The main concern about Chinese cyber espionage lies in how stolen data could change the balance of relative power in the international system.[44] The strategic dominance over the economy or in the cyber domain that some observers attribute to the emerging power is greatly overestimated. Although there has been a large transfer of technology, it is not clear how much China has actually gained from a strategic point of view. Moreover, the Chinese dragon still depends on Russia for military hardware, and not only that: it is not even clear whether its strategic planning still starts from the assumption of a rapid victory in a possible conflict for control of Taiwan.

[44] The remark by General Keith Alexander, commander of United States Cyber Command and of the NSA, who describes Chinese cyber espionage as “the greatest transfer of wealth in history”, illustrates two things: both how China has control of its dominant position and the hyperbole attached to the state’s actions. Richard Clarke, a former White House official, has similarly argued that the real danger from cyber dominance by a foreign power is not the risk of suffering a digital Pearl Harbor, but an economic death caused by the competitive advantage in innovation “given away to third parties”. Such quotations are obviously rather exaggerated in claiming that China dominates the United States economically.

Although the attribution problem is much discussed, what is missing is an identification of the flaws that make these exfiltrations possible. The challenge of acquiring information became more acute after the events of Tiananmen Square in 1989 and the sanctions that followed. On that occasion George H. W. Bush suspended military sales, and the United States Congress voted to support Bush’s executive order and to suspend all trade missions and talks until progress was made on human rights in China. The measures also banned technology licenses and introduced tighter export controls on dual-use technology, both civilian and military.

The Chinese reactions to the condemnation of, and consequent sanctions over, what they regarded as an internal affair were swift, and accelerated from the 1990s through the 2000s. Inkster observes that “some Western analysts have interpreted the new, more assertive China as the product of a decades-long strategy to replace the United States as the world’s leading power by 2049, the hundredth anniversary of the People’s Republic. In this view, the ground for China’s rise was prepared through deception and concealment aimed at lulling the West into a false sense of security”.

There is, however, evidence that Chinese efforts have not been very successful, suggesting an overlap problem between the APT teams that break into systems and those that, even years later, enter the same organizations. And the fact that the exploits designed to gather information are always the same suggests that in many cases China has failed to identify the principles underlying that technology. Cyber espionage is difficult, especially when there are challenges of coordination and learning: stealing technology does not mean that one is automatically able to use and implement it. The history of innovation is full of failures following industrial theft, and even of failures when direct collaboration takes place.

Lindsay and Cheung stress that “excessive dependence on economic espionage could become an obstacle in China’s quest to become one of the leading industrial superpowers”. Failure to develop domestic industry can be catastrophic. The other cause for concern among analysts in the field is the state’s inability to produce new technologies once they have been stolen. The innovation process is often separate from the production process, and introducing an unnatural step that skips stages can “create dependence through investments in a large-scale absorption effect”.

On the American side there have been major efforts to unmask Chinese agents, some of which have produced results, and several hackers have recently been discovered and removed from the espionage game. The culmination of this activity clearly came in 2014 when, with the surprising move of naming five officers of PLA Unit 61398, the West took a bold step to counter the proliferation of Chinese APTs and to make it known that the United States could provide evidence of specific actions in cyberspace.

Hannas and others write that “cyber espionage is the latest and perhaps most devastating form of Chinese espionage, striking at the heart of American military advantage and technological competitiveness”. There is another aspect to this story that could be reassuring but could equally have negative implications: Inkster observes that “meanwhile, the developing world is increasingly being wired by China, almost certainly in circumstances that will allow the country’s intelligence community to access the information that transits those networks”.
Although there has been a sharp decline in Chinese cyber operations since 2014, the argument is that China has already moved on to more sophisticated operations in cyberspace. But this conclusion rests on intuition without concrete evidence. Alternatively, China may have concluded that a more stable cyberspace is in everyone’s interest, especially with a domestic population that is increasingly difficult to control and with criminal actors present.

Recently China appears to have concentrated on conventional espionage operations, owing to the extensive network of Chinese citizens in the United States and of sensitive targets. The agreements signed between China, the United States and Canada show a willingness to avoid espionage for commercial advantage and an interest on China’s part in shaping the normative system in cyberspace, steering permitted action away from commercial espionage; they also suggest that China has decided to concentrate on hacking activities aimed at gaining a military advantage in the event of extensive cyberwarfare.

Any discussion of Chinese cyber activities must address the cover the state provides for the actions of criminal groups and the role of certain nationalist groups. The Party’s support for cybercrime was influenced by the shift from a Marxist-Leninist approach to economic progress to a capitalist turn focused instead on economic growth, which in effect encouraged cyber criminals to operate in cyberspace. This rather simplistic paradigm highlights the advantages cybercrime enjoyed in China in the early days of the Internet: total deregulation, a lack of interest on the part of the state, which appeared to have been rectified only in 2015, and society’s acceptance of the rise in social status achieved by some.

Because of the lack of regulation, the cybercrime market proliferated rapidly in China in past decades. There has, however, been a scaling back, with renewed state interest in reasserting control after 2009 and, subsequently, a more determined focus. In an attempt to exploit the particularly aggressive form of Chinese nationalism, Chinese hackers were encouraged to “fight for the honor of their homeland”.

Criminal behavior in cyberspace has motivations that are clearly different from the state’s, and criminal actors have far lesser capabilities than institutional actors. The point at which criminal behavior and state behavior diverge is of some interest for our study: while Russia shows a close link between criminal actors and government agents, China does not consistently operate at that level, although the practice of co-opting criminals is entirely possible. Account must also be taken of Chinese nationalism in cyber activism, which can be and has been channeled by Beijing.
Lindsay suggests that these actors will be the wild cards in cyberwarfare. In an attempt to maintain control over the national population and over the flow of information, a 2015 bill required service providers to hand over encryption information to the state, a measure aimed at installing backdoors in both software and hardware systems. These backdoors serve mainly to monitor those at home, certainly not those abroad.

The real objective of many Chinese operations is to control the social, economic and political demands and aspirations of its own population: China seeks to maintain internal control by maintaining dominance over its own digital systems. In a sense, the attention paid to external disruption, attacks and espionage has further encouraged this development, and could be a source of restraint on future cyber conflicts initiated from outside.

9. Defensive planning in future cyberwars: new strategies

Countering attacks carried out by APTs is not simple: it requires of the defender a non-trivial plan of action and an awareness of their own position in the field and of the mistakes that can be made. A poorly coordinated action would be ineffective and could even have the opposite effect. Although these warfare operations are rather unusual, they have a significant impact in the real world: the price paid by political campaigns hit by attacks of this kind has been exorbitant.

In military history, actual combat is almost always preceded by a long series of frictions and mutual provocations; in fifth-dimension campaigns, by contrast, it is normal for adversaries to spend a long time below the radar before the attack, with no skirmishes between the two. It can safely be said that there is an inversely proportional relationship between the time spent planning an attack and both the number of clashes and the time taken to complete the attack itself (Sir Freedman, 2015). The phase preceding an attack consists of a series of “reconnaissance” actions that begin with discovering and mapping the network and the technical capabilities of both the attacker and the target, followed by working out the technical aspects specific to the attack campaign. Once the target has been identified, the attack is launched against the enemy target using detailed data combined with specific, carefully chosen toolkits.

The main attacks of this type can be classified as follows (Cunningham, 2020): 1) industrial espionage campaigns; 2) disinformation; 3) electoral interference; 4) data harvesting; 5) theft of intellectual property. The nature of the terrain, the virtual battlefield, could make escalation between the belligerents more likely.
In this regard, the existing predictive models useful for describing both the “phases” of an attack and the actions that would precede a possible large-scale escalation are Lockheed Martin’s Cyber Kill Chain and the MITRE ATT&CK framework.[45] These matrices, which analyze the various types of attack and the tactics employed, are commonly considered essential for predicting the attack life cycle, which consists of a succession of “action steps” that can increase on both the offensive and the defensive side.

All the constituent elements of the matrices are chosen and chained to one another to achieve maximum effectiveness in exploiting the breached system. For the defender this means that by intervening in one or more steps of the cycle it will be possible to weaken, if not nullify, the intrusion; for the attacker, it means that achieving maximum effect from the breach requires continuous effort and continual modification of their action against the breached system. The weak point of this strategy is that it can be prohibitive in terms of time and cost. This consideration obviously applies particularly to earlier exploitation cycles, in which a specific technical exploit had to be the lever needed to breach the target.

[45] S. Jasper, Russian Cyber Operations: Coding the Boundaries of Conflict, cit.

The change in tactics, from a purely technical approach to one combining social engineering techniques with false flag operations, has profoundly altered the structure of today’s cyberwarfare. False flag operations are not new to war scenarios, but nowadays they are used on a massive scale in the fifth dimension. Russian APTs are among the best at using false flag and disinformation techniques to redirect potential attribution towards other adversaries.[46]

It is very difficult, if not almost impossible, to classify all these new types of attack and their phases or “action steps”. In the early cases of hacking, operations carried out by APT groups affiliated with rogue states were, at least in part, characterized by the need to find a vulnerability in the attacked system and create an exploit (namely the NotPetya malware, to return to the events in Ukraine in 2017); but already now, and ever more heavily over the next decade, cyber attacks will move outside the conventional patterns of the Cyber Kill Chain.
Virtual space is increasingly interconnected with physical space, and an attacker no longer needs to follow slavishly the chain of events as defined in the conventional matrices, as happened in the past.[47]

The use of social media and the spread of advanced exploitation techniques and tools, thanks to the leaks from the NSA at the hands of the Shadow Brokers, now allow APTs to operate routinely outside the normal frameworks, such as the network infrastructure and domains used in the past.[48] Indeed, the “action steps” of attack campaigns are not only shorter but require fewer technical means, and their probability of success has even improved.

The more accessible technology becomes, the more our lifestyles come to depend on it. The new objective of future attack campaigns will probably be the manipulation of social narratives in order to foster conflict over matters of public interest, in line with the ancient Roman adage “divide et impera”.[49]

[46] S. Jasper, Russian Cyber Operations: Coding the Boundaries of Conflict, cit.
[47] B. Buchanan, The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics, cit.
[48] B. Buchanan, The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics, cit.

The new attacks will probably consist of previously used techniques, such as phishing, but whereas attacks once concentrated on exploiting a “technical” target or exfiltrating data relating to a “high-value” target within a public and/or private organization (whaling attacks), in future they will concentrate more and more on influencing and on the use of influencers. In other words, the most plausible objective of the “attack campaigns” that will spread in the near future will be to disseminate fake news and confuse the most susceptible sections of the population for destabilizing purposes.

This new method of action, of which the first significant episodes are already visible, is less elegant than spear-phishing or technical exploitation, but more effective at large scale and in the long run. The probability of success is also much higher, since the numbers are exponentially larger. The new paradigm in cyberwar operations differs from the past and requires a change in thinking and acting in order to classify and potentially understand the new attack vectors.
This new approach can be summarized in the following points: 1) track disinformation campaigns; 2) intercept and analyze potentially harmful URLs and domains; 3) keep track of what influencers share; 4) respond to and remediate potential “infections”; 5) devise and carry out technical response actions for future instances of similar attacks; 6) raise awareness through targeted awareness campaigns.

Conclusions

To have any real hope of being sufficiently prepared for this new type of assault, a paradigm shift will be imperative. It is certainly not useful to keep trying to apply isolated technical solutions to a problem that requires a broader-spectrum approach.

The starting point must be to consider cyberspace a warfighting domain in every respect: an extensive digital battlefield in which every state, every criminal and/or terrorist organization, even a single user with network access, becomes a potential danger. It is also worth repeating that it is the only place where rogue states, such as North Korea, can target superpowers and strike effectively. It is likewise imperative to accept that virtual damage has effects equal to or greater than physical damage.

[49] J.P. Carlin, G.M. Graff, Dawn of the Code War: America’s Battle Against Russia, China, and the Rising Global Cyber Threat, cit.

A strategy will have to be devised that also involves the state’s productive fabric: any infrastructure may contain exploitable backdoors, and it is very likely that an attacker has already established a foothold there. Just as no wall is high enough and no moat deep enough when the enemy is already inside the besieged city, no firewall and no web application firewall can protect a computer system that is already compromised. And the use of “heavy” tools to try to flush out APTs, such as intrusion detection systems or packet frameworks like IPsec, will probably prove ineffective and, moreover, expensive in terms of cost and technology.

The best security strategies aim to identify sensitive targets by matching system vulnerabilities against specific security requirements, so as to provide procedures that help respond adequately to an attack. Strategies will have to be reviewed periodically, and also updated ad hoc whenever technical circumstances require it, to ensure a constant response capability and a degree of flexibility in the face of technological change.

In defensive operations, when planning for a large corporate or institutional organization, the approach must not be approximate and/or hasty.
Although such an approach can sometimes make sense in urgent cases, aiming in normal circumstances to reach too many goals at once could prove a mistake: for defensive planning to be truly effective, it will be necessary to plan in good time and proceed in sequence. Having implemented only 90% of the defenses in a reasonable time while leaving the remaining 10% of the organization unprotected is an unforgivable risk that can render all the previous work ineffective.

Network segmentation, for example, may seem an efficient choice, but relying on it alone is like adding a tower to a castle while leaving the keys to the front gate on the tavern table. An APT’s greatest victory is not merely gaining access to a system but penetrating as deeply as possible and finding further flaws with which to set up new operations in the future. It is network segmentation combined with the granular enforcement of access controls that reduces threats to a minimum.

Defenders generally look for high standards of “response”, in order to react or respond tactically to the adversary in the phases that follow exploitation. However, in a world such as cyberspace, where there are no rules of engagement, waiting and responding at a later stage means letting attackers thrive undisturbed, free to operate and to gain a tactical advantage.

SIEM solutions (Security Information and Event Management, tools for analyzing the corporate infrastructure) have been advertised as if they were “the single control tool”, but have never lived up to expectations.
Often, moreover, in information security even CISOs (Chief Information Security Officers) have limited power to implement and change the defensive paradigm of their organizations.[50]

Companies and public institutions normally rely on specific applications to interface with customers and citizens; these applications, however, depend on patches and on code that must be properly developed and free of bugs in order to be secure. Yet the need for upgrades is often underestimated for years, in some cases for decades, leaving applications vulnerable and without the necessary updates.

Developers and programmers, for their part, can unfortunately introduce threats into these same applications (or devices). Very often developers work for low pay in countries where criminal organizations have wide freedom of action and are able to bribe or pressure programmers into introducing backdoors and flaws into applications or devices.

Users themselves can also be a problem: as already stated, companies and governments are increasingly moving to a BYOD approach and, since a growing number of users manage security in often questionable ways, the chance that threats will reach the work environment by way of the private one increases exponentially. Added to this is the adoption of ever more corporate rules that make procedures more rigid, increasing the company’s vulnerability to external attacks (Cunningham, 2020).

In addition, the use and/or implementation of security tools such as Data Loss Prevention (DLP) and password management, together with other security solutions, has a negative impact on users.
As soon as a user has a negative experience with one of the restrictions these tools impose, they will try to bypass it or even do without the tool altogether, underestimating the risk of a breach: whereas between the late 1990s and the start of the new millennium the risk was identified with the so-called trojans that blocked use of the PC, today the phantom menace of breaches goes unnoticed and is underestimated.

[50] This can be problematic above all when the people to whom CISOs report have little or no knowledge of the operations or technologies used in cyberwarfare.

In other words, the widespread use of misaligned and highly restrictive security tools can encourage security problems to arise.

The strategy to adopt is one that operates on several levels at once: one that constantly seeks innovative solutions to threats, reduces vulnerabilities while deterring adversaries, and protects systems with a focus on what is achievable. It will therefore be important to make technical progress and managerial changes in both the public and the private sector. There is no point in protecting information and systems only from the inside if one then relies on a single ring of security. Ensuring instead that several intersecting protection solutions are used, both horizontally and with a top-down approach, is certainly more effective.

It is a fact that no system will ever be unhackable on its own, and it is equally true that no system can be protected unless all the systems interconnected with it are protected too. Logic therefore suggests that an organization should use several overlapping protection solutions that work in a coordinated way. The failure or circumvention of any single protection system would then not compromise the infrastructure as a whole. It is like chain mail made of many interlinked rings: even when one ring gives way, the structure is not totally compromised. All of this must be carried out properly, concentrating on gaining control of users’ devices and enabled systems, protecting data wherever possible and harnessing the power of the cloud.[51]

[51] Many companies will adopt site-to-site VPNs to connect directly to the cloud and isolate the segment that has cloud connectivity. Although this is a good approach, site-to-site VPNs usually carry an additional cost and require additional maintenance. Another option is to use a direct route to the cloud, for example a service such as Azure ExpressRoute. Although you have full control over the on-premises network and its configuration, the cloud virtual network will be something new to manage. For this reason it is important to become familiar with the networking capabilities available in the cloud provider’s IaaS and with how to secure this network. Using Azure as an example, one way to quickly assess how this virtual network is configured is to use Azure Security Center. Azure Security Center will scan the Azure virtual network that belongs to the subscription and suggest mitigations for potential security issues. The list of recommendations can vary according to the Azure virtual network (VNET) and how the resources are configured to use it. Let us take the second alert as an example, a medium-level alert that says “Restrict access through Internet-facing endpoint”. When you click on it, you will see a detailed explanation of this configuration and of what needs to be done to make it more secure. This network security assessment is very important for hybrid scenarios in which the on-premises network has to be integrated with a cloud infrastructure.

End-user training plays a fundamental role. It is perhaps one of the defining elements of a security strategy: a user who has not been trained in security policies can cause enormous damage to their organization. According to the Symantec Internet Security Threat Report, Volume 24, spam campaigns are still increasing compared with previous years and, although they now rely on a wide range of tactics, the largest malware spamming operations still depend mainly on social engineering techniques.[52]

The problem is that many users use their own devices to access company information, and when they take part in fake campaigns on social media they are easy targets for hackers and APTs. Once hackers manage to compromise users’ systems they are very close to accessing the company’s data, since most of the time the two are not isolated from each other. All these scenarios are only a very small example of how essential it is to educate users against this type of attack and any other type of social engineering attack, including “personal approaches”.

A key aspect of this strategy is, moreover, to treat every network, user, account or other related element as potentially breachable. Everything is potentially a threat, always. Nothing should be allowed to run on default settings, and every access should be explicitly validated before it can take place (Forshaw & Moussouris, 2017). Finally, for this approach to be effective, it is necessary to concentrate on the controls that can be applied at key nodes to obtain information on how the system is operating; it must be recognized, however, that this control point will always be weak.
52 Social media are another means used to launch social engineering attacks. In 2019, Symantec reported that social media were used in many campaigns to influence people, and elections in particular. Twitter also uncovered extensive use of fake accounts on social media platforms to create malicious campaigns, which led it to remove more than 10,000 accounts from its platform.

The node through which a user tries to access a corporate resource will always be the most vulnerable one within an infrastructure. Therefore, it is the user's access that must always be considered a potential threat until proven otherwise, and verifying it must be an essential step.

Technologies such as Multi-factor Authentication should be used to certify the user through "an authentication request". In other words, it is an additional means of making sure that the user is who they claim to be before they gain access to the requested resource. Multi-factor authentication tools should be part of a program called Identity and Access Management, or IAM, structured to grant the user access easily and to eliminate cumbersome access control procedures [53].

Some principles of a new strategic approach for an organization can be briefly stated as follows (Cunningham, 2020):
1) All IT services must be protected and kept as secure as possible;
2) Monitoring and analysis are carried out constantly;
3) Log monitoring and analysis aimed at safeguarding the infrastructure, and those associated with it, must be as secure as possible;
4) All communications must be secure, regardless of whether they are physical or virtual;
5) Access is granted only to authorized resources;
6) Authentication takes place strictly before access occurs;
7) The infrastructure is subject to constant access control, to analysis, scans and threat assessments, to limitation of movement and to continuous validation of access requests;
8) The network is a "contested" space and is regarded as an area of constant threat;
9) Controls must be extended from the space inside the infrastructure to the outside.

In conclusion, in cyberwarfare the readiness for rapid change is as necessary as defensive tactics and strategy and the means applied. Defending effectively means being ready to adopt new approaches in order to find effective answers to current and future needs.
War is by its very nature in constant evolution: just as the tallest and mightiest castle fortifications became useless in the face of gunpowder, so IT security systems are condemned by their very nature to rapid obsolescence and to becoming ineffective if they are not updated. Standing still, underestimating the vital importance of information and of the increasingly integrated dynamics between the physical and the virtual world, means surrendering one's own security to the status quo and ending up at the mercy of destabilizing practices carried out by actors who are anything but peaceful.

53 C. Cunningham, Cyber Warfare – Truth, Tactics, and Strategies: Strategic concepts and truths to help you and your organization survive on the battleground of cyber warfare, cit.

Bibliography

Carlin, J.P., & Graff, G.M. (2018). Dawn of the Code War: America's Battle Against Russia, China, and the Rising Global Cyber Threat. PublicAffairs.
Cunningham, C. (2020). Cyber Warfare – Truth, Tactics, and Strategies: Strategic concepts and truths to help you and your organization survive on the battleground of cyber warfare. Packt Publishing.
Forshaw, J., & Moussouris, K. (2017). Attacking Network Protocols: A Hacker's Guide to Capture, Analysis, and Exploitation. No Starch Press.
Frediani, C. (2019). #Cybercrime. Attacchi globali, conseguenze locali. Milan: Hoepli.
Frediani, C. (2018). Guerre di Rete. Laterza.
Friedman, M. (1998). Future of War: Power, Technology and American World Dominance in the Twenty-first Century. St. Martin's Griffin.
George, R., & Rishikof, H. (2011). The National Security Enterprise: Navigating the Labyrinth. Washington D.C.: Georgetown University Press.
Greenberg, A. (2019). Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers. New York: Anchor.
Hadnagy, C. (2019). Human Hacking. Apogeo.
Hassanien, A.E., & Elhoseny, M. (2019). Cybersecurity and Secure Information Systems: Challenges and Solutions in Smart Environments. Berlin: Springer Nature.
Jasper, S. (2020). Russian Cyber Operations: Coding the Boundaries of Conflict. Georgetown University Press.
Martin, K. (2017). Everyday Cryptography: Fundamental Principles and Applications. Oxford University Press.
Rains, T. (2020). Cybersecurity Threats, Malware Trends, and Strategies: Learn to mitigate exploits, malware, phishing, and other social engineering attacks. Packt Publishing.
Rovner, J., & Long, A. (2011). Fixing the Facts: National Security and the Politics of Intelligence. Ithaca (NY): Cornell University.
Salah, K., & Khan, M.A. (2017). IoT Security: Review, Blockchain Solutions, and Open Challenges. In Future Generation Computer Systems 82 (pp. 395-411). Amsterdam: Elsevier.
Shulsky, A., & Schmitt, G. (2002). Silent warfare. Understanding the world of intelligence. Lincoln: Potomac Books Inc.
Sir Freedman, L. (2015). Strategy: A History. Oxford University Press.
Suffia, G. (2018). Geografia delle cyberwars. Uomini e Stati alla prova dello spazio digitale. Milan: Giuffrè.
Valeriano, B., Jensen, B., & Maness, R.C. (2020). Cyber Strategy: The Evolving Character of Power and Coercion. Oxford: OUP USA.
This volume was printed in May 2021 on environmentally compatible materials and with environmentally compatible technologies at LITOGRAFIA SOLARI, Peschiera Borromeo (MI).
