Terrorism and the Internet: Finding a Profile of the Islamic “Cyber Terrorist”

Countering Terrorism, Preventing Radicalization and Protecting Cultural Heritage 103 A. Niglia et al. (Eds.) IOS Press, 2017 © 2017 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-61499-755-9-103 Terrorism and the Internet: Finding a Profile of the Islamic “Cyber Terrorist”

1 Dr. Stefano MELE Director of “Information Warfare and Emerging Technologies” Observatory, Italian Institute of Strategic Studies “Niccolò Machiavelli”

Abstract. The number of terrorist attacks that have brought about bloodshed and left a mark on recent history have spotlighted once again the need to stem the attempts by terrorist organizations to conduct attacks within the EU, forestalling the intentions of the martyrs-to-be. The Islamic State of Iraq and Syria (ISIS) is un- doubtedly the terrorist group that, more than others, has taken advantage of Internet, not only as a tactical means of coordination, but also as a tool to carry out proselytism, recruitment, propaganda, and fundraising. As one could imagine, constantly monitoring the Internet for these activities is an extremely complex and time-consuming activity, requiring a huge amount of money and manpower, and resulting in very poor – and only temporary – outcomes. To stem this rapidly spreading phenomenon, it can be useful to focus the attention of decision-makers, intelligence and law enforcement on a possible profile of a “cyber terrorist”. This paper aims at tracing the identikit of a possible “cyber terrorist” that is as broad and consistent as possible.

Keywords. Al-Qaeda, cyber terrorist, Internet, ISIS, Islamic State, profiling, propaganda, proselytism, recruiting, terrorist organizations

1. Introduction

The number of terrorist attacks that have brought about bloodshed and left a mark on recent history have spotlighted once again the issue never settled about the need to stem attempts by terrorist organizations to conduct attacks within the EU, forestalling the intentions of the martyrs-to-be. Even though official data are not yet available on the level of such a threat in 2016, the latest Europol “European Union Terrorism Situation and Trend Report 2016”

1 Stefano Mele is “Of Counsel” to the Italian Carnelutti Law Firm, where he is in charge of the Technology, Privacy, Cybersecurity and Intelligence Legal Department. He holds a PhD from the University of Foggia, and cooperates with the Department of Legal Informatics at the Faculty of Law of the University of Milan. He is the co-founder and Partner of the Moire Consulting Group. He is the President of the “Cyber Security Working Group” of the American Chamber of Commerce in Italy (AMCHAM), and member of the “Cyber Security Roundtable” of Regione Lombardia and of the “Advisory Board on Cyber Security” of Assolombarda. He is Director of the “InfoWarfare and Emerging Technologies” Observatory of the Italian Institute of Strategic Studies ‘Niccolò Machiavelli’, and co-founder and President of the CyberPARCO non-profit Organization. Stefano is also a lecturer for several universities and military research institutions of the Italian MoD and NATO, and he authored several academic papers and articles, and provided legal and strategic insights on specialized magazines and websites on cyber security, cyber intelligence, cyber terrorism and cyber warfare topics. In 2014, his name appeared in the list of NATO Key Opinion Leaders for Cyberspace Security. In 2014, the business magazine Forbes listed Stefano as one of the world’s best 20 Cyber Policy Experts to follow online. 104 S. Mele / Terrorism and the Internet: Finding a Proﬁle of the Islamic “Cyber Terrorist” stresses the fact that in 2015 no less than 211 terrorist attacks took place within the Eu- ropean Union, all in the same six Member States: Denmark (2 attacks), France (73 attacks, 15 of which were jihadist attacks), Greece (4 attacks), Italy (4 attacks), United Kingdom (103 attacks) and Spain (25 attacks). Such attacks have caused 151 fatalities and over 360 injured. Meanwhile, still in 2015, 1,077 individuals were arrested for terrorism-related crimes, 687 of whom were charged with conducting religiously-inspired terrorist activities. The highest concentrations of arrests was in France (424 arrests, 377 of which for jihadist affiliation), Spain (187 arrests, 75 of which for jihadist affiliation), Belgium (61 arrests, 60 of which for jihadist affiliation), United Kingdom (134 arrests for non-speci- fied reasons), while 40 individuals were arrested in Italy, all of whom were presumably ISIS members. Almost two thirds of those arrested (63%) proved to be European citizens, 58% by birth.

Figure 1. Europol “European Union Terrorism Situation and Trend Report 2016”.

Figure 2. Europol “European Union Terrorism Situation and Trend Report 2016”. S. Mele / Terrorism and the Internet: Finding a Proﬁle of the Islamic “Cyber Terrorist” 105

2. The Use of Internet for Terrorist Purposes by ISIS

Due to the ever-increasing number of European citizens involved in terrorist acts, experts have focused greater attention on the methods used by terrorists to radicalize and shape the thoughts of European shahid-to-be, despite being so close to Western principles both by birth and culture, and also distant from religious radicalization areas. The Internet is one of the most popular and effective means to this end. Indeed, it is through the Internet that ISIS has cheated geographic distance to gain supporters worldwide, fostering their emotional involvement and adhesion to the principles of jihad and martyrdom. Despite being considered by the media as capable of conducting significant computer attacks, i.e. attacks to national critical infrastructures, or the creation of cyber weap- ons on its own, this terrorist organization has never actually raised the bar. The four main groups supporting the Islamic State – the Cyber Caliphate, the Elite Islamic State Hackers, the Islamic Cyber Arm, and the Islamic State Hacking Division have shown poor capabilities in computer attacks. They have simply carried out Distrib- uted Denial of Service attacks (using very basic software, like the “Caliphate Cannon” DDoS tool), defaced websites and social network accounts, and disclosed personal data of government personnel, obtained through basic social engineering techniques. Instead, what the Islamic State is more focused on is finding the most secure means of communication possible. Using the Internet to recruit new supporters is a double-edged sword; in some cases, ISIS members spreading jihadi propaganda online have been identified, geolocated, and even killed due to the high levels of exposure. This is the case with Junaid Hussain, also known as Abu Hussain al-Britani, born in Birmingham and leading member of the Cyber Caliphate. Al-Britani was located and killed by an American drone in Raqqa last August, as a result of the “traces” left of his on-line activity. Although ISIS propaganda, and subsequently the media, depict ISIS as capable of developing software for secure – as in the recent case with the mobile app called Alrawi – there is actually no trace on the Internet of such software, nor of the Alrawi app. On the contrary, most evidence suggests that ISIS primarily uses popular mobile chat applica- tions like Conversations, Telegram, Threema, and Signal. All the rest is merely propaganda. In this context, in order to deeply understand the role actually played by the Internet and the reasons behind its massive use for terrorist purposes, the “ease” this tool offers must be highlighted. The benefits it offers are obvious: • the opportunity to create long-distance networks of individuals almost effort- lessly, and at a low cost; • the ability to act totally anonymously; • the opportunity to create cost-free, real-time information sharing; • the ability to access shared information worldwide; • the ability to easily reactivate accounts linked to existing “social networks”, in order to prevent a website blackout or removal from jeopardizing the stability of the active network. In addition, terrorist organizations’ broader internet strategy also needs to be inves- tigated. In this regard, it is useful to consider that the use of the Internet:

106 S. Mele / Terrorism and the Internet: Finding a Proﬁle of the Islamic “Cyber Terrorist”

• makes it easier for new recruits to join a terrorist organization; • assures that the organization can communicate with the remotest extremist cells; • allows extremists to easily strengthen their messages and terrorist acts, backing them with videos, sounds and images; • creates a new “social context” where the terrorist-to-be realizes that even the least socially-acceptable and most disgusting ideas are actually considered “nor- mal” and desirable. Hence, by simply analyzing the above elements, it is undeniable that the Internet has acquired quite a significant role in this field, encouraging, increasing, and accelerating the usual process of propaganda and radicalization. Still, mere propaganda and proselytism activities are not the only benefits arising from the use of Internet and technology by terrorist groups, even if they certainly repre- sent the main ones. Further possible activities are to be included in the threat spectrum, such as: • recruit, radicalize and incite toward terrorist acts; • train terrorists-to-be via videos and instructions released on online forums, sites, or direct-messaging platforms; • finance terrorist acts by directly calling for donations, using e-commerce platforms, and online payments or even by creating fake charities; • plan, organize and coordinate terrorist acts.

3. Islamic Terrorists and the Internet: Past and Present Protagonists

As it is easy to guess, constantly monitoring the Internet looking for the above-mentioned events is an extremely complex and time-consuming activity, requiring a huge amount of money and manpower, and resulting in very poor, temporary outcomes. In an attempt to stem such a clearly spreading phenomenon, it can be useful to focus the attention of decision-makers, intelligence, and law enforcement on a possible “profile” of a cyber terrorist. To this end, it is crucial to analyze the information about some of the most important militants active in recruiting online, radicalizing, making propaganda and proselytism, and sponsoring some of the most relevant and bloody terrorist organizations, so as to trace a common “profile” of such individuals, to be used for future investigations.

4. The Case of “Azzam the American”

Adam Yahiye Gadahn, also called “Azzam the American”, is historically the symbol of the West joining the ranks of Islamic radicalism. Born in 1978 to a Jewish father and an Orthodox Christian mother, Gadahn took after his father’s revolutionary and contrarian nature early on. His father, in fact, was first a Jew and then converted to Christianity shortly before Gadahn was born. Keen on death metal music and occultism, Gadahn moved to his grandparents’ house in the summer of 1995 and started working in a computer shop, where he became very interested in the Internet, spending all his free time browsing the web. S. Mele / Terrorism and the Internet: Finding a Proﬁle of the Islamic “Cyber Terrorist” 107

Gadahn soon found in Islam the purpose of his life, joining the Orange County Is- lamic Society in California, and permanently converting on November 17th, 1995. He renounced his past life and became very radicalized, eventually even attacking even the Imam of his mosque, Haitham Bundakji, in May 1997. Shortly after, and through the agency of two militants of the Orange County Islamic Society – Hisham Diab and Khaled Deek – Gadahn travelled for the first time to Pakistan and visited training camps funded by Diab and Deek’s Charity Without Borders. By the time he turned thirty, Gadahn had become an institution in Al-Qaeda’s Inter- net propaganda committee, even heading Osama Bin Laden’s public relations. Al- Qaeda’s media revolution is due almost entirely to Gadahn, thanks to the videos released by “As-Sahab Media”: which, under his supervision, became more elaborate and more adaptable, learning from past mistakes (draping a jute tarp behind Bin Laden was an emblematic gesture, following an attempt made by some geologists to identify the area in which the shooting had taken place).

5. The Case of “Irhabi 007”

If “Azzam the American” is the typical case of a Westerner converted to Islam, then the case of the 22-year old Moroccan Younes Tsouli – alias “Irhabi 007” (“Terrorist 007”) is the classical example of a non-Westerner that was unable to integrate properly in the West. His activities took place in the United States, but in Italy as well. According to Scotland Yard, in fact, he is responsible for the threats sent to Italy by “Khaled ibn al- Walid Brigade” and “Abu Hafs al-Masri Brigade” in the summer of 2004; fortunately, these attacks were never carried out. From 2003 to October 2005, in fact, and without ever leaving his house in London – Younes Tsouli managed to become first the correspondent of Abu Maysara al-Iraqi, then a press agent for Al-Qaeda and Al Zarqawi, eventually becoming a figurehead for Al- Qaeda online propaganda via the forums Muntada al-Ansar al-Islami and al-Ekhlas. 108 S. Mele / Terrorism and the Internet: Finding a Proﬁle of the Islamic “Cyber Terrorist”

Highly computer-literate, Tsouli has always studied and worked, even after moving to London together with his father. Nonetheless, he was unsatisfied with the world around him, and found little solace in the few friends he had; so Tsouli spent many hours at the computer, creating a par- allel life, spent spreading Al-Qaeda decla- rations and propaganda videos. On May 11th, 2004, Muntada al-Ansar al-Islami was the first to release the video showing Nick Berg’s beheading, probably received directly from Abu Maysara al-Iraqi; this so- lidified Tsouli’s role as the encomium of Al-Qaeda propaganda. He has also carried out real hacking, in order to gain access to valid credit card numbers or to breach U.S. companies’ information systems and websites so as to use them for propaganda. He also started projects aimed at using his technical and IT skills by means of e-books, which are still in use today. The international scientific community has paid much attention to the case of Younis Tsouli because he is an unusual exception. An essential aspect to be found in extremist indoctrination and recruitment phases is still mainly linked to the ties established through interpersonal relations. Many experts in the field have in fact highlighted several times that, although the Internet plays a primary role in supporting and facilitating ideological radicalization, it never totally replaces the need for direct human contact between terrorists-to-be and their recruiters. The case of “Irhabi 007” is instead the classical “exception which proves the rule”.

6. The Case of Faisal Errai

Faisal Errai is another Moroccan “leading” figure in Al-Qaeda-related cyber-terrorism. From 2008 until his arrest in 2010, Errai has been the spearhead of the Ansar Al S. Mele / Terrorism and the Internet: Finding a Proﬁle of the Islamic “Cyber Terrorist” 109

Mujahideen forum, despite his young age (26 years old), also becoming the forum webmaster in 2009. At the highest point of his jihadist propaganda career, not only has Errai pursued promotional activities through the forum – earning a prominent role as the contact point for the most relevant terrorist organizations linked to Al-Qaeda – but he has also worked as a recruiter of shahid-to-be, helping them move from virtual world to the reality of training camps. Up to the moment it was temporarily closed, following Errai’s arrest, Ansar Al Mujahideen forum has in fact been considered as one of the biggest and most fruitful channels to distribute “merchandising” material for Al-Qaeda propaganda and recruit future martyrs, totaling 5,500 registered users and over 100,000 published messages. Faisal Errai is very young, has a passion for IT, few friends, and found it difficult to completely integrate with his new environment. So, he created a double life: one in which he seems to be a “westernized” person, even appearing uninterested in religion, and a second which exists in the international jihadist propaganda network, where he is a real Muslim warrior devoted to the common cause.

7. ISIS and Media

So far, no terrorist organization has managed to equal ISIS’s success in exploiting media and the Internet. Massive use of IT means for public communication is an integral part of their strategy to attack the West It is not a case in fact that the speech made on July 4th 2014 – in which Abu Bakr al-Baghdadi officially declared the caliphate – was antic- ipated on Twitter with some pictures taken directly from his speech: it was a device to create the right “waiting” atmosphere for the followers. Abu Amr Al-Shami presently leads the ISIS online propaganda section. A Syrian citizen, but born in Saudi Arabia in 1979, Al-Shami is the head of a very fragmented group of sympathizers scattered around North Africa and the Gulf Region. Led by al- Shami, these sympathizers have made ISIS the most effective and fruitful terrorist group 110 S. Mele / Terrorism and the Internet: Finding a Proﬁle of the Islamic “Cyber Terrorist” online, publishing a modern magazine “Dabiq”, as well as blogs, social media, and websites – all of which are unprecedented in quality and quantity. In addition, the organization’s message is spread through the al-Ḥayāt Media Cen- ter, as well as the mobile app for jihadist propaganda known as “The Dawn of Glad Tidings.” A huge proselytism effort is carried out on alternative and emerging social networks, such as Quitter and Diaspora, or also on websites such as http://www.al- furqan.com/ and https://alhayatmedia.wordpress.com/ (this latter being used as a real channel for recruitment). As of now, only the head of the ISIS propaganda section has been publicly identified; but analysis of contents and IT methodologies suggests that a number of figures lie behind the leader, mainly from North Africa and the Gulf Region. However, these people have such a advanced computer skills that it is highly likely they have been living in Western countries for a long time.

8. The Case of Junaid Hussain

Junaid Hussain was born in 1994 and grew up in Birmingham, England, in a Pakistani- origin family. By day, he was an aspiring rapper. By night, he was TriCk, an outspoken and respected member of the disbanded pro-Palestinian hacker-crew TeaMp0isoN and an ally of the well-known hacktivist collective Anonymous. In 2012, Hussain, then still identifying as TriCk and a member of TeaMp0isoN crew, had been sentenced to six months in prison for hacking the Gmail account of Tony Blair and posting his personal information online. After his short sojourn in prison, Hussain had traded in TeaMp0isoN for ISIS, put- ting his hacker skills to work for the Cyber Caliphate, the “digital army” for the ISIS. By then he was also known as Abu Hussain al-Britani, a charismatic British jihadist and a celebrity for the jihadist network. Hussain, who was married to ex-punk rocker Sally Jones, is thought to have also fled to Syria in 2013 while he was on bail in the UK. In his career as a leading member of the Cyber Caliphate, he is believed to have aided ISIS in obtaining the passwords of the U.S. Central Command’s Twitter and

S. Mele / Terrorism and the Internet: Finding a Proﬁle of the Islamic “Cyber Terrorist” 111

YouTube accounts in January 2015 and briefly using them to send pro-ISIS messages. He was also involved in defacing French websites during the January 2015 Île-de-France terrorist attacks. In March 2015, Hussain released a list of 1,300 U.S. military personnel requesting that ISIS followers execute people on the list. While Hussain claimed to have breached U.S. Department of Defense servers, the FBI insisted that the list was cobbled together from news articles, social media posts, and public records. More important were Hussain’s efforts as an online recruiter. According to court records, he communicated with at least four men in four states, imploring them to initiate attacks or help spread the Islamic State’s message. Hussain was listed as the third highest ISIS target on the Pentagon’s “kill list”, behind Abu Bakr al-Baghdadi and Mohammed Emwazi, due to his role in inspiring international lone wolf terrorism. He was located and killed by an American drone in August 2015, outside Raqqa, because of the “traces” left of his online activity.

9. Islamic Terrorists and the Internet: Who to Look For?

Despite focusing exclusively on the leading figures of the movement, the framework outlined still seems to be useful to trace origins and behavior common to all those active in the field of terrorist propaganda, for whatever reason. The first useful element is about sex and age. All those analyzed are males, with an average age presently identified as ranging between 20 and 35 years old, of whom the highest inclination trend is to be found in those aged 20 to 25. This can also be easily attributed to the higher inclination of users aged 20–25 to be seduced and captivated by propaganda and radicalization activities carried out through the Internet. In addition, “cyber-terrorism” related matters seem to be extremely popular in North Africa. That is in fact where youngsters moved to/born in Europe (or, more generally speaking, in a Western country) draw information from. The Persian Gulf area, instead, is the place where youngsters still living in their birthplace operate. The education level of those analyzed also does not seem to be very low – many of them having attended university, especially if “second generation” or residing in the West for a long time. On the other hand, though, they do not seem to be particularly computer literate and have high-level IT and hacking skills. Although the majority of those aged 20–25 today have an inclination/passion for these subjects, it is jihadist forums and websites that actually train directly on secure communication techniques, how to mask IP (Internet Protocol) addresses, cryptography, steganography, and use of the so-called “darknets” as well as malware. As for behavior, one common factor is that the subjects are poorly-integrated – which is something that often goes unnoticed in everyday life (also inside the mosques) and at work. Even though such individuals are never completely isolated, they spend all their free time on the Internet, creating on jihadist forums and websites their “real” world made of relationships, recognition, and personal revenge. During the first phases of their commitment for the jihadist cause, these individuals – often suffering from an avoidant personality disorder – do not mean to be personally involved in the war of religion they undertake to promote. As time passes, though, they become first eager to visit their families’ place of origin; then, they tend to feel the need

112 S. Mele / Terrorism and the Internet: Finding a Proﬁle of the Islamic “Cyber Terrorist”

(pushed by those around them) to visit training camps and become actively involved in terrorist activities. So, it goes full circle: the propaganda and radicalization process of extremist ideology has in fact its first effects on the very same individuals involved in the propaganda itself. Today the radicalization process is opposite to what happened in the past: starting from the bottom, trying to reach the top. These young people, in fact – more and more frequently “second generation” individuals – while first approaching jihadist ideology through their family or their few friends/acquaintances, then start a lonely, silent research journey to discover jihadist ideology on their own on the Internet, getting radicalized and spontaneously volunteering for the cause, hoping to be “noticed” by the leaders.

10. Identikit of an Islamic “Cyber Terrorist”

SEX: Male.

AGE: 20/35 years old.

CITIZENSHIP: Mainly European or Western, more and more often by birth.

RELIGION: Muslim.

ORIGIN OF THE FAMILY: Mainly North Africa or the Persian Gulf.

SOCIAL STATUS OF THE FAMILY: Lower middle class; in some cases, also middle class.

EDUCATION: Good education, often attended university.

PERSONALITY: Often characterized by behaviors ascribable to or caused by avoidant personality disorders.

BEHAVIOR CHARACTERISTICS: Shy and with few friends but not completely unsociable. Curious about Islamic extremist theological doctrines, become acquainted through family or the narrow circle of friends. Regularly goes to the mosque, but does not discuss his role or the propaganda he carries out on the Internet. Somewhat skilled in the use of the Internet and technologies, but not necessarily an expert. Eager to take revenge on the surrounding society and strongly linked to his family’s (for “second generation” individuals) or his own home country. Looking for a personal identity and a well-defined role in society: religious ex- tremism and the “distance” given by the Internet are a perfect mix. Carries out most of the propaganda usually at home or in places he considers familiar and “safe”. As time passes, he proves available to move from the virtual world to the reality of training camps; something not taken into consideration at all in the first phases of engagement in jihadist propaganda. S. Mele / Terrorism and the Internet: Finding a Proﬁle of the Islamic “Cyber Terrorist” 113

References

Barrett R., “The Islamic State”, The Soufan Group, 2015. Europol, “European Union Terrorism Situation and Trend Report 2016”, 2016. https://www.europol. europa.eu/activities-services/main-reports/european-union-terrorism-situation-and-trend-report-te-sat- 2016. Goldman A., Schmitt E., “One by One, ISIS Social Media Experts Are Killed as Result of F.B.I. Program”, The New York Times, 2016. https://www.nytimes.com/2016/11/24/world/middleeast/isis-recruiters-social- media.html?_r=0 Hegghammer T., “The Rise of Muslim Foreign Fighters: Islam and the Globalization of Jihad”, International Security, Vol. 35, No. 3 (2010), 53–94. http://belfercenter.ksg.harvard.edu/publication/20601/rise_of_ muslim_foreign_fighters.html. Jacobson M., “Terrorist Financing and the Internet”, Studies in Conflict & Terrorism, 2010. Jarvis L., Macdonald S., “What Is Cyberterrorism? Findings from a Survey of Researchers”, Terrorism and Political Violence, 2014. Khatchadourian R., “Azzam The American: The making of an Al Qaeda homegrown”, The New Yorker, 2007. http://www.newyorker.com/magazine/2007/01/22/azzam-the-american?currentPage=all. Kohlmann E.F., “The Real Online Terrorist Threat”, Foreign Affairs, Vol. 85, No. 5 (2006), 115–124. Mele S., “Terrorism: Islamic State”, Cyber Strategy & Policy Brief, Volume 02 – February 2016, 2016. http:// stefanomele.it/public/documenti/452DOC-866.pdf. Neumann P.R., “Foreign fighter total in Syria/Iraq now exceeds 20,000; surpasses Afghanistan conflict in the 1980s”, The International Centre for the Study of Radicalisation and Political Violence, 2015. http://icsr. info/2015/01/foreign-fighter-total-syriairaq-now-exceeds-20000-surpasses-afghanistan-conflict-1980s/. Neumann P.R., “The New Jihadism. A Global Snapshot”, The International Centre for the Study of Radicali- sation and Political Violence, 2014. http://icsr.info/wp-content/uploads/2014/12/ICSR-REPORT-The- New-Jihadism-A-Global-Snapshot.pdf. Sageman M., “Leaderless Jihad: Terror Networks in the Twenty-First Century”, Pennsylvania University Press, 2008. Site Institute, “Irhabi 007 Unveiled: A Portrait of a Cyber-Terrorist”, SITE Report, 2006. Torres-Soriano M.R., “The Hidden Face of Jihadist Internet Forum Management: The Case of Ansar Al Mu- jahideen”, Terrorism and Political Violence, 2014. Von Behr I., Reding A., Edwards C., Gribbon L., “Radicalisation in the digital era”, RAND Corporation, 2013. http://www.rand.org/pubs/research_reports/RR453.html Weimann G., “Cyber-Fatwas and Terrorism”, Studies in Conflict & Terrorism, 2011.

The author(s) of this publication is/are solely responsible for its content. This publication does not reflect the opinion of the publisher. The publisher cannot be held liable for any loss or damage that may occur because of this publication.