Author: SeanLawson

I am an Associate Professor in the Department of Communication at the University of Utah. I write about the relationships among science, technology, and security with an emphasis on new media, information, and communication technologies. Topics of interest include cybersecurity policy, surveillance, drones, network-centric warfare, and military use of social media. My doctorate is from the Department of Science and Technology Studies at Rensselaer Polytechnic Institute. I am the author of Nonlinear Science and Warfare: Chaos, Complexity, and the U.S. Military in the Information Age.

With Drone Strike On ISIS Hacker U.S. Escalates Its Response To Cyber Attacks

On August 28, the United States admitted to carrying out an airstrike, widely reported to have come from a drone, which killed an ISIS hacker by the name of Junaid Hussain. He was killed in Syria four days earlier on August 24. This strike represents the latest escalation in the United States’ evolving response to cyber attacks.

Hussain was primarily engaged in online recruitment and propaganda. He is also alleged to have participated in the hack of the CENTCOM website and Twitter account, as well as posting personal information online about U.S. military personnel and making threats against them.

Though CENTCOM has described Hussain as “very dangerous” and as having “significant technical skills,” other officials have said that was not the case. These officials note that information Hussain posted online about U.S. military personnel was not the result of hacking, but instead, of aggregating openly available information from the Internet. That is, Hussain engaged in what is called “doxing” in the hacker world.

I agree with those officials casting doubt on Hussain’s status as a skilled hacker. Online propaganda, recruiting, and aggregating otherwise freely available information are not hacking. Breaking into a social media account that seems to have been poorly protected hardly qualifies one for elite hacker status.

In short, this hyped victory over an ISIS “hacker” could well be another data point to add to what we are learning about potential bias in CENTCOM intelligence assessments, which critics claim are being altered to paint a more optimistic picture of U.S. effectiveness in the fight against ISIS.

But the strike is also important because it represents a foreseeable escalation in cyber conflict when we allow hyperbolic rhetoric and threat inflation to go unchecked. The conflation of very different types of cyber conflict, from online activism, to crime, to critical infrastructure attacks under the terms “cyber attack,” “cyber terrorism,” or “cyber war,” invites conflict escalation. If we describe such threats in the same terms, then it is more tempting to respond to them in the same ways, even though not all of them may warrant the same level of response.

In general, U.S. rhetoric and responses to cyber attacks have been heating up over the last year. In May 2014, the United States indicted Chinese military officers on charges related to hacking. Over the summer, there was buzz about the OPM hack, which has been blamed on China, being a “cyber 9/11” or “cyber Pearl Harbor.” Even though Director of National Intelligence, General James Clapper, told Congress that this breach was not a “cyberattack,” the Administration has openly contemplated “retaliation” against the Chinese for ongoing hacking of U.S. public and private networks.

But China is not the only nation to have provoked a heightened response from the United States recently. In February, NSA Director, Admiral Michael Rogers, called the 2014 hack of Sony a “cyber Pearl Harbor.” So far, the only response from the United States that we know about has been imposing sanctions on a handful of North Korean officials. But if we were really to take ADM Rogers’s rhetoric seriously, it would seem to justify much more severe responses. After all, the real Pearl Harbor pulled the United States into World War II.

Some have even called for physical, lethal strikes in response to hacking in the past. In 2011, a U.S. official said that the U.S. response to a serious enough hacking attack could come in the form of a “missile down one of your smokestacks.” Similarly, retired Air Force Lt. Gen. Harry Raduege suggested that if a cyber attack were serious enough, “America’s response could come in the form of a hellfire missile.” In the case of Junaid Hussain, it did.

So, in addition to ongoing questions about the legality and efficacy of such strikes, this case should also spark a debate about appropriate responses to the full range of malicious online activities in which U.S. adversaries might engage. Among the issues that need much more discussion is when a cyber attack warrants a lethal strike in response. Were Hussain’s online activities alone enough to warrant such a response, even if he had not been part of ISIS and located in Syria? At minimum, we need more clarity on what U.S. policy is on this question and a robust debate about what it should be.

The Death of Cyber Doom? Not So Fast

For decades, we have heard a lot of talk from American officials, industry experts, and others about the supposed threat of a “cyber 9/11,” “cyber Pearl Harbor,” “cyber Katrina,” or even “cyber Sandy.” In short, we have been warned repeatedly that “cyber doom” is coming. Indeed, as recently as this fall, cyber doom was in the news as a result of the cyber attack on Sony.

But the latest World Wide Threat Assessment (WWTA) [PDF] presented to Congress by the Director of National Intelligence, Gen. James Clapper, says that “Cyber Armageddon” is unlikely. Rather, the assessment “foresee[s] an ongoing series of low-to-moderate level cyber attacks from a variety of sources over time, which will impose costs on US economic competitiveness and national security.” This threat, it says, “cannot be eliminated; rather, cyber risk must be managed.”

Some have argued that such scenarios were always about threat inflation and fear mongering and have applauded the admission by intelligence officials who once trafficked in such rhetoric that these scenarios are unlikely after all. Has the era of cyber doom fear mongering come to an end? Not likely.

Key intelligence officials, like NSA Director Admiral Michael Rogers, are still using this rhetoric. Just three days before the release of WWTA, Rogers defined “cyber Pearl Harbor” and said that one had already occurred.

Asked to define a ‘cyber Pearl Harbor’, a phrase used in 2012 by then-Defense Secretary Leon Panetta, Rogers replied: ‘An action directed against infrastructure within the United States that leads to significant impact—whether that’s economic, whether that’s in our ability to execute our day-to-day functions as a society, as a nation.’ He added that the hack of Sony Pictures Entertainment last November met that dire criteria. Movie studios fit into the U.S. government’s broad definition of critical infrastructure.

With this comment, Admiral Rogers follows in the footsteps of Amit Yoran, former head of the Department of Homeland Security’s National Cyber Security Division, who claimed in 2009, “Cyber 9–11 has happened over the last 10 years, but it’s happened slowly so we don’t see it.” Of course, there was no evidence then that anything like 9/11 had occurred in or through cyberspace, just as the hack of Sony is nothing like Pearl Harbor now.

Why do such outrageous claims persist even in the face of contradictory evidence and assessments?

One reason is that, despite claims to the contrary, the use of “cyber doom” is primarily about emotions not facts. Its function is to motivate a response through the use of fear, not to describe accurately the true nature of the threat and its likely impacts.

Among those who use cyber doom rhetoric when speaking in public or to the media, there is often a disconnect between the threat as implied in that rhetoric and the diagnosis of threats that these same individuals provide in more formal settings like threat assessments for Congress. For example, though Admiral Rogers warned publicly of “cyber Pearl Harbor” in February 2015, less than a month later, in his testimony to Congress, his description of the cyber threats facing the United States focused primarily on censorship as a threat to “Internet freedom,” theft of intellectual property, and disruption of networks and access to information. Cyber attacks against critical infrastructure were mentioned, but as in the past, were framed as a “potential” future threat that could “perhaps” result in sabotage during a wider conflict (page 10).

Diagnosing the cyber threat as primarily about espionage, theft, and disruption while simultaneously relying on doom scenarios out of step with that diagnosis has been a feature of U.S. public policy discourse on this issue since at least 2008. And as long as officials believe there is still a need to motivate a response, cyber doom will continue to be a feature of U.S. public policy discourse on cyber security, even if their own assessments find such scenarios unlikely.

Finally, even if cyber doom is down right now, it is likely not out. The winds of cyber war discourse are ever changing. Identification of what is threatened, by whom, and with what potential impact has changed over time, often in ways that seem to mirror larger security concerns that are not primarily about cyber security. Through it all, cyber doom rhetoric has survived, again, primarily for its affective characteristics. But even if it is experiencing a decline at the moment, wait a few months and the cyber discourse weather is likely to change and cyber doom could well make a comeback.

The Sony Hack, It’s Still Not War Or Terrorism

For more than a decade we have heard constant warnings about the coming of “cyber war” and “cyber terrorism.” The prophets of cyber doom have promised that cyber attacks are just around the corner that will be on par with natural disasters or the use of weapons of mass destruction. With every new report of a cyber attack, the prophets exclaim that their visions have finally come to pass, and so it is with the most recent attack against Sony. But in most prior cases, after the dust has settled, the belated arrival of cyber war, terrorism, or doom has failed to live up to the initial hype. The same will be the case with the Sony hack. It is neither war nor terrorism as those terms are commonly defined. It certainly is not cyber doom.

Are We There Yet? Not So Fast

The term “act of war” has been used by some, most notably former Speaker of the House Newt Gingrich and Senator John McCain, to describe the Sony hack, which the FBI attributes to North Korea. When people are using this term, what they really mean is that it is an “armed attack,” an act that can justify the use of force in self defense.

But the Sony hack does not meet the common definition of that term. The best current guidelines for when a cyber attack can be considered an armed attack come from the NATO Tallinn Manual. The manual’s lead author has analyzed the Sony case and has concluded that it is not an armed attack.

The cyber operation against Sony involved the release of sensitive information and the destruction of data. In some cases, the loss of the data prevented the affected computers from rebooting properly. Albeit highly disruptive and costly, such effects are not at the level most experts would consider an armed attack.

This is because to qualify as an armed attack, an action generally must result in “substantial injury or physical damage.” Some of the authors of the Tallinn Manual would also consider an act “resulting in a State’s economic collapse” to be an armed attack. Clearly, the Sony hack fits neither of those descriptions.

If the Sony hack is not war, then maybe it is terrorism. Some have argued that the United States should just “declare” that acts like this are terrorism and their perpetrators terrorists. Though the term “terrorism” has been notoriously ambiguous, nonetheless, it does not mean just anything. In fact, we have a definition of terrorism in U.S. Code:

(1) the term “international terrorism” means activities that—

(A) involve violent acts or acts dangerous to human life that are a violation of the criminal laws of the United States or of any State, or that would be a criminal violation if committed within the jurisdiction of the United States or of any State;

(B) appear to be intended—

(i) to intimidate or coerce a civilian population;

(ii) to influence the policy of a government by intimidation or coercion; or

(iii) to affect the conduct of a government by mass destruction, assassination, or kidnapping; and

(C) occur primarily outside the territorial jurisdiction of the United States, or transcend national boundaries in terms of the means by which they are accomplished, the persons they appear intended to intimidate or coerce, or the locale in which their perpetrators operate or seek asylum

The Sony case fails to meet this definition, and for the same reasons it fails to meet the definition of armed attack: there was no physical harm. Sure, the hack appears to have been for the purposes of coercing or intimidating a civilian organization and to have transcended international boundaries. But it did not “involve violent acts or acts dangerous to human life” and thus fails to meet the very first requirement of the definition regardless of whatever later parts of the definition may fit. Do not pass go.

Another possibility is that the Sony hack is an example of a sub-category of terrorism, so-called “cyber terrorism,” whose definition could potentially include a wider range of effects. More than a decade ago, Dorothy Denning provided (PDF) one of the clearest and most widely accepted definitions of “cyber terrorism.”

Cyberterrorism is the convergence of terrorism and cyberspace. It is generally understood to mean unlawful attacks and threats of attack against computers, networks, and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives. Further, to qualify as cyberterrorism, an attack should result in violence against persons or property, or at least cause enough harm to generate fear. Attacks that lead to death or bodily injury, explosions, plane crashes, water contamination, or severe economic loss would be examples. Serious attacks against critical infrastructures could be acts of cyberterrorism, depending on their impact. Attacks that disrupt nonessential services or that are mainly a costly nuisance would not.

There is more room for debate about whether the Sony hack meets this definition, but it still seems like a stretch. Though economic effects are contemplated, those that would qualify are described as “severe” or directed against “critical infrastructure,” not “nonessential services.” The implication seems to be that the economic consequences should be national in scope, not against one private entity. Though Sony may take a large financial hit as a result of the attack, it is hard to imagine that there will be “severe” impacts on the national economy as a result. It is also a stretch to argue that Sony’s services are “essential.”

Confusing Causes with Effects

It seems clear that the Sony hack does not meet these definitions of war, terrorism, or cyber terrorism. So why are so many using these terms? One answer is fear-induced overreaction. Another, more cynical answer is militaristic animus. One or both of these may play some role for some individuals. But another factor is a fundamental confusion, whether purposeful or inadvertent, of causes and effects in cyber conflict, an issue I have discussed at length elsewhere and to which I will call attention once more.

In each case, the definitions examined above are “effects based.” That is, an attack is an armed attack, is terrorism, or is cyber terrorism based on its effects. If those effects meet certain criteria, cross a certain threshold, then they meet the definition. In each case, physical harm to humans or property is a key criterion or threshold. Denning’s definition of cyber terrorism adds some kinds of severe economic effects. But it is still an effects-based definition.

In public debates about the meaning of incidents like the Sony hack, we see a number of disturbing tendencies. We see a tendency to define what counts as war, terrorism, or cyber terrorism based on who conducted the attack and/or what instruments were used in the attack, that is, a shift towards an actor- or instrument-based definition, as opposed to an effects-based one. In this new scheme, it is tempting to say that if a terrorist group uses cyber instruments, then the incident is cyber terrorism regardless of what actual damage is done. Similarly, it is tempting to say that if a foreign military or intelligence service, especially of a hostile nation, uses cyber instruments in a malicious way, then the incident is armed attack, again, regardless of actual damage done.

Expanding the Definitions of War and Terrorism

The implications of this confusion should be as clear as they are dangerous. Those who call for affixing the war or terrorism label to the Sony hack are not just encouraging us to reconsider how we think about malicious acts in cyberspace. Instead, they are, perhaps inadvertently, encouraging us to redefine what counts as war and terrorism. In doing so, the definitions of both of those terms become absurdly and dangerously broad. Suddenly, financial loss for a multinational media company and embarrassment for its CEO from leaked emails is “war” like World War II or “terrorism” like the attacks of September 11, 2001. This is absurd.

But it is also dangerous. When we accept certain events as really, truly being war or terrorism, then we accept certain kinds of responses to those events that we otherwise would not. We accept the use of physical violence, or actions that could escalate to physical violence, in response to these kinds of events when such responses would not be seen as acceptable if these events were defined differently. To say that the Sony hack is an armed attack by North Korea is to say that it would be legitimate and acceptable for the United States to launch a physical attack on North Korea in response. Some will say, “That is unrealistic. The United States would not actually do that!” But that misses the point. By seriously calling the Sony hack an armed attack or terrorism, we are saying, in effect, “Even though the United States is unlikely to launch a physical attack in response, it would be acceptable for it to do so.” In fact, it would not be.

We should not diminish the seriousness of what happened to Sony. The Sony incident is emblematic of very serious and longstanding threats to cyber security. Indeed, while the world focused on the Sony case, news broke of yet another massive data breach at a major retailer, this time Staples, where information from over one million payment cards was stolen. The Sony incident is a warning that the impacts of such data breaches can be even worse, going far beyond stolen credit card data. But hysterical screams of “terrorism” and “war” are not a serious response to a serious problem. What’s more, such hysterical responses risk broadening the definitions of these terms in a way that is both absurd and dangerous. It is time to take a deep breath and return from the “realm of beyond stupid” before we do something, well, stupid.

TGI Fridays’ Drone Mishap Was Not a Disaster, But It Could Have Been

In recent weeks, the American casual dining restaurant chain TGI Fridays has gotten a lot of buzz as a result of news that it would deploy a mistletoe drone in its restaurants. The idea was that the mistletoe-carrying drone would fly around the restaurant and hover above unsuspecting customers, thereby forcing them to kiss. All of this would be recorded by the drone’s onboard camera, of course.

Drone Disaster?

The restaurant chain got a bit of negative news coverage today, however, when Brooklyn Daily reported that one of its journalists was injured when a small, mistletoe-carrying quadcopter struck her in the face. The reporter sustained a cut on her nose and chin. The headline for the story proclaims, “Drone Strike!” The URL for the story uses the phrase “drone disaster.”

What happened here was hardly a “drone disaster,” however. From the photos provided, it appears that the quadcopter in question was something very similar to this toy available for around $50 on Amazon. From the photos, it also looks like the quadcopter did have prop guards, which could account for why the damage to the reporter’s face appeared to be pretty minor.

But the story could have ended much differently, in something closer to a real “drone disaster.” The Brooklyn Daily piece also includes photos of a much larger, six-bladed “hexacopter” flying without prop guards right above diners. Were the operator to lose control of this larger drone and crash into someone, the chance of serious injury would be much higher. Doing a quick Google search for “quadcopter injury” and “quadcopter cut finger” provides an idea of what can go wrong. As such, having a device like this flying indoors and in such close proximity to people seems dangerously irresponsible.

FAA Rules and Mistletoe Drones

This incident might raise questions about how TGI Fridays can deploy a mistletoe drone. Hasn’t the FAA banned commercial use of drones? It is also likely to provide ammunition for those who want the FAA to take a stronger line against commercial use of drones. There are a couple of things to note, however.

First, though the FAA currently says that commercial use of drones is illegal, that only applies to the use of drones outside. The FAA has the legal authority to regulate the “navigable airspace,” which has not historically included interior airspace inside of buildings. Though the FAA has argued recently that navigable airspace includes all airspace all the way to the ground, even over private property, they have not gone so far as to attempt to include airspace inside buildings.

Second, we learned recently that the agency is leaning towards a scheme in which commercial drone operators would be required to have a pilot’s license for a traditional, manned aircraft to fly the kinds of drones featured in the TGI Fridays story. However, it is unclear whether such rules would be enforceable against someone operating a drone indoors. This is to say nothing about the issue of whether knowing how to fly a Cessna is at all relevant to the safe operation of a toy quadcopter.

In the end, it is likely infeasible and an overreach to have the FAA regulate what can and cannot be done inside homes and businesses with flying toys. A significant portion of safe drone use, whether for commercial or recreational purposes, comes down to good judgment and common sense. Whether the mistletoe drone or other, similar uses meet those criteria is an open question that might only be answered definitely by a court when someone sues after being seriously injured in a real drone disaster.

The Drone Terrorism Case That Wasn’t

Fears related to drone safety, in particular concerns about so-called “near misses” with manned aircraft, have gotten a lot of attention in recent weeks. More detailed analysis, however, has shown those fears to have been greatly exaggerated. Nonetheless, they have resulted in one senator’s call for an expansion of the FAA’s drone ban to include not just commercial drones but all private drones.

Similarly, there was big news recently for anyone interested in drones and national security. National and international headlines informed readers that a Moroccan man had been sentenced for plotting to carry out a terrorist attack inside the United States using a “drone.” Score one for defending “the Homeland” from terrorists, and drones, and most insidious of all, “drone terrorism.”

There’s just one problem: as in the case of drone “near misses,” this case of supposed “drone terrorism” has been greatly exaggerated. In fact, neither the charges nor the sentence in this case were related to terrorism or drones. The man in question, El Mehdi Semlali Fathi, is going to jail for perjury, not terrorism. The blatant and rampant misreporting of this story is but one more example of fear-induced technopanic and threat inflation related to domestic “drones.”

The affidavit (PDF) filed in Mr. Fathi’s case indicates that in January 2014 he came under federal investigation as a result of statements indicating his aspirations to carry out bomb attacks against Harvard University and a federal building in Connecticut where he lived. The affidavit stated that in recorded conversations, Fathi had expressed his aspiration to use what the federal agent called “toy planes” or “a remote-controlled hobby-type airplane, to deliver the bomb.”

The government did not wait to find out whether Fathi truly intended to or was capable of carrying out these attacks. During the course of the investigation, they learned that Fathi had lied on his application for refugee status and in statements to multiple immigration judges. The government therefore sought a warrant for Fathi’s arrest on three counts: making false statements, false swearing in an immigration matter, and perjury. Fathi was only charged (PDF) with one of those, perjury. In short, though statements about bombing with “toy airplanes” may have been the impetus for the initial investigation, he was neither arrested for, nor charged with, making terrorist threats.

Fathi pleaded guilty (PDF) to the one count of perjury. In its sentencing memorandum (PDF), the government admitted that “the evidence remains unclear” whether Fathi’s perjury was actually related to his statements about carrying out bomb attacks or “whether Fathi would have acted on his intentions.” Nonetheless, the government argued that the judge should take Fathi’s statements about bomb attacks–for which he was never arrested, charged, or convicted–into account when deciding upon a sentence. The government urged the judge to impose a sentence of five years, which is three years beyond the two years recommended by the federal sentencing guidelines. The judge instead sentenced Fathi to two years in prison followed by deportation.

Despite these facts, it was common for media outlets to portray the case as one in which Fathi was charged and sentenced for his “drone terrorism” threat. In turn, the case sparked discussions about whether drones are “toys or terrors.” Right-leaning organizations and publications were quick to label the case one of “homegrown terrorism” and use it to criticize the Obama administration. The Fathi case is cited in reports about the NYPD preparing for the possibility of “drone terrorism.” Finally, though there is no indication that the Fathi case influenced its decision, the FAA’s recent ban on model aircraft near stadiums followed closely on the heels of the Fathi case and was done under the auspices of post–9/11 anti-terrorism laws.

As I have written previously, drones have emerged as the newest object of threat inflation and technopanic. Rhetorically, that trend has relied on a number of characteristics, including conflation, projection, exaggeration, and fear appeals. We see all of those at work in this case.

Toy airplanes are conflated with “drones,” which spark images of military aircraft flying over desert landscapes firing Hellfire missiles. As this image represents the dominant use of this technology in American minds, the capability and desire to use anything remotely like a “drone” as a weapon is projected onto others, even when it is not at all clear, as in the case of Fathi, that those others really do have the capability or intent to use them as weapons. Because we use the technology in this way, it is hard to resist the presupposition that others must be using the technology in the same way.

We see exaggeration on both sides of this case. Fathi was clearly a big talker who was exaggerating his ability to use a “drone” to carry out an attack, just as he had lied about his persecution in Morocco. But his drone exaggeration touched a nerve; it tapped into Americans’ fear of terrorism and their emerging fear of drones. We were susceptible to believing his exaggeration and so news media helped the story along.

Exaggeration benefits different groups in different ways, allowing them to see what they want and use it to promote their cause. News media gets a better story. No one cares that a guy lied to a judge somewhere and will now go to jail for it. Throw in the possibility of “drone terrorism,” however, and you have an attention-grabbing headline. Those on the political left can use it as evidence that the Obama administration is tough on domestic terrorism, while those on the political right use it to criticize the President’s immigration policy and to promote fear of domestic terrorism. It can be used to justify more spending for law enforcement. Those who want to restrict civilian use of anything that could be labeled a “drone” can also find fodder in this scare story.

Admittedly, just because model aircraft have not been used as terrorist weapons does not mean that they will not be used that way. And I am certainly not arguing that Fathi was a good guy, did nothing wrong, or that he did not pose a threat. It seems clear that he illegally manipulated the asylum system by lying repeatedly. His statements expressing a desire to carry out bombings were certainly cause for concern and investigation. That he will face prison time and deportation seems appropriate.

Nonetheless, it does us no good from a policy making standpoint to exaggerate the facts of this or other, similar cases. As Gregory McNeal has argued in relation to exaggerated reports of drone “near misses” with manned aircraft, “legislation and policy should be driven by real facts, not anecdotes and inflated stories.” I have made the same argument in relation to public policy debate about cyber threats. The introduction into society of new technologies like drones often leads to “technopanics” about exaggerated dangers posed by those technologies. Similarly, national security discourse is also prone to exaggeration and threat inflation. It is, therefore, particularly important that we take great care to avoid these tendencies, which are perhaps even stronger when new technologies and national security combine.