al Qaeda & the Internet

By Douglas J. Hagmann, Director

9 February 2009: According to the most recent reliable statistics, there are over two billion web sites and approximately 28 billion images spread across the Internet. Thousands more sites are created and tens of thousands more images are posted every day. Of the two billion web sites, several thousand involve some form of activity pertaining to terrorism, either directly or indirectly. According to federal sources recently interviewed by the Northeast Intelligence Network, about five thousand sites, mostly Arabic language Islamic terrorist sites, are under constant surveillance of some form. Additional Internet locations, not typical web sites but file sharing sites, host various other files, from images to audio and video files.

Since the establishment of the Northeast Intelligence Network in early 2002, we have identified, located and monitored a majority of those Arabic language sites that promote, facilitate or act as communication portals to advance Islamic terrorism. Most of those sites now require a password to access and, in many cases, the permission of the site owner (or forum administrator) to join, in an effort to prevent infiltration by counter-terrorist investigators. The natural barriers created by language and those created by operational security measures are usually sufficient to keep amateur prying eyes out of their virtual classrooms and playgrounds. The initial frenzy of Internet research into such terrorist sites following the 9/11 attacks also resulted in diluting the integrity and importance of the information culled from these sites.

In the past, counter-terrorism authorities have downplayed the role of Internet web sites, chat rooms and forums in terms of the intelligence value they provide. After all, it is reasoned, no bona fide terrorist would publish their operational plans on a web site or write about their plans in the plain view of a chat room. How, then, could terrorists use the Internet for their vital communication and operational planning?


"Camp al Battar from June 2004"

A Washington Post article dated September 19, 2001 raised the question of how Osama bin Laden and the 9/11 terrorists might have used the Internet to advance the planning of the 9/11 attacks. That article touched on both cryptography and steganography, the latter of which involves hiding a file within another file, such as hiding a secret message within a picture, audio or video file, so that it cannot be readily seen without further analysis. According to that 2001 article, federal authorities indeed “had found evidence that bin Laden’s group embedded secret missives in mundane e-mails and on Web sites,” thus verifying the use of steganography.

The Northeast Intelligence Network has previously addressed the issue of steganography as it applies to terrorist communications. In the al Qaeda publication known as “Camp al Battar,” a series of military-style publications previously posted on various Arabic language Internet forums, investigators from the Northeast Intelligence Network cited several references to the use of steganography as a method of communication. In issue 11 released in June 2004, for example, the terrorist author talks about using steganography as an alternative to cellular or satellite telephones to deliver important messages, as the electronic devices are likely being monitored by authorities.


Image courtesy of "Archangel"

It is interesting to point out that nearly four years later, one Arabic language web site is currently providing a “crash course” in the use of steganography, as found by “Archangel,” which is the Internet persona of one of the nation’s leading deep undercover researchers and analysts of Arabic language web sites and other intelligence sources.

Given the ever-growing number of files being posted to the Internet every day, in addition to those files already in existence within the virtual realm, it would be a nearly impossible task to know where to look for potentially encoded files. Images laden with encoded content, for example, do not necessarily have to be inherently Arabic and could be presented in various forms and formats. Perhaps some might appear on social networking sites, auction sites like eBay, or on a variety of commercial or even government sites. They might appear completely innocuous and far removed from suspicion. Once found, however, the task of decoding such files would be quite daunting.

In consideration of the above, the most logical question now becomes how investigators and counter-terrorism experts can best utilize their time and resources to locate potentially encoded files, identify the vital files, and then break the code of such communications.  The answer perhaps lies in one of the “mysteries” of 9/11 and by simply recalling and learning the lessons from the history of clandestine communications during warfare.

Ominous (but telling) 9/11 message from the enemy: “Air Force One is Next”*

“Air Force One is next,” read the message received by the U.S. Secret Service at 9 a.m. Sept. 11, after two hijacked planes struck the twin towers of the World Trade Center in New York. The terrorists’ message threatening Air Force One was transmitted in that day’s top-secret White House code words. As the clock ticked away, the Secret Service reached a frightening conclusion: The terrorists had obtained the White House code and a whole set of top-secret signals.

The above is from a WorldNetDaily Exclusive article published on September 20, 2001 under the title “Digital moles in White House?” Within that article, the question is asked: “Is there a mole, or more than one enemy spy in the White House, the Secret Service, the FBI, the CIA or the Federal Aviation Administration?” The most likely answer is as disturbing as the nature of the question, although it presents investigators with a far more manageable problem than relying solely on analyzing billions of files and communications.

Concurrent with the lessons on steganography as found by deep cover intelligence analyst “Archangel” are lessons on infiltrating critical areas of our national security and infrastructure. Information found in Arabic language terrorist forums provides instructions on how terrorist operatives, facilitators and sympathizers are to secure positions at web hosting companies, major communication companies, and even local, state and federal agencies. Once in place, these operatives can then use the company’s own assets, or our government’s own systems, having complete access to the entity’s computer systems.

In this respect, looking at one potential suspect provides better investigative focus than billions of files uploaded to the Internet. Isolating a human suspect by normal investigatory methods is far more efficient than a random search of files.

Like “dead drops” during the cold war made familiar through spy movies and novels, the entirety of the Internet can be considered one big “dead drop” for terrorist communications. Double agents of that era used dead drops to communicate information stolen or otherwise obtained from the enemy. Surveillance of the dead drops proved useful, but less so without having a suspect on which to focus surveillance. Unlike that era, we are fighting an enemy who uses, in part, legal means to acquire positions of trust and access to information critical to our national security. Instrumental to our enemy are a number of “civil rights” and “advocacy” groups that utilize all legal means at their disposal to ensure that private companies and government agencies alike do not discriminate against anyone because of their religious beliefs (which are irrevocably intertwined with their political agenda).

As a country, we can approach the problem from a less complicated direction, which would be to do our best to ensure that enemy infiltration does not occur, and that all such enemy assets already in place are immediately removed. Otherwise, the advocacy groups looking out for the rights of our enemy will ensure that we are forced to search for snippets of code within 28 billion images and billions more files of other types rather than stop the flow of communication from within.

*Edited for clarity: The 9/11 Commission Report addresses the alleged threat to Air Force One, code-named “Angel.” There continue to be unresolved conflicting reports about the type and nature of the threat to Air Force One, despite the 9/11 Commission investigation performed. At least one former White House official remains steadfast in confirming that a credible threat to “Angel” existed, although not through a complete breach of highly classified security codes as detailed by Debka and cited by WND. Information does suggest that some type of communication intercept or use of classified communication equipment did indeed occur, although much later than 9:00 AM ET.