Terrorist groups are not all completely dumb
“You must not fight too often with one enemy, or you will teach him all your art of war” — Napoleon
There is a strong and persistent narrative from some areas of the national security community that maintains that “terrorists became more OpSec savvy after the Snowden leaks, particularly with regards to encryption, and therefore the Snowden documents are directly the source of increasingly sophisticated terrorist tradecraft.” This narrative does not match well with the facts, as publicly available, and is dangerously dismissive of terrorist sensemaking, “lessons learned” and organizational learning capabilities.
It may be comforting to believe that terrorists are unable to develop stronger security practices without someone from the West directly helping them (traitor!), but it is a dangerously naive belief. Underestimating the adaptive learning capabilities of an adversarial group is not a winning strategy.
Theories on Teaching Human Beings
The central thesis of the “Snowden documents betrayed us” narrative is that adjustments in the security posture of terrorist groups are a direct result of reading the Snowden docs. This thesis requires that reading documents is one of the most effective means of learning that leads to altered behavior. This is, shall we say, not a widely held belief within the academic community, particularly amongst those who study learning.
Human behavior is very simple, in some regards. Reading is a relatively poor way to learn new behavior. Actively practicing is better. But for something to really stick, nothing beats experiencing a painful lesson from failure. The timeline of ISIS’ advancing sophistication in COMSEC practices quite clearly shows that reading Snowden docs has not been as informative as directly experiencing security failures.
Personally, I would be hesitant to attribute terrorist OPSEC procedures directly to the Snowden revelations. On a scale of “import” I wouldn’t rank the documents as high as: sensemaking following direct observation of operational failures due to use of non-secure tools, techniques and procedures.
Terrorist Security Improvements
At least with ISIS, the movement towards encryption happened far after the Snowden revelations and seems to be part of a “lessons learned” process where they are actively migrating away from techniques that have been shown to be compromised.
I have collected what is directly documented about ISIS COMSEC practices in a timeline. A timeline of Snowden document releases is available from Wikipedia. Using these timelines, as well as other events, it is possible to see which events had a direct impact on hardening terrorist security practices.
Legion of Doom Conference Call (AQ) — August, 2013
In late 2013, months after the Snowden leaks began, there was a story about “the conference call” of “the Legion of Doom.” Intercepted messages between far-flung leaders of the al Qaeda network were leaked to journalists, along with a lot of background. The technology involved was not actually phones, as later corrected.
CNN has also learned that the al Qaeda leaders communicated via some kind of encrypted messaging system, with multiple points of entry to allow for various parties to join in. — Source
Given al Qaeda’s long standing love affair with private forums, it was likely some type of message forum with a chat backend.
— switched (@switch_d) February 6, 2014
Despite the Snowden leaks clearly showing that NSA hacks web servers, al Qaeda were still using them as a core pillar of their COMSEC strategy. After the revelations in the media, al Qaeda ceased using this form of communication. Lesson learned.
Charlie Hebdo (al Qaeda and ISIS) — January 7 & 8, 2015
“The phone tapping yielded nothing,” Marc Trévidic, the chief terrorism investigator for the French judicial system, said in an interview. “If we had continued, I’m convinced it wouldn’t have changed anything. No one talks on the phone anymore” [emphasis added] Source
The Charlie Hebdo attack (attributed to al Qaeda in the Arabian Peninsula) and the related assault on a Jewish grocery store (attributed to ISIS) revealed a bit of information about the COMSEC practices of the two terrorist cells. The first cell, which targeted Charlie Hebdo’s offices, was comprised of two brothers who lived together. Clearly, face to face meetings would be sufficient for planning (they did not seem to leave a digital trail of communications activity). The second cell, consisting of only Amedy Coulibaly, attacked the kosher deli.
Coulibaly was a single operative in extensive contact with a handler based “outside France,” most likely in Syria. The two used email, mostly encrypted but also plain text, as well as multiple SIM cards and email accounts. Encryption was not the central security component of their COMSEC procedure (it was used inconsistently). Migrating through email addresses (a known technique used by AQAP) along with the handler using an IP masking technology (the IP was traced to the US) were also important. For ISIS, this was a successful operation even though they were inconsistent with their use of encryption.
Verviers (ISIS) — FOILED January 15, 2015
An ISIS cell based in Verviers, Belgium, was controlled and directed by Abaaoud from Athens, Greece. This control was managed using plain telephone calls (and SMS). Timing wise, the ISIS operatives, particularly their “emir” Abaaoud, must have been aware of the Snowden revelations — and yet… they used phone calls. Over a year after the Snowden documents revealed that the NSA was actively monitoring phone calls! This is not an organisation that has learned from the Snowden documents.
At this time (January 2015) Abaaoud’s ISIS cell knows less about operational security than either the AQAP cell that attacked Charlie Hebdo, or the ISIS operative that attacked the kosher grocer, earlier that month. After the Verviers cell was interdicted by Belgian security forces the use of telephone calls for operational direction appears to have ceased. Lesson learned.
Garland, Texas (ISIS) — May 3, 2015
Two men, acting under the direct encouragement of ISIS (possibly Junaid Hussain), failed in their attack on an event in Texas. There were at least “109 encrypted messages” exchanged between the attackers and their contact at ISIS. Given the timing and possible link to Junaid Hussain, the messenger used was very possibly SureSpot. [Any additional information on these points is welcomed.]
Although the attack itself was a dismal failure for ISIS, the attackers were not interdicted due to COMSEC failures. Using an encrypted messenger (possibly SureSpot) was sufficient to allow direct contact with an ISIS member (possibly Junaid Hussain) without compromising the operation. Lesson learned.
A Note on Encrypted Messengers
If ISIS learned to use encrypted messengers from reading the Snowden documents, then they would, in theory, treat them all equally. One encrypted platform is as good as another, after all. ISIS actually has strong preferences though:
- Android is a requirement, Apple iOS is forbidden by fatwah (they believe it is used for tracking by the CIA)
- Free. ISIS operatives, as a rule, don’t buy software from the Google Play Store
- Strong network effects. Although ISIS has put out documents ranking secure messengers, they seem to follow “fads” just like everyone else
For a while, in 2015, ISIS was promoting the use of the SureSpot encrypted messenger. Even though it is an encrypted messenger, and therefore should be “a post-Snowden solution,” there is a clear indication that they stopped using it after it was demonstrated that it was a fatal tool. Junaid Hussain used it to communicate with supporters in multiple countries. After SureSpot was used as the vector to locate and kill Hussain, ISIS stopped using and promoting it. Lesson learned.
Reda Hame, ISIS Operative — August, 2015
One example of a technique used by ISIS that should, in theory, be known as a “bad idea” because of Snowden document releases, is the TrueCrypt volume on a file sharing site (digital dead drop) taught to Reda Hame in mid-2015.
Snowden documents released in late January 2015 clearly state that NSA actively monitors file sharing sites. This was widely reported. It is well known that encrypted content does not protect metadata, and that encryption itself attracts attention. Snowden commented directly:
@rcallimachi 2) That they're using filelockers for comms — of which monitoring was public — underlines how little ISIS learns from news.
— Edward Snowden (@Snowden) March 29, 2016
@rcallimachi 3) From personal experience, nothing drew my interest more than encrypted traffic from a known target. It "glows on the wire."
— Edward Snowden (@Snowden) March 29, 2016
@rcallimachi 4) Remember: even w encrypted comms, metadata reveals *all* on-net activity. That comms happened? Always yes. Content of? no.
— Edward Snowden (@Snowden) March 29, 2016
An organisation that used the Snowden documents as a counterintelligence primer on NSA capabilities would know that:
- File sharing sites are actively monitored by LEVITATION
- Encrypted data attracts NSA attention (they archive it indefinitely)
- Metadata via network traffic flows is collected by NSA
Therefore, uploading an encrypted file from France, and downloading it in Syria, would be exactly the sort of thing that NSA would notice immediately. And yet ISIS used — or at least trained one person to use — that very technique. Apparently ISIS is not learning as much from the Snowden docs as has been alleged.
The capture of Hame was not related to this secure communication technique because he never used it. Information he revealed about a fellow ISIS operative sent to Europe at the same time allowed security forces to interdict him. Poor OPSEC practices (bad compartmentation) allowed one operative to compromise another cell. Abaaoud would learn this lesson by the time he initiated the Paris operation.
Paris (ISIS) — November 15, 2015
For the Paris operation ISIS began sending operatives into Europe months in advance. At this point in time Abaaoud has learned that secure communication using mobile messengers is possible (he has been in contact with his female cousin via WhatsApp for months). ISIS knows that using face to face meetings is a secure method of communication. And indeed, the operatives make extensive use of communal safe houses indicating that they were in face to face contact.
ISIS has learned about OPSEC, as shown by the capture of two operatives in Austria. These two, who maintained contact with ISIS via WhatsApp, were meant to join up with Abaaoud’s cell in Belgium and take part in the Paris attacks. Due to delays in their travel they were too late to participate.
They knew their destination was France, but the men said they had not been given precise instructions on when or where the attacks would unfold. They also were unaware of the identities of the other Paris attackers besides the two Iraqi militants they had traveled with. They were to get further instructions along the way.
The Islamic State commander who spoke to The Post said that was the way the group was seeking to operate.
“The cells don’t necessarily know one another; that’s to protect other operatives,” he said. “So even if one or two get arrested, they won’t be able to lead to other operatives, because they don’t know them…” — Source
The Paris operation was organised using a combination of face to face meetings in safehouses, burner phones, possibly encrypted messengers (probably Telegram, maybe WhatsApp), phone calls and SMS. The extensive use of burner phones for very short durations could suggest that Abaaoud believed his failure with the Verviers cell may have been related to using the same phone and SIM for too long. There’s no clear link to a Snowden document for this tactic. For a terrorist organisation, a successful operation involving many COMSEC tools, techniques and procedures doesn’t provide granular feedback. Failure is the better teacher.
Mecca (ISIS) — FOILED, May 6, 2016
An ISIS cell in Mecca was interdicted by Saudi security forces. By this time ISIS militants are using Android phones with taped over cameras (the black tape on a white phone really attracts attention) and mobile messaging apps, such as WhatsApp, no SMS. The webcam on the laptop is also taped over.
There is not enough public information on this event to tell what led security forces to interdict this cell. However, the accumulation of lessons learned from years of experience is clearly on display.
Credit where credit is due
In an adversarial conflict between organizations, there is going to be evolution in tools, techniques and procedures (TTP) over time. The “blame Snowden for everything” approach seems to rely heavily on “trust us, we know” statements from intelligence officials, but ignores direct evidence that terrorists can learn to adapt, and indeed the timelines of documented terrorist security changes indicate that direct experience plays a stronger role in adjusting OPSEC procedures than the Snowden papers (many of which were written before secure messaging apps for smartphones even existed.)
The public evidence shows that Snowden had less of an impact than some people suggest. There is extensive evidence of Islamic terrorist interest in encryption predating Snowden by over a decade. Terrorists are just as capable of sensemaking and adjusting their procedures as any other organization.
The “Snowden fucked us!” rhetoric places blinders on security forces because they fail to observe the direct evidence that terrorists are capable of organizational learning. Insisting that terrorists only use encryption because of Snowden is to ignore the evidence that terrorists are adaptive and capable of learning from mistakes; that they operate in ways which contradict the Snowden docs; and that they have been using encryption since before the Snowden docs were leaked.
In short, they’re learning by experience, not by reading the manual.
Disclaimer: I am not taking a position on Snowden’s actions. Simply attempting to point out that the data strongly suggests terrorist organisations are capable of learning from mistakes. There is no political point I’m advocating, other than — security forces should not underestimate terrorist groups’ ability to learn and adapt from experience.