Monitoring and tapping the mobile activity among prisoners is another option for law enforcement. The intelligence gathered from listening in could, among other things, shed light on how illicit networks operate. A more subversive solution could be to intentionally co-opt the contraband networks by getting devices into prisoners’ hands that are actually filled with traps to inadvertently give up information. Loaded with malware that will allow activity on each phone to be traced, these phones would be designed to give up secrets easily without inmates’ knowledge. This may ultimately prove more effective than human informants, and safer, too.
Some societies will ensure that a prisoner disappears from the Internet entirely while behind bars. By court order his virtual identity would be frozen, laws would prevent anyone from trying to contact, interact with or even advertise to his frozen profile, and once he was released, he would be required to provide his probation officer with access rights to his online accounts. The digital-age equivalent of an ankle bracelet will be government-imposed software that tracks and restricts online activity, not just for the obvious cases like child molesters (whose Internet activity is sometimes restricted as a condition of probation) but for all convicted criminals for the duration of their probation.2 Someone found guilty of insider trading could be temporarily barred from all forms of e-commerce: no trading, online banking or buying things on the Internet. Or someone subjected to a restraining order would be restricted from visiting the social-networking profiles of the targeted person and his or her friends, or even searching for his or her name online.
Alas, many of these solutions will be circumvented in the age of cyber terrorism, as more and more criminals operate invisibly.
The Rise of Terrorist Hackers
How serious someone considers the threat of cyber terrorism likely depends on that person’s view of hacking. For some, the image of a basement-dwelling teenager commandeering phone systems for a joyride endures, but hacking has developed considerably in the past decade, transformed from a hobby into a controversial mainstream activity. The emergence of “hacktivists” (politically or socially motivated hackers) and groups like the hacking collective Anonymous signals a maturation of message and method and hints at what we can expect in the coming years. Increasingly, hackers will find ways to organize themselves around common causes. They will conduct sophisticated attacks on whomever they deem a proper target and then publicize their successes widely. These groups will continue to demand attention from the governments and institutions they attack, and their threats may come to be taken more seriously than one might expect judging from today’s activities, which mostly seem like stunts. The story of WikiLeaks, the secrets-publishing website we discussed earlier, and its sympathetic hacker allies is an illustrative example.
The arrest of WikiLeaks’ cofounder Julian Assange in December 2010 sparked flurries of outrage around the world, particularly among the many activists, hackers and computer experts who believed his indictment on sexual-assault charges was politically motivated. Shortly thereafter, a series of cyber attacks crippled, among others, the websites for Amazon, which had revoked WikiLeaks’ use of its servers, and MasterCard and PayPal, which had both stopped processing donations for WikiLeaks.
This campaign, officially titled Operation Avenge Assange, was coordinated by Anonymous, a loosely knit collective of hackers and activists already responsible for a string of prominent DDoS attacks against the Church of Scientology and other targets. During Operation Avenge Assange, the group vowed to take revenge on any organization that lined up against WikiLeaks: “While we don’t have much of an affiliation with WikiLeaks, we fight for the same reasons. We want transparency and we counter censorship. The attempts to silence WikiLeaks are long strides closer to a world where we cannot say what we think and are unable to express our opinions and ideas. We cannot let this happen.… This is why we intend to utilize our resources to raise awareness, attack those against and support those who are helping lead our world to freedom and democracy.” The corporate websites were back online within several hours, but their disabling was very public and could have affected millions of customers. Most of those customers had no idea the websites were vulnerable in the first place. In other words, the hacktivists made their point. A string of global investigations followed, leading to the arrest of dozens of suspected participants in the Netherlands, Turkey, the United States, Spain and Switzerland, among other states.
Neither WikiLeaks nor groups like Anonymous are terrorist organizations, although some might claim that hackers who engage in activities like stealing and publishing personal and classified information online might as well be. The information released on WikiLeaks put lives at risk and inflicted serious diplomatic damage.3 And that’s the point: Whatever lines existed between the harmless hackers and the dangerous ones (or between hackers and cyber terrorists, for that matter) have become increasingly blurred in the post-9/11 era. Decentralized collectives like Anonymous demonstrate clearly that a collection of determined people who don’t know each other, and without having met in person, can organize themselves and have a real impact in virtual space. In fact, no critical mass is necessary—an individual with technical prowess (computer-engineering skill, for example) can commandeer thousands of machines to do his bidding. What will happen in the future when there are more of these groups? Will they all fight on the side of free speech? Recent examples suggest we should begin preparing for other possibilities.
In 2011, the world met a twenty-one-year-old Iranian software engineer, apparently working in Tehran, who called himself Comodohacker. He was unusual compared to other hacktivists, who generally combat government control over the Internet, because as he told The New York Times via e-mail, he believed his country “should have control over Google, Skype, Yahoo!, etc.” He made it clear that he was intentionally working to thwart antigovernment dissidents within Iran. “I’m breaking all encryption algorithms,” he said, “and giving power to my country to control all of them.”
Boasting aside, Comodohacker was able to forge more than five hundred Internet security certificates, which allowed him to thwart “trusted website” verification and elicit confidential or personal information from unwitting targets. It was estimated that his efforts compromised the communications of as many as three hundred thousand unsuspecting Iranians over the course of the summer. He targeted companies whose products were known to be used by dissident Iranians (Google and Skype), or those with special symbolic significance. He said he attacked a Dutch company, DigiNotar, because Dutch peacekeepers failed to protect Bosnian Muslims in Srebrenica in 1995.
Just months after Comodohacker’s high-profile campaign, another ideological hacktivist from the Middle East emerged. He called himself OxOmar, claimed to live in Riyadh, Saudi Arabia, and declared that he was “one of the strongest haters of Israel” who would “finish Israel electronically.” In January 2012, he hacked into a well-known Israeli sports website and redirected visitors to a site where they could download a file that contained four hundred thousand credit-card numbers (most of these were duplicates, and the total number of compromised cardholders was closer to 20,000). He claimed to represent a group of Wahhabi hackers, Group-XP, who wrote in a statement, “It will be so fun to see 400,000 Israelis stand in line outside banks and offices of credit card companies … [and] see that Israeli cards are not accepted around the world, like Nigerian cards.” Weeks later, when the websites of Israel’s El Al Airlines and its stock exchange were brought down with DoS attacks, OxOmar told a reporter that he had teamed up with a pro-Palestinian hacker group called Nightmare and that the attacks would be reduced if Israel apologized for its “genocide” against Palestinians. Israel’s deputy minister of foreign affairs, Danny Ayalon, said he considered it a “badge of honor that I have been personally targeted by cyber-terrorists.” He later confirmed the attacks on his Facebook page but added that hackers “will not silence us on the Internet or in any forum.”
Was Comodohacker really a young Iranian engineer? Did OxOmar really coordinate with another group to launch his attacks? Were these hackers individuals, or actually groups? Could either or both of these figures just be constructs of states looking to project their digital power? Any number of scenarios could be true, and therein lies the challenge of cyber terrorism in the future.
Because it is very difficult to confirm the origins of cyber attacks, the target’s ability to respond appropriately is compromised, regardless of who claims responsibility. This obfuscation adds a whole new dimension to misinformation campaigns, and no doubt states and individuals alike will take advantage of it. In the future, it will be harder to know who or what we are dealing with.