Jared Cohen - The New Digital Age

It takes only one mistake or weak link to compromise an entire network. A Navy SEAL Team Six member we talked with described a top al-Qaeda commander who was exceptionally cautious around technology, always swapping phones and rarely speaking for very long. But while he was careful with his professional life, he was careless with his social one. At one point, he called a cousin in Afghanistan to say he planned to attend a wedding. That one misstep gave authorities enough information to find and capture him. Unless a terrorist is acting completely alone (which is rare), and with perfect online discipline (even rarer), there is a very good chance that somewhere in the chain of events leading up to a planned attack, he will compromise himself in some way. There are simply too many ways to reveal oneself, or be revealed, and this is very encouraging in contemplating the future of counterterrorism.

Of course, amid all of the smart and savvy cyber terrorists there will be dumb ones, too. In the trial-and-error period of connectivity growth, there will be plenty of demonstrations of inexperience that might seem laughable to those of us who grew up with the Internet. Three years after the Canadian journalist Amanda Lindhout was kidnapped in Somalia—she was held for fifteen months by al-Shabaab extremists and finally released for a hefty ransom—her former captors contacted her on Facebook, issuing threats and inquiring about more money. Some were dummy accounts, set up with the sole purpose of harassing her further, but others appeared to be genuine personal Facebook accounts. It seems unlikely that the terrorists understood the degree to which they’d exposed themselves—not just their names and profiles, but everyone they were connected to, everything they’d written on their own and others’ Facebook pages, what websites they’d “liked,” and so on. Each such exposure, of course, will represent a teachable moment for other extremists, enabling them to avoid the same errors in the future.

It is estimated that more than 90 percent of people worldwide who have mobile phones keep them within three feet of themselves twenty-four hours a day. There is no reason to believe this won’t be true for extremists. They might adopt new routines that help protect them—like periodically removing the battery from their phones—but they won’t stop using them altogether. This means that counterterrorist raids by militaries and law enforcement will result in better outcomes: capture the terrorist, capture his network. Interrogations post-capture will remain important, but each device used by a terrorist—mobile phones, storage drives, laptops and cameras—will be a potential gold mine. Commandeering a captured terrorist’s devices with the rest of his network unaware will lead his cohorts to unwittingly disclose sensitive information or locations. Additionally, the devices might contain content that can be used to expose hypocrisy in a terrorist’s public persona, as American officials did when they revealed that the computer files taken from Osama bin Laden’s compound contained a large stash of pornographic videos. Of course, once this vulnerability becomes apparent, more sophisticated terrorists will combat it by having an abundance of technology with misleading information on it. Deliberately storing personal details about rivals or enemies on devices that find their way into the hands of law enforcement will be a useful form of sabotage.

No Hidden People Allowed

As terrorists develop new methods, counterterrorism strategists will adapt accordingly. Imprisonment may not be enough to contain a terror network. Governments may determine, for example, that it is too risky to have citizens “off the grid,” detached from the technological ecosystem. To be sure, in the future, as now, there will be people who resist adopting and using technology, people who want nothing to do with virtual profiles, online data systems or smart phones. Yet a government might suspect that people who opt out completely have something to hide and thus are more likely to break laws, and as a counterterrorism measure, that government will build the kind of “hidden people” registry we described earlier. If you don’t have any registered social-networking profiles or mobile subscriptions, and on-line references to you are unusually hard to find, you might be considered a candidate for such a registry. You might also be subjected to a strict set of new regulations that includes rigorous airport screening or even travel restrictions.

In a post-9/11 world, we can already see signs that even countries with strong civil-liberties foundations jettison citizen protections in favor of a system that enhances homeland surveillance and security. That will only accelerate. After some cyber-terrorist successes, it will be easier to persuade people that the sacrifices involved—essentially, a heightened level of governmental monitoring of online activity—are worth the peace of mind they will bring. The collateral damage in this scenario, besides the persecution of a small number of harmless hermits, of course, is the danger of the occasional abuse or poor judgment by government stewards. This is yet another reason it will be so important to fight for privacy and security in the future.

The push-pull between privacy and security in the digital age will become even more prominent in the coming years. The authorities responsible for locating, monitoring and capturing dangerous individuals will require massive, highly sophisticated data-management systems to do so. Despite everything individuals, corporations and dedicated nonprofit groups are doing to protect privacy, these systems will inevitably include volumes of data about non-terrorist citizens—the questions are how much and where. Currently, most of the information that governments collect on people—their addresses, ID numbers, police records, mobile-phone data—is siloed in separate places (or is not even digitized yet in some countries). Its separation ensures a degree of privacy for citizens but creates large-scale inefficiencies for investigators.

This is the “big data” challenge that government bodies and other institutions around the world are facing: How can intelligence agencies, military divisions and law enforcement integrate all of their digital databases into a centralized structure so that the right dots can be connected without violating citizens’ privacy? In the United States, for example, the FBI, State Department, CIA and other government agencies all use different systems. We know computers can find patterns, anomalies and other relevant signifiers much more efficiently than human analysts can, yet bringing together disparate information systems (passport information, fingerprint scans, bank withdrawals, wiretaps, travel records) and building algorithms that can efficiently cross-reference them, eliminate redundancy and recognize red flags in the data is an incredibly difficult and time-consuming task.

Difficult does not mean impossible, however, and all signs point toward these comprehensive integrated information systems’ becoming the standard for modern, wealthy states in the near future. We had the opportunity to tour the command center for Plataforma México, Mexico’s impressive national crime database and perhaps the best model of an integrated data system operating today. Housed in an underground bunker in the Secretariat of Public Security compound in Mexico City, this large database integrates intelligence, crime reports and real-time data from surveillance cameras and other inputs from agencies and states across the country. Specialized algorithms can extract patterns, project social graphs and monitor restive areas for violence and crime as well as for natural disasters and other civilian emergencies. The level of surveillance and technological sophistication of Plataforma México that we saw is extraordinary—but then, so are the security challenges that Mexican authorities face. Therein lies the challenge looking ahead: Mexico is the ideal location for a pilot project like this because of its entrenched security problems, but once the model has been proven, what is to stop other states with less justifiable motivations from building something similar? Surely other governments can play the security card and insist that such a sophisticated platform is necessary; what might stop them?