A cyber-security OPSEC manual has apparently been making the rounds in Islamic State circles. Wired Magazine, which originally reported the existence of the OPSEC manual, was given it by Dr Aaron Brantly of the West Point military academy's Combating Terrorism Center. It details how to encrypt one's communications in order to prevent their interception by security services and governments.
While the Paris attackers who have reignited the debate over encryption did not in fact use encryption, one might imagine that protecting private communications would rank high in importance in the minds of those plotting terror attacks. This manual may go towards further confirming that IS militants and other terrorist groups do indeed use encrypted communication, potentially accelerating the passage of counter-legislation like the oncoming Investigatory Powers Bill.
The manual not only teaches the reader how to encrypt their communications to a fairly high level for a civilian, but also recommends certain apps and pieces of software such as, predictably, Tor, as well as things like ProtonMail, an encrypted email service started by CERN.
It also tells users how to remove the geotag data on photos, which, if left on, would allow anyone to see the exact location where the picture was taken. This is sometimes noted as a common mistake for IS militants using social media.
In the case of short-range communications, in the event of local internet services being cut off, the manual recommends things like The Serval Project, which allows those with the application to communicate directly within 200 metres of each other. SCMagazineUK.com spoke to Paul Gardner-Stephen, the technical architect and co-founder of the project, who said: “We create our software to enable vulnerable people to improve their situation. We do not condone or support violence by anyone.” As to whether the Serval Project ‘enables’ terrorism: “We all wish that toilets, roads, electricity and air could only be used responsibly, but their utility necessarily creates risk of their being misused.”
Gardner-Stephen has a point here: these apps were not created to enable terrorism, and as Brantly said, there is no sign that IS has invented its own encryption programmes. Brantly claimed to Wired that he and others from the Center had seen links to this particular manual on IS forums and social media accounts. But the manual itself did not originate with IS.
Cybervok, a Kuwait-based security company, originally published the manual for journalists reporting in Gaza during Operation Protective Edge last year. SCMagazineUK.com spoke to Abdullah AlAli, the CEO of Cybervok, who repudiates the idea that the manual his company created was an IS OPSEC manual: “We didn't find any evidence that the manual was abused by IS.” In fact, the version uploaded by Wired was apparently modified.
AlAli also notes that the Center ran the manual, originally written in Arabic, through Google Translate and may not have used an Arabic translator, which hampers the ability to actually analyse the document, even if it were authored by IS.
Cybervok wrote the manual for reporters in Gaza during the summer of 2014. AlAli noted that, “journalists in Gaza use Internet connectivity provided through Israel, Egypt or Hamas, and it is therefore subject to surveillance and control from different authorities, all of which can impose their own prerogatives. Journalists in Gaza need to use certain security practices to protect their stories from manipulation, and their sources from exposure.”
From this point it may have reached the hands of individuals affiliated with IS; the modified version seen by Wired was apparently uploaded by someone describing themselves as “Khaled from Gaza”.
AlAli also says that, “We also believe ISIS cannot make a lot of use of the content of the guide, since the guide focuses on integrity of information, privacy and authentication of communication parties.” He added that, “A militant group would theoretically be more interested in technologies that allow them to blend in, be anonymous, and be fully disposable.”
Still, Brantly's claim is not that it was an IS-authored manual, but that it is being circulated on IS channels. If that is true, then terrorist groups like IS have their hands on what Brantly described in Wired as the means to become “as good at OPSEC as you can get without being formally trained by a government.” It also means that the tools for encrypting communications, and potentially, say, for planning large terror attacks with a diminished risk of being surveilled by security services, are not too hard for militants to acquire. This kind of technology is not just easy to use but readily available, perhaps putting terrorists one step ahead of the governments that are so eager to have access to encrypted data, an eagerness articulated in proposed acts of government such as the Investigatory Powers Bill.
SC also spoke to Emily Taylor, associate fellow for international security at Chatham House and an internet governance expert, who said that while there might be reasons to fear IS, “weakening encryption is not an effective response.” Backdoors might sound good in theory but “in practice they pose an even greater threat to the security of communications. This is because the backdoors would also be exploited by bad actors.” Taylor added that what is required is “targeted surveillance with suspicion, and old-fashioned methods such as infiltration, and reconnaissance. We also need to redouble our efforts to prevent the radicalisation of young people within our own societies.”
Still, as Brantly told Wired, IS isn't made up of the cyber-masterminds that it might like to think: “There's a whole section on hacking” within the IS forums but, “They're not super-talented hackers, but they're reasonable.” Brantly and West Point's Combating Terrorism Center did not respond to a request for comment.