The use of technology by terrorists is nothing new. Any technology is inherently dual use. For example, Russian-made Sky Grabber software, which costs $26 and was designed to access free-to-air satellite TV channels, was used by Al-Qaeda to intercept video feeds from US drones.
The threat posed by a technology is dependent upon its user. A smart phone being used by a criminal is still a smart phone; however, the conversations it now enables are very different from those for which it was designed. Similarly, the use of the application WhatsApp by ISIS battlefield commanders in Syria is perceived as a technology threat, while the use of the peer-to-peer application FireChat by Hong Kong democracy protesters recently is seen as laudable.
The reported use of WhatsApp and social media by ISIS as ‘a command and control network’ is just the latest example, but it raises some interesting dilemmas. It reopens the ‘common carrier’ debate: should service providers, not currently responsible for the content of messages crossing their networks, be responsible for identifying potential terrorist or criminal users? Governments may see this as desirable, but in practice, it is unlikely to be successful, as businesses have very little information about signs of terrorist activity, plus the potential to infringe on users’ civil liberties is a clear and present danger.
The debate today focuses on ‘ease of interception’ rather than actual feasibility. In the UK in 2011, police attempts to intercept riot organisers’ communications sent via Blackberry Messenger (BBM) were thwarted by the application’s encryption. The UK has since had marginal success in addressing this issue, at least in their own jurisdiction, but this does not always translate to international boundaries.
The lack of co-operation between technology companies and governments within the US and the UK highlights deeper mistrust and the unpredictable attitudes of society towards privacy. Ultimately, for any business, the need to attract and retain customers presents a greater incentive than going beyond simple compliance with legislation and regulation. As a result, businesses are likely to be faced with tough choices – the rumoured payment of $10m to security company RSA by the US Government to weaken its encryption products indicates that such action was not carried out for patriotic reasons alone. It is unlikely that an advert extolling the benefits of a product’s increased compliance with law-enforcement and interception will increase customer numbers.
In the future, the use of technology by terrorists is unlikely to change. Terrorist organisations are not bound by policy or business cases, and they assimilate new technologies more quickly than governments. Organisations must ensure products are both secure and private by design, while balancing their responsibilities to countries or governments alike. The balancing act of usability versus security will continue, with governments facing an immediate need to rebuild trust with society and align their incentives with those of businesses.
What is clear is that this is no longer an issue that can be addressed by nations in isolation. Security and privacy have a truly global remit: governments and multinational businesses must more closely align their expectations with their approaches to ensure they continue to meet the needs of their citizens and their customers, lest these conflicts inevitably endure.
By Daniel Carr, Cyber Security Specialist, AEGIS London
About AEGIS London
AEGIS London is a specialist insurer trading as a syndicate on the Lloyd’s of London insurance market in London, UK. It offers a range of cyber liability and insurance products and was the first insurer to launch a product focusing on the protection of operational technology against cyber attack.