In the wake of the demise of Baitullah Mehsud, a Reuters blog did a piece on whether or not this would have any impact on the Pakistani insurgency. They quoted my statistical analysis of the decapitation strategy (not cutting off heads - eliminating the leaders of terrorist groups). My findings were, in short, that, well, it depends. As it happens I am revisiting the paper now, and the fact that it pops up so quickly when researching the issue only shows how thin research on the topic has been.
Broadly, I believe there are four categories of group in terms of their vulnerability to decapitation. Some groups are held together by a strong personality and may be vulnerable to decapitation strikes. Some groups are very robust, have extensive capabilities and deep benches of alternate leaders - these groups can and will respond to the loss of their leaders with revenge attacks. There are groups that will become more radicalized when they lose their leader. All three of these groups are the outliers. The most common groups will not necessarily be capable of carrying out a revenge strike, but will also not collapse at the loss of their leader. The open question then is whether or not the decapitation strike at least degrades the group's capabilities.
Mehsud probably falls in this category. The Pashtun insurgency is deep and has multiple components; it isn't going away quickly. However, it may be a step in the right direction - at the very least it is difficult to see how the Pashtun insurgency can become more radical than it is already.
To cite the classic maxim of academia, "More research is needed."
Here's the Reuters post:
Targeted killings inside Pakistan — are they working?
The death of Pakistani Taliban leader Baitullah Mehsud in a U.S. Predator strike last week - now considered a certainty by U.S. and Pakistani security officials - and subsequent reports of fighting among potential successors would seem to justify the strategy of taking out top insurgent leaders.
The Taliban are looking in disarray and fighting among themselves to find a successor to Mehsud, the powerful leader of the Tehrik-e-Taliban Pakistan, the umbrella group of militant groups in the northwest, if Pakistani intelligence reports are any indication. Top Taliban commanders have since sought to deny any rift, but they certainly look more on the defensive than at any time in recent months.
So is decapitation or targeting the heads of militant groups, as a strategy to destroy these organisations, beginning to work in Pakistan?
A considerable amount of research has gone into such a snake-head strategy, or the killing or capture of militant leaders, since Israel went down this road decades ago and the results are mixed.
Daniel Byman, Director of the Center for Peace and Security Studies at Georgetown University, says that while the U.S. strategy could tamp down the threat from al Qaeda, it can neither defeat the group nor remove it from its stronghold in Pakistan. In a piece for Foreign Affairs, Byman who previously studied the Israeli campaign of targeting enemy leaders, lays out the gains as well as the limits to such a strategy.
- A sustained campaign of targeted killings can disrupt a militant group tremendously, as slain leaders are replaced by less experienced and less skilled colleagues. This can lead the group to make operational and strategic mistakes, and over time, pose less of a danger. Moreover, constant killings can create command rivalries and confusion. Most important, the attacks force an enemy to concentrate on defense rather than offense.
And the limits as in Pakistan’s case are:
- The Predator strikes can force al Qaeda to watch its step in Pakistan, but it can still carry out some operations. Moreover, their local jihadi partners (such as Lashkar-e-Taiba) remain unaffected. So far, the strikes have been confined to tribal areas near the Afghan-Pakistani border, meaning that al Qaeda and the Taliban have been able to relocate parts of their apparatus further inside Pakistan, which may work to actually widen the zone of instability.
- Although Israel achieved some success through its campaign of targeted killings during the second intifada in the early years of this decade, it was able to fully shut down Palestinian militancy only by reoccupying parts of the West Bank and building a massive security barrier between itself and much of the Palestinian territories — options that are not available to the United States in Pakistan, Byman notes.
Over the longer term the results of the decapitation strategy are even more mixed. Aaron Mannes, a researcher at the University of Maryland, says his study “in general found that the decapitation strategy appears to have little effect on the reduction of terrorist activity.”
In fact he found a distinction between groups that are ideologically driven or nationalist-separatist ones like the IRA and ETA - and religious groups such as al Qaeda or Hezbollah. While the ideological groups were forced to restrict activity following a decapitation strike, the religious groups actually grew even more deadly. Hezbollah and Hamas are more robust organisations, which is an important criterion for surviving the loss of a leader, his study found.
Revenge also plays a key role in the upsurge of violence following the loss of a leader. Another explanation might be the rise of the most violent elements within a religious militant group to the fore. “Based on this data, decapitation strikes are not a silver bullet against terrorist organisations. In the case of religious groups, they may even be counter-productive,” he says.
Ultimately, as Nightwatch intelligence here notes, there is no alternative but to destroy the sanctuaries in which militant groups operate. And it is hard to see that being done through these “bolts from the blue.”
[File photograph of Baitullah Mehsud at a news conference, and a village in South Waziristan cleared of fighters loyal to him]
Saturday, August 15, 2009
Wednesday, August 5, 2009
Real Cyberwar: Mannes & Hendler in the Washington Times
This morning, The Washington Times ran an op-ed on cyberwar I co-wrote with my friend (and former boss) Jim Hendler. Much has been written about cyberwar, but very little of it is grounded in reality. Many over-hype the issue while others discount it completely. Much of the misinformation about cyberwar revolves around denial-of-service attacks, which are serious criminal activity but not much of a national security concern - we've written on this topic in the wake of Russian conflicts with Estonia and Georgia.
Here we try to inject a bit of sober and informed reason into the discussion.
Wednesday, August 5, 2009
Profile of a real cyberwar
Aaron Mannes and James Hendler
The denial-of-service (DoS) attacks that started on July 4 garnered typical headlines about cyberwar, but in fact, from a technical standpoint, those "attacks" may be the opposite of real cyberwar. A much less noticed report in Israel's leading daily, Ha'aretz, on Israel's operations against Iran's nuclear program may give greater insight into how cyberwar actually will work.
It is no secret that several countries, including the United States, China, Russia and Israel, have examined cyberwar capabilities. What those capabilities might be or how a cyberwar might look are shrouded in mystery. The denial-of-service attacks that made headlines are not it.
Those attacks are nothing more than the sending of enormous numbers of requests to servers, preventing Web sites from responding to legitimate traffic and interfering with e-mail. Competent information-technology professionals usually can mitigate these attacks, and even when successful, their impact -- from a national security standpoint -- is marginal.
The DoS attacks are carried out by botnets, thousands of compromised computers that can be commanded to simultaneously send e-mails or visit a Web site. The botnets are built using malware that attacks individual computers, often simply taking advantage of software that has not downloaded current security patches. Computers linked to government agencies have been compromised and have become part of botnets -- but this does not necessarily have tremendous security implications. Real cyberwar may require the opposite of the skills required for the DoS attacks that make headlines.
According to the article in Ha'aretz, Israeli intelligence has sought to systematically insert malware that can damage information systems within the Iranian nuclear program. It is believed those systems are not connected to the broader Internet and that the malware is inserted into equipment sold to the Iranian government.
This is the probable future cyberwar. Modern societies are complex networks of people, information systems and equipment. Enormous advantages will be obtained by powers that can quickly identify and neutralize critical nodes within the systems.
Critical government systems are run on Intranets, networks that are separate from the Internet. The most crucial systems, such as the command-and-control system for nuclear weapons, are believed to be air-gapped -- that is, they do not link to other systems. Most government Intranets do have points at which they interface with the Internet, and Intranets have been infected with malware from the Internet. However, Intranets are relatively controlled environments, so anomalous activity (at least theoretically) can be controlled and isolated quickly.
Because compromising those networks may be crucial in a military conflict, nation-states with serious cyberwar ambitions will carefully tailor malware for specific systems. This is the opposite of the malware that builds botnets by seeking low-hanging fruit.
The most serious cases of identity theft usually involve social engineering, tricking the target to reveal crucial information that facilitates the crime. The same may be true in tailoring attacks to critical networks. Most advanced nation-states have extensive infrastructures of contractors and academics that have both public roles and contacts with the security establishment. Social-network analysis could be used to identify individuals who are likely to have contacts within the security establishment and attempt to insert malware through them.
Imagine the now ubiquitous phishing attacks masquerading as e-mail from banks and credit card companies but instead designed by sophisticated intelligence agencies and carefully targeted at small communities.
What the malware might do when it gets into a system is an open question. Chinese hackers reportedly have infiltrated computers and manipulated them to remove sensitive documents, log keystrokes and trigger Web cameras. Whether these capabilities could operate for a substantial length of time on a secure Intranet is an open question. Any malware that entered a sensitive system might have a short life span and its designers would need to consider carefully how best to use this window. Alternatively, this malware may be embedded for long periods of time and activated when needed. Options might include relaying valuable information, manipulating information, damaging the network or providing information on the real-world location of crucial network nodes so that they can be destroyed physically.
However, cyberwar capabilities cannot be used lightly. Once malware is detected, the defenders can counter it and make their system stronger and more resistant to further infiltration.
In the heat of battle, the ability to penetrate an enemy information network could be crucial. However, in the long-term dialectic of war, in which sides continually respond to one another's innovations, cyberwar will become another facet of conflict -- at times decisive and at other times peripheral. The nations that first master cyberwar could obtain a fundamental advantage at the beginning stages of a conflict. Nations that ignore cyberwar will do so at their own peril.
Aaron Mannes is a researcher at the University of Maryland. James Hendler is a professor of computer science at Rensselaer Polytechnic Institute.