Authors: Adam Henschke and Scott Robbins
Keywords: encryption, hacking, dark-web, cyberspace, tor
This paper looks at cyberspace as a zone of conflict: a ‘space’ in which terrorists now operate and in which counter-terrorist operations are conducted. Terrorist groups like Al-Qaeda (AQ) and so-called IS are particularly active in cyberspace; they use it to organize their actions, spread propaganda, recruit foreign fighters and remotely radicalize lone wolf/small group actors in domestic terrorism. Running parallel to this is the recognition by many governments that cyberspace presents a general challenge to national security.
There are three sorts of conflicts happening in the zone of cyberspace: what can be loosely termed physical conflicts, logistical conflicts, and informational conflicts. Physical conflicts in cyberspace result in impacts in the physical world, e.g. Israel’s cyber-attack on the Syrian radar site at Tall al-Abuad. These can inflict harm on people or cause physical damage, but also include political, economic and social impacts in the world beyond cyberspace. This type of conflict in cyberspace by and large has not occurred with terrorists as protagonists; however, recent examples involving state actors show that this is a possibility which cannot be ignored. Logistical conflicts in cyberspace involve criminal activities like recruitment, financing, logistics, communication etc. Approximately 20% of the foreign fighters who joined with so-called IS were recruited from the West. Informational conflicts are the attempt to control narratives surrounding events in order to promote one’s agenda. So-called IS’s use of the internet to distribute beheading videos is a prime example of this.
In order to use cyberspace effectively as a zone for these conflicts, terrorists and counter-terrorism agencies use a variety of tools and tactics specific to cyberspace like encryption, hacking, and ransomware. The tools used by (or that could be used by) terrorists will be listed and described. Finally, cyberspace presents opportunities for counter-terrorism.
The “Morris Worm” in 1988 was one of the first cyber-attacks and affected around 60,000 computers – rendering them unusable. Since then there has been an evolution in cyber-attacks and tools to prevent them. Symantec discovered over 430 million “new unique pieces of malware in 2015” with a 35% increase in ransomware compared with 2014. Cyberspace is a space in which malicious actors increasingly operate.
Terrorism is typically defined by reference to physical violence or its threat; it is the deliberate use of violence and/or a threat to use violence against innocent people for political or ideological ends and does so by spreading fear (terrorizing) through maximizing publicity of their violent acts. To date, there have not been accounts of terrorist organizations using cyberspace to inflict physical harm. Focusing therefore on non-violent aspects of terrorism, communications have long been a key part of any terrorist activity. Historian Walter Laqueur claims (in A History of Terrorism):
The success of a terrorist operation depends almost entirely on the amount of publicity it receives…Thus in the final analysis, it is not the magnitude of the terrorist operation that counts but the publicity; and this rule applies not only to single operations but to whole campaigns.
Cyberspace is of course ideal as a communication tool. Psychological impacts are essential to any effective differentiation of terrorism from other acts or threats of violence. What cyberspace adds is a set of ways that influence and extend those psychological impacts. A focus on communications and psychological impacts fits with current trends in academia and policy where focus is placed on the role the internet plays in spreading terrorist propaganda or supporting terrorist actions.
To explain what this means, a paradigm example of a terrorist act might be the bombing of a market place to undermine confidence in a government’s abilities to keep its people safe. If the terrorist act was planned and coordinated using encrypted email services, then cyberspace has enabled the terrorist action. Further, if the terrorist group filmed the event and distributed the footage using platforms like YouTube and social media like Twitter, then cyberspace has acted as a way to enable global distribution of the terrorist’s message. In this case, cyberspace is part of the larger complex terrorist action. While the recent trend of low tech attacks using knives, guns and cars harkens back to a pre-dynamite era of terrorism, the opportunities of cyberspace, with propaganda outlets like Rumiyah, mean that terrorist groups can orchestrate, communicate and claim to be the inspiration for technologically unsophisticated acts through technologically advanced means. While modern terrorism still relies on acts of violence, cyberspace changes how those violent acts are communicated and understood.
The two main terrorist actors in cyberspace are AQ and so-called IS (and their affiliates). Looking at their practices and evolution, there is a strong argument to be made that cyberspace has played the key role in the evolution of modern terrorism. The former Director of the UK’s signals intelligence service, the General Communications Headquarters (GCHQ) Robert Hannigan wrote in November of 2014 that “[t]he web is a terrorist’s command-and-control network of choice”. AQ, for example, used the internet for recruiting, training, and operational planning.
Seeing the opportunity offered by cyberspace, the notion of an ‘internet jihadi’ was supported by leading jihadist forums al-Fida and Shumukh al-Islam:
[A]ny Muslim who intends to do jihad against the enemy electronically, is considered in one way or another a mujaheed, as long as he meets the conditions of jihad such as the sincere intention and the goal of serving Islam and defending it, even if he is far away from the battlefield. He is thus participating in jihad indirectly as long as the current contexts require such jihadi participation that has effective impact on the enemy
This has prompted national security agencies to recognize that the internet has come to be the prominent instrument used by terrorist organizations to radicalize youth – maybe more important than conventional meeting spaces.
So-called IS took the AQ interest in cyberspace and developed it even further. IS has a sophisticated understanding and use of social media to support its goals. They have been particularly active on Twitter. A 2015 study by the Brookings Institute showed that around 46,000 Twitter accounts were created and used by IS supporters. Furthermore, their actions on Twitter indicate a high level of creativity and care. They have hijacked hashtags like #Brazil2014 during the World Cup to spread their propaganda videos. Following directly from global media coverage, so-called IS were then able to use social networking and secure communication websites as part of their international recruitment campaigns. Further to this, given the security risks posed by activity on social media, they have taken steps to ensure that social media is only used for propaganda – not logistical and operational planning which could be vulnerable to surveillance.
Similarly, so-called IS gained early notoriety by posting graphic videos of beheadings online. Again, displaying a close attention to how they are perceived, once the initial shock had worn off, these highly gruesome videos were scaled back somewhat, as it seemed that their extremely graphic nature was no longer attracting foreign fighters. This parallels so-called IS’ concern to present a complex and religiously devout image of their actions online. In addition to the shocking and glossy images, they showed images of soldiers eating Snickers bars and taking care of kittens. This could make the caliphate more inviting.
The dimensions of the conflict in cyberspace can be broken up into physical, logistical and informational outreach. While these distinctions overlap (the political impact, for example, is in part about informational outreach), the point here is to draw out the different ways that cyberspace can be used by malicious actors.
4.1 The Physical Dimension
Cyberattacks – where cyber actions with malicious intent have impacts on the physical world – have so far not been the province of terrorist actors. That said, physical cyberattacks can and do occur. The development and deployment of Stuxnet, where a complex computer virus caused physical damage to Iranian nuclear enrichment facilities, is a well referenced example showing a proof of concept – cyber means can cause physical damage. More recently, a series of power grids were shut down in the Ukraine through cyber means. It is therefore possible that terrorists could use cyber means to cause physical damage. And, insofar as physical damage constitutes a terrorist act, then we have the possibility for cyberterrorism. To date, however, cyberattacks causing comprehensive and significant physical impacts are typically constrained to extremely well resourced complex actions, which are dependent upon a state or equivalent body to provide the resources. Thus, though physical acts of cyber violence are possible, they are, to date, improbable.
Considering impacts in the physical realm beyond the strictly physical, cyberspace also impacts our world in political, social and economic ways. On political impacts, there are a range of ways that cyberspace plays an important role in politics. Parts of the hacker group, Anonymous, were actively engaged in supporting the Arab Spring events of 2011 through technical support of. A number of liberal democracies are increasingly worried that their elections have been influenced by state-based hacks and active distribution of ‘fake news’. Hillary Clinton attributed part of her 2016 election loss to alleged Russian hacking of her campaign email. The release of government and national security documents by WikiLeaks and Edward Snowden has had widespread domestic and international political impacts. Cyberspace impacts politics, and if we take terrorism to have a political agenda, then we have proof of concept that cyberspace can enable terrorist activities.
Acts in and using cyberspace can also have economic impacts. The US, for example, claims that hacking and data exfiltration have led to the loss of intellectual property worth hundreds of millions of dollars and have national security implications. Similarly, Russia has been accused of being behind a series of complex cyber-attacks on internet-reliant services in countries like Estonia, Georgia and the Ukraine. North Korea was accused of hacking the Japanese private company Sony and releasing private emails. In each case, the disruptions directly cost millions of dollars and likely had an indirect negative impact on ongoing investment and development in those countries due to a loss in confidence.
Given its integration into people’s lives and its spread beyond geographic boundaries, cyberspace can also have social impacts. For instance, cartoons seen to be disrespectful to Mohammed by a Danish newspaper were circulated on the internet, enflaming tensions and leading to riots in and a series of deaths. Similarly, so-called IS received global media coverage of their actions through savvy use of social media, leading to a surge in foreign fighters. The point here is that cyberspace affords social impacts, and modern terrorists are willing to use the global spread of the internet to disrupt cultures and communities around the world.
4.2 The Logistical Dimension
Cyberspace affords terrorists the capacity to coordinate activities and to plan terrorist acts in a way that is not bound to geography and – depending on the skills and commitment to informational security – that is protected against surveillance.
4.2.1 Logistics: Internal Communications
Following the sustained military campaigns against them in Afghanistan, AQ saw a need to disperse geographically. However, this simply increased the need for communication. Cyberspace afforded AQ the tools to decouple itself from a particular geographic location. But the ability to command and control people through cyberspace brings with it issues of communications security. For instance, AQ used the Dark Web as a communication tool for senior AQ officials. They also used one email account for multiple users to communicate, writing emails and saving them as drafts so that these messages could not be intercepted.
In 2008, the group Lashkar-e-Taiba (LET) mounted a coordinated series of attacks in the Indian city of Mumbai, resulting in 172 deaths and 308. What marks the LET attacks as special is their use of cyberspace as central to their planning and coordination prior to the attack, and their active use of cyberspace for command and control during the attack itself. It was found that they used Google Earth and mobile phones to gather intelligence and logistical support. As part of their planning, one member of LET, David Headly, visited Mumbai five times, gathering intelligence on locations and targets using GPS, videos and photographs. LET also leveraged cyberspace during the attack itself. In one example, the attackers confirmed a particular target in a hotel through confirmation of the person’s identity with Google. In a second, a tweeted picture from the BBC gave away the location of Indian counterterrorism forces, which helped the terrorists form a counter attack.
4.2.2 Logistics: Training
What marks AQ and so-called IS from other terror groups is their active use of cyberspace to distribute glossy magazines like Inspire, Dabiq and Rumiyah. In addition to recruitment, these magazines are used as proxies for training, including articles like “How to Make a Bomb in the Kitchen of your Mom”. AQ’s Inspire magazine gave instructions for car bombs and attacks on civil aviation. But, to date, there is little evidence that these instructions have been effective in the western countries targeted by AQ – Britain, France, the US etc. This is because car bombs and similar actions are complicated, immediately dangerous and complex – they require a series of steps which must all be successful; it is not so simple to make a bomb in the kitchen. Second, unsurprisingly, making explosives is dangerous to those seeking to make them. And, by and large, making explosives requires past experience, access to particular chemicals and the space to experiment and practice safely, away from possible exposure. Finally, such actions are complex, and are likely to involve more than one or two people to plan and carry them out.
This is not to say that such actions are impossible; the May 2017 bombing attack at the Ariana Grande concert in Manchester is evidence that such attacks can occur. The point is rather that simply providing the information over the internet is not enough. This is borne out by recognition that the Manchester bomber had been in Libya prior to launching his attack and was part of a larger radicalized group. Training people over the internet is not sufficient for complicated and dangerous attacks. A late 2016 edition of so-called IS’ Rumiyah, for example, instructed people to use knives in smaller crowds. This is due in part to the recognition that complex group actions with large scale weapons like explosives increase both the risk of exposure and harm. This indicates that simply posting instructions on cyberspace alone is not sufficient for training.
4.2.3 Logistics: Financing
The ease with which money can be transferred internationally, the rise of anonymous currencies like Bitcoin and the development of hard-to-crack cryptography, suggest that terrorist groups and acts can receive financial support using cyberspace. This is definitely the case with criminal activities more generally – Silk Road, for example, was a website that used the anonymity of virtual currencies like Bitcoin to allow people to trade in illicit and criminal activities, like drugs and assassinations. However, despite its potential, the role of cyberspace in funding terrorism is very limited. So-called IS, for example, have been described as the most well-funded terrorist organization encountered in counter-terrorism. However, the primary funding sources were ‘internal’: Oil, antiquities, loot and extortion/taxes on people and businesses operating in their captured territories. While some funding came from Gulf and European donors, the amounts were relatively small. This could be, in part, due to international cooperation in combatting financial support for terrorism.
4.3 The Informational Dimension: Outreach
In contrast to its use for internal communications, cyberspace also provides ways and means for terrorists to distribute their messages and ideologies and to attract people.
4.3.1 Information and Outreach: Communications
Given the ease with which one can use cyberspace for outreach, it presents a myriad of opportunities for terrorists to produce and distribute their messages. AQ used and uses cyberspace to further their operations and avoid problems associated with the physical distribution of materials. AQ also disliked traditional media outlets editing Bin Laden’s messages and therefore preferred to distribute videos online. They also actively used the internet for both planning of operations and distribution of tactics and explanation of strategy, through online magazines like the Technical Mujahid Magazine.
In 2013, the AQ affiliate Al-Shabab mounted an attack on the Westgate Mall in Nairobi. This attack, “which killed 72, was the first time that a group which had mounted a terrorist operation used Twitter to claim responsibility for it”. Al-Shabab tweeted about its rationale for the attack and operational details of the attack in real time.
4.3.2 Information and Outreach: Recruitment
One of the greatest challenges faced in counter-terrorism is how cyberspace enables recruitment. By 2006, some were arguing that “90 percent of terrorist activity on the Internet takes place using social networking tools. . . . These forums act as a virtual firewall to help safeguard the identities of those who participate, and they offer subscribers a chance to make direct contact with terrorist representatives, to ask questions, and even to contribute and help out the cyberjihad”. So-called IS use social media to target prospective recruits.
Some of the reasons why social media plays such an important role are that these channels are used frequently by their target audience and are both reliable and free. As with communication, the success of modern terrorist groups like so-called IS points to their sophisticated use of social media for outreach and recruitment. The combination of graphic violence, the declaration of a caliphate in Iraq and Syria, and extensive international media coverage in 2014-2015 led to a surge in foreign fighters. Comparing their means to marketers, terrorist groups can view people’s profiles and approach each individual based on that profile.
There are a variety of tools which can be used to facilitate the physical, logistical, and informational conflicts in cyberspace. These tools are used both by terrorists and counter terrorism agencies. Many of the tools discussed below refer to a type of tool rather than a specific instance. These tactics are constantly evolving and becoming more sophisticated. Many of the tools and tactics below can be, and are, used in combination.
A Distributed Denial of Service attack is an attempt to slow or crash a target system. This is accomplished by sending a target system a flood of traffic so that it becomes overwhelmed with data. There are many versions of a DDOS attack with different technical specifications. In a nutshell, an attacking computer generates DNS (Domain Name System) requests with a forged IP address. The forged IP address directs the DNS responses to the victim’s computer (or server, router, etc.). Small requests can generate large responses which overwhelm the victim’s computer, leading to a severely slowed down system or a complete crash.
The most discussed version of this attack is the botnet DDOS attack. In this version many computers, IoT (internet of things) devices, routers, etc. are ‘recruited’ by placing malware on them. Then these become ‘zombies’ which can be controlled by an attacker to generate requests and direct the traffic to the target – or, more simply, to have those zombies continuously ‘visit’ the website. Too much traffic can make even the biggest websites crumble.
In one example, on October 21st of 2016 the Mirai botnet DDOS attack brought down servers operated by the company Dyn which controls much of the internet’s domain name services. This caused websites including Twitter, Netflix, Reddit, and CNN to be inaccessible. The botnet included over 100,000 “zombies” – mostly IoT devices. The attack directed 1.2 Tb of data per second to the Dyn servers – the largest attack on record.
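The forged-source DNS flood described above leaves a recognisable trace at the victim's network edge: large answers arriving from port 53 that no local host ever asked for. The following Python detector is an added example, not part of the original paper; the flow-record format, the addresses (documentation ranges) and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One UDP datagram as seen at the network edge (assumed record format)."""
    ts: float    # seconds since capture start
    src: str
    sport: int
    dst: str
    dport: int
    size: int    # UDP payload bytes


def reflected_sample(resolvers):
    """Constructed attack traffic: each resolver sends two large answers
    to 192.0.2.80, which never sent the matching queries."""
    out = []
    for i in range(1, resolvers + 1):
        for k in range(2):
            out.append(Flow(1.0 + i / 100 + k / 1000, f"203.0.113.{i}", 53,
                            "192.0.2.80", 31000 + i, 3200))
    return out


# Constructed sample capture (not real traffic).
SAMPLE = [
    # Ordinary lookups: query leaves, answer comes back to the same port.
    Flow(0.00, "192.0.2.10", 40001, "198.51.100.53", 53, 60),
    Flow(0.02, "198.51.100.53", 53, "192.0.2.10", 40001, 120),
    Flow(0.50, "192.0.2.80", 40002, "198.51.100.53", 53, 58),
    Flow(0.53, "198.51.100.53", 53, "192.0.2.80", 40002, 140),
] + reflected_sample(4) + [
    # A single stray duplicate answer: unsolicited, but not an attack.
    Flow(9.00, "198.51.100.53", 53, "192.0.2.10", 40001, 120),
]


def find_unsolicited(flows, timeout=5.0):
    """Return DNS answers that match no recent query from their destination."""
    pending = {}       # (client ip, client port, resolver ip) -> query time
    unsolicited = []
    for f in sorted(flows, key=lambda f: f.ts):
        if f.dport == 53:                       # outbound query
            pending[(f.src, f.sport, f.dst)] = f.ts
        elif f.sport == 53:                     # inbound answer
            asked = pending.pop((f.dst, f.dport, f.src), None)
            if asked is None or f.ts - asked > timeout:
                unsolicited.append(f)
    return unsolicited


def flag_victims(flows, min_resolvers=3, min_bytes=10_000):
    """Flag hosts receiving unsolicited answers from many resolvers.

    Requiring several distinct resolvers and a byte volume keeps a lone
    late or duplicate answer from raising an alert (thresholds assumed).
    """
    stats = defaultdict(lambda: {"resolvers": set(), "bytes": 0, "packets": 0})
    for f in find_unsolicited(flows):
        s = stats[f.dst]
        s["resolvers"].add(f.src)
        s["bytes"] += f.size
        s["packets"] += 1
    return {
        dst: {"resolvers": len(s["resolvers"]), "bytes": s["bytes"],
              "packets": s["packets"]}
        for dst, s in stats.items()
        if len(s["resolvers"]) >= min_resolvers and s["bytes"] >= min_bytes
    }


if __name__ == "__main__":
    for host, summary in flag_victims(SAMPLE).items():
        print(host, summary)
```
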
Ransomware is a technique that encrypts an individual’s or institution’s system and demands payment for the keys to regain access. The first step is to infect a system with malicious code which can encrypt an entire hard drive or server. Second, a ransom is demanded by the attacker – usually in the form of a crypto currency like Bitcoin (because Bitcoin is anonymous). Finally, when the ransom is paid, instructions are supplied to the victim which will allow them to regain access to their system or files. Ransomware attacks are on the rise and it is estimated that the market for Ransomware is somewhere around $200 million a year.
Doxing refers to collecting, aggregating and publishing information about an individual without their consent – causing humiliation or embarrassment. Often this is used for blackmail or embarrassment. Examples of Doxing include the theft and posting of nude photographs of celebrities and the blackmail and posting of user information of those who signed up for the adult cheating website Ashley Madison. Terrorists have used this technique by, for example, publishing private addresses, emails, etc. of retired U.S. generals. Criminals and terrorists must first gain access to this information. This is usually done through hacking – gaining unauthorized access to data in a server or computer. In this case a hacker is able to obtain files or documents containing personal information.
Hacking is a broad term referring to someone gaining unauthorized access to a server or computer. There are many techniques, methods, and tools associated with hacking and they are used by both attackers (black hat hackers) and security analysts (white hat hackers). Methods include: dictionary attacks, brute force attacks, port scanning, packet analysing, phishing, etc. I will briefly describe these tools and methods below.
A dictionary attack simply uses a file with a list of words to try as passwords for a user account. Passwords are often quite weak: fifty percent of people use one of the top 25 most common passwords and 1 in 5 people use the password “123456”. Dictionary attacks are therefore quite useful and fast for gaining access to a computer or account. A brute force attack is a fancy way of saying “password guessing”. The attack literally checks all possible combinations of numbers and letters until it succeeds. Computers are able to check passwords very quickly, so short passwords are easy to crack using this method.
Port scanning involves checking for openings into a system. There are many “ports” on computers which listen for messages. For example, port 80 is the port which listens for web requests – when you access google.com there is a server with port 80 which accepts that request and returns the website information to your computer. Some ports can be exploited to gain access to a machine.
Packet analysing refers to the intercepting of data packets which are sent over a network. These packets can be analysed to discover content – like passwords – which can be used to gain access to a system.
Phishing attacks are attacks whereby a hacker tries to act like someone else in order to trick a user into handing over account information. For example, a recent phishing attack sent emails which appeared to come from someone the recipient knew. Attached was a Google document which, if clicked, asked you to give permission to a fake Google Docs application. This then sent out the attack to the recipient’s contact list.
Methods to prevent hacking include: strong passwords, encryption, and awareness. Dictionary and brute force attacks, for example, are not feasible against strong passwords. Good encryption prevents packet analysers from reading intercepted content. Awareness is the only way to stop a phishing attack.
Encryption is a way of scrambling a message so that others cannot read it. In its simplest form we can think of it as a safe protecting a message or some data. You put the message in the safe and then only someone with a key can get access to that message. If you put a file in a ‘zip’ folder, for example, there is an option to password protect the folder. Then only someone with that password can unzip the file.
More common with today’s messaging services is ‘end to end’ encryption. This works by giving each user a set of keys – a public key and a private key. When someone sends you a message they encrypt (lock) the message with your public key. This makes it so only your private key is able to decrypt (unlock) the message. Even the messaging service itself could not read your message. Popular applications like WhatsApp and Signal use this type of encryption. This locking and unlocking using keys happens in the background so that the user does not need to understand what is going on.
Encryption strength is measured by the number of ‘bits’ used to encrypt a message. A 1-bit key has two combinations, a 2-bit key has four, and a 3-bit key has eight, and so on. Basically it is 2^x, where x is the number of bits. Current keys are often either 128 or 256 bit. Every 30 bits makes a key 1 billion times more difficult to crack. This makes 128-bit keys extremely difficult to crack. Even if you were to try 1 billion key combinations a second, it would take about 30 years to crack a 60 bit key. Breaking encryption is exceptionally difficult; however, intelligence agencies have had some recent success. The NSA, for example, has been able to decrypt VPNs (virtual private networks) and Secure HTTP (HTTPS) and there is some research suggesting that digital forensics can access user information from the cloud and mobile phone applications – see more below on this.
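The dictionary and brute force passages above and the key-length arithmetic in this paragraph describe the same quantity, the number of guesses an attacker needs, so one check can cover both. The following Python password audit is an added example, not part of the original paper; the short common-password list, the 60-bit policy floor and the function names are assumptions, and the guess rate is the paper's one billion per second.

```python
import math
import string

GUESSES_PER_SECOND = 1_000_000_000        # the paper's "1 billion ... a second"
SECONDS_PER_YEAR = 365.25 * 24 * 3600
MIN_BITS = 60                             # assumed policy floor, not from the paper

# Constructed stand-in for a real common-password list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "111111", "letmein"}

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def years_to_exhaust(keyspace, rate=GUESSES_PER_SECOND):
    """Years needed to try every candidate in a space of `keyspace` values."""
    return keyspace / rate / SECONDS_PER_YEAR


def key_years(bits, rate=GUESSES_PER_SECOND):
    """Exhaustive-search time for a key of `bits` bits (2^bits candidates)."""
    return years_to_exhaust(2 ** bits, rate)


def password_bits(password):
    """Upper bound on guessing resistance, expressed as an equivalent key size.

    Assumes every character was picked at random from the classes in use;
    human-chosen passwords are weaker than this bound suggests.
    """
    if not password:
        return 0.0
    alphabet = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    # Characters outside the four ASCII classes each widen the alphabet by one.
    alphabet += len({ch for ch in password
                     if not any(ch in c for c in CLASSES)})
    return len(password) * math.log2(alphabet)


def audit_password(password):
    """Reject dictionary hits first, then anything cheap to brute force."""
    if password.lower() in COMMON_PASSWORDS:
        # A dictionary attack finds this within its first few guesses,
        # so length and character mix do not matter.
        return {"verdict": "reject", "reason": "dictionary",
                "bits": 0.0, "years": 0.0}
    bits = password_bits(password)
    years = years_to_exhaust(2 ** bits)
    if bits < MIN_BITS:
        return {"verdict": "reject", "reason": "brute-force",
                "bits": bits, "years": years}
    return {"verdict": "accept", "reason": "ok", "bits": bits, "years": years}


if __name__ == "__main__":
    print(f"60-bit key: {key_years(60):.1f} years to try every key")
    print(f"128-bit key: {key_years(128):.3e} years")
    for pw in ("123456", "abcdefgh", "T7#qLm2!vXz9Rk4&"):
        print(pw, audit_password(pw))
```
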
AQ saw anonymity as a core part of their practice, seeking to instil it in members. Anonymity online can be accomplished by using a TOR network, or by foregoing the surface internet (the one we know – with Google and Facebook) and using the so-called Dark Web. The TOR network “bounces internet users’ and websites’ traffic through ‘relays’ run by thousands of volunteers around the world”. If you visit a pro-terrorist website using TOR, it will be near impossible for someone monitoring the website to know who was visiting and where they are from. TOR is a not for profit originally funded by the US state department. They offer a web browser for anonymous browsing.
TOR also allows one to access the dark web – the web that most users are unable to access. On the dark web there are websites and services which are only discoverable or known to the people who have been told about them – their addresses are secret. A simple example of a dark web website is the WikiLeaks upload system. You can only access their upload system via a TOR browser and by typing in their address (which they have made public): slupld3ptjvsgwqw.onion. Anyone can set up a dark web service or website and only let specific people know about the address. This allows for completely private hosting of a service allowing a small group of people to access it completely anonymously.
4.5 Counter-Terrorism Tools In Cyberspace: Intelligence, Counter-Narratives And Corporate Responsibility
The discussion has so far been focused on the ways that terrorists use cyberspace. Many of the same tools are part of the means of counter-terrorism. TOR, for example, was set up by the US Navy as a way of protecting the communications of US intelligence operatives in hostile regions. One of the most obvious areas where cyberspace directly links to counter-terrorism is in intelligence gathering. This covers the widespread surveillance of internet and telephone communications, social network analysis of who is in communication and connection with whom, and access to a suspect’s digital media subsequent to arrest. However, cloud storage like Dropbox and mobile phone use of encrypted communications tools like WhatsApp and Telegram present some opportunity for digital forensics, though the capacity to reconstruct user activities varies by device type: Android devices allow for more reconstruction than Windows phones, and Telegram offers the least data on users and metadata.
Artificial intelligence (AI) is being used by companies and counter terrorism agencies to gain an advantage in the informational conflict in cyberspace. This can be done by using AI to help identify terrorist accounts on social networks and terrorist content. Using human moderators to classify terrorist accounts and terrorist content and feed these classifications into AI algorithms, AI can detect new accounts and content – preventing them from being created or posted.
Two recent examples illustrate this. First, Google’s Jigsaw program aims to prevent potential ISIS recruits from radicalizing using AI. The program ‘learns’ about what potential recruits search for, and then places ‘ads’ which are displayed to counter the terrorist narrative. These ads include “testimonials from former extremists, imams denouncing ISIS’s corruption of Islam, and surreptitiously filmed clips inside the group’s dysfunctional caliphate in Northern Syria and Iraq.”
Second, Facebook is using AI to prevent terrorist propaganda from ending up on their platforms (including WhatsApp and Instagram). For example, when an image is uploaded to one of Facebook’s platforms it is checked against images previously classified as terrorist propaganda. Given the large amounts of information that need sifting, AI is needed to identify a match. More interestingly, Facebook uses AI to detect new terrorist propaganda. AI will classify an image or video which depicts a beheading, for example. Facebook also uses AI to detect accounts being used by terrorists to spread propaganda. Facebook hopes to use AI to prevent these accounts from being created in the first place.
Cyberspace represents novel challenges and solutions to terrorism in how counter-terrorism agencies can engage with possible targets for recruitment. This is the area of counter-narratives and deradicalisation, often combined under the umbrella term ‘countering violent extremism’ (CVE). One approach seeks to apply a public health model to CVE and terrorism, which looks at primary, secondary and tertiary programs. The primary programs “focus on the prevention of radicalisation. CVE focused prevention programs are designed to educate individuals about violent extremism and to prevent the emergence of conditions, behaviours, and attitudes which may be conducive to the radicalisation of individuals”, whereas the secondary programs “facilitate interventions for those displaying ‘symptoms’ of radicalisation”, while “tertiary-level CVE programs are designed to work with radicalisation ‘after the fact’”. On this model, cyberspace presents options at the primary and perhaps at the secondary levels.
Parallel to this, others argue that effective counter-terrorism practices revolving around cyberspace need to take the potential targets of radicalisation and propaganda into account. “Perhaps the most important method of bringing some conceptual sophistication and clarity to these problems regarding the relation between a terrorist group’s cyber communications strategy and real world terrorist attacks is to shift focus from predominantly studying extremist online content to better understanding the varied and diverse audiences who consume it”.
Another approach is concerned with controlling access to undesirable material. This can be done at the jurisdictional level and the organizational level, and might involve filtering of content, or shutting off services. Combinations of these result in different impacts to cyberspace and access more generally.
At the jurisdictional level, for instance, Turkey shut off access to Wikipedia in mid-2016, while Ethiopia has shut off access to the internet itself three times since 2015. In some countries, controlling access occurs at a range of levels; online expression in China is censored both by blocking thousands of websites as well as blocking material based on keyword.
The political contexts and cultures in which online counter-terrorism activities operate are obviously important, as things like free speech and press freedom vary across political contexts and cultures. Active censorship of the internet in liberal democratic societies, while it does occur, is arguably more contentious and contended: in the US, for example, the First Amendment poses significant challenges to the idea of censoring the internet.
Filtering and removal also occur at the institutional level, with terrorist content being actively removed from social media. Though YouTube, Twitter, Facebook and others have been more active in removing objectionable content from their platforms, following the Manchester attack of May 2017, UK Security Minister Ben Wallace “accused internet giants of being “ruthless money-makers” who have deceived the government over tackling terror online…. Saying that data encryption is allowing jihadist cells to emerge unnoticed [and that the firms need to] spend more of their “billions” on automatically taking down jihadist videos that are radicalising Britain’s youth”.
Building from this point, a third challenge involves corporate responsibility. Given that many of the tools of cyberspace use or rely on private infrastructure and services (YouTube, Twitter, WhatsApp and Telegram, for instance), what are the responsibilities of private companies to reduce terrorist use of cyberspace? Though this may seem simple, the relations between private companies and state security agencies are complex and contentious. One of the big reveals by Edward Snowden was that many internet companies like Apple, Google etc. were working with the US National Security Agency to give access to personal information. In 2016, the FBI and Apple were in a high-profile tussle about the FBI cracking encrypted data on a terrorist suspect’s phone. In 2017, the ‘WannaCry’ ransomware was used, and impacted people and institutions around the world, including many hospitals in the UK. The NSA came under attack as it has been alleged that the hackers originally stole this vulnerability from the NSA. Further, the NSA was accused of knowing about the vulnerability but keeping it secret in case it wanted to use the vulnerability itself. Microsoft President and Chief Legal Officer Brad Smith said “The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits”. Clearly, the responsibilities, capacities, limits and limitations of counter-terrorism practices and policies in cyberspace are complex.
 This addition of ‘malicious intent’ is intended to remove from the analysis unintended or accidental physical impacts enabled by cyberspace (Dipert, 2010).
 TOR is an acronym for “The Onion Router”. TOR encrypts a user’s traffic multiple times (like layers of an onion) and then routes that traffic through randomly selected “relays” (routers which could be located anywhere in the world), each of which decrypts one layer of the original traffic until it arrives at its destination.
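The layering described in the TOR note above can be made concrete with a short simulation, added here as an illustration and not taken from the paper or from the Tor project's code. The relay names, pre-shared keys, destination and the SHA-256-based toy cipher are all assumptions chosen so the example runs with the standard library only; the point is that each relay can remove only its own layer and learns only the next hop.

```python
import hashlib
import hmac

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (illustration only): XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def seal(key: bytes, next_hop: str, payload: bytes) -> bytes:
    """Add one layer: tag || encrypt(len(next_hop) || next_hop || payload)."""
    hop = next_hop.encode()
    body = keystream_xor(key, bytes([len(hop)]) + hop + payload)
    return hmac.new(key, body, hashlib.sha256).digest() + body

def peel(key: bytes, cell: bytes) -> tuple:
    """Remove one layer; returns (next hop, still-wrapped inner payload)."""
    tag, body = cell[:32], cell[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("layer is not for this relay, or was altered in transit")
    plain = keystream_xor(key, body)
    n = plain[0]
    return plain[1:1 + n].decode(), plain[1 + n:]

def build_onion(path, destination: str, message: bytes) -> bytes:
    """Wrap message once per relay, innermost layer first (the last relay's)."""
    hops = [name for name, _ in path[1:]] + [destination]
    cell = message
    for (_, key), next_hop in zip(reversed(path), reversed(hops)):
        cell = seal(key, next_hop, cell)
    return cell

def route(path, cell: bytes):
    """Each relay peels one layer; returns what each relay learned and the payload."""
    trace = []
    for name, key in path:
        next_hop, cell = peel(key, cell)
        trace.append((name, next_hop))
    return trace, cell

# Constructed sample circuit: names, keys and destination are made up.
PATH = [("guard", b"k-guard"), ("middle", b"k-middle"), ("exit", b"k-exit")]
ONION = build_onion(PATH, "example.org:443", b"GET / HTTP/1.1")
```

In the trace returned by `route`, the first relay sees only the name of the second relay and the last relay sees only the destination; no single relay holds both the sender's position and the destination.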