Euro Security Watch with Mathew J. Schwartz

Cybersecurity, Encryption, Forensics

Attacks in Paris: The Cyber Investigation

Police Launch Cyber Investigation Into Paris Terror Strikes
Paris, near Place de la République (Source: Mathew Schwartz)

Police and intelligence officials in France and Belgium, as well as across Europe and the United States, have begun working together to identify and disrupt the network of people that planned, supported and launched the Nov. 13 terror attacks in Paris that left at least 129 people dead. Experts say investigators are already sharing and reviewing communications and surveillance data to help police capture members of the network of people who facilitated the attacks.

The coordinated attacks in Paris targeted multiple locations, including the Stade de France - where French President François Hollande was attending a soccer match - as well as locations in a variety of vibrant, multicultural neighborhoods regularly thronged with Friday-night revelers, including areas around Place de la République and the Boulevard Voltaire.

Hollande has characterized the attacks as being "an act of war" carried out by the Islamic State terror group, also known as ISIS or ISIL, and has launched military strikes against its northern Syrian stronghold in Raqqa. To date, the group has operated primarily in Syria and Iraq, although it recently claimed credit for downing a Russian airliner over Egypt that killed all 224 people on board.

The association of European police agencies known as Europol says it is assisting French authorities with their investigation. "Europol strongly condemns the attacks in Paris," it says. "The agency has offered its full assistance to the French authorities and is currently providing active support to the ongoing investigation."

"The main task now is to try to find out who comprises the extended network of those who pulled the triggers and set off the bombs," University of Surrey computer professor and Europol cybersecurity adviser Alan Woodward tells me, noting that he cannot offer full details of related investigatory tactics. "Whilst there has been much talk of the seven or eight [attackers], they would not have been able to conduct this horrible exercise without significant assistance and support from others. In many ways it is those who have the more detailed technical expertise of, for example, bomb making, that the authorities need to find in order to prevent them enabling another group from conducting similar atrocities."

Seven suicide bombers died in the attacks, and French and Belgian police are mounting a cross-border manhunt for an eighth suspect, 26-year-old Salah Abdeslam. Officials say he is the brother of two of the dead attackers and that he was "directly involved" in the attacks.

As The Wall Street Journal notes, the Nov. 13 attacks showed a much greater degree of sophistication and coordination than was seen in the January attacks in Paris that targeted the satirical newspaper Charlie Hebdo and a kosher grocery store, which were perpetrated by supporters of the Islamic State (see Paris Attacks: The Cyber Investigation).

Manhunt Underway For Eighth Suspect


French and Belgian police are seeking an eighth suspect they say was "directly involved" in the Nov. 13 terror attacks.

Surveillance Powers, Limits

The January attacks led Hollande to push for sweeping new surveillance laws, which some likened to the U.S. Patriot Act (see Europe Seeks More Mass Surveillance). Even so, French counterterrorism officials have warned that there is no easy way to battle the new breed of AK-47-toting gunmen who since 2014 have launched attacks not only in Paris, but also Brussels, Copenhagen and in the capitals of Mali and Tunisia, The Wall Street Journal reported.

The January attacks also impacted surveillance-related discussions underway across Europe and the United States, as last week's terrorist attacks will no doubt do now. The United Kingdom, for example, is now debating the length of time that communications-related data should be retained and made available to police and intelligence agencies (see U.K.'s Snowden Response: Surveillance Debate).

Tracking Communications

In the wake of the Nov. 13 attacks, police and intelligence services will now be attempting to map the network that supported the perpetrators. To make this happen, Woodward says there will be "intense collaboration" behind the scenes among countries, sharing communications data and other surveillance-related information.

"A key part of tracking these terrorists' 'enablers' is to look for communications - and other electronic links - between those now known and the as-yet-unknown," Woodward says. "It is for that very reason that the U.K. government wants records kept for a year so that they can go back through them and look at the run-up to events such as the murders of last Friday. If you don't have the historical data, you can't conduct this kind of analysis." And for anyone who's been identified as a "person of interest," police will then use "good old-fashioned police work" to see if they were involved, he adds.

Officials in the United States and Europe have reported that the Paris attackers communicated with known Islamic State members in Syria in the lead-up to the attacks, The New York Times reports, which suggests that rather than just inspiring the attackers, the Islamic State may have been directly involved.

The Encryption Debate

Woodward cautions that if related police investigations find evidence that terrorists used encrypted communications, that should not be used as an excuse to call for encryption to be outlawed or to try to restrict access to the anonymizing Tor browser.

In fact, the use of encrypted communications - or using hidden messages, which is known as steganography - can sometimes tip off intelligence and law enforcement agencies to suspicious behavior. "Encryption doesn't stop link analysis [from] working," he says. "If anything, by encrypting messages it draws attention to those messages. A bigger concern is something like Tor or steganography which frustrates - but doesn't necessarily defeat - effective link analysis."



About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.
