Is the Islamic State a Cyber Threat?
In May, hackers claiming to be affiliated with the Islamic State in Iraq and the Levant (ISIL) released a video threatening a series of cyberattacks against the United States, Europe, and Australia. “Praise to Allah,” a hooded figure with an altered voice began,
Today we extend on the land and in the internet. We send this message to America and Europe. We are the hackers of the Islamic State and the electronic war has not yet begun. What you have seen is just a preface of the future. We are able until this moment to hack the website of the American leadership and the website of the Australian airport and many other websites.
Both the video and ISIL’s threats were generally greeted with deep skepticism by most Western cybersecurity experts. One prominent writer on cyber issues criticized the media’s over-hyped response to ISIL’s claims: “Toss out a shitty video that claims that you do things that you’re not — doesn’t matter, we’ll still overact.” He went on to complain that instead of responding calmly, “we lose our shit,” failing to recognize that ISIL’s cyberattacks have been unsophisticated and were likely perpetrated by “either sympathizers or people doing it for shits and giggles.”
Federal authorities and U.S. planners, however, viewed the threat as something worthy of more than scatological dismissals. The Wall Street Journal reports that when ISIL hackers posted the names, addresses, and photos of U.S. troops on Twitter and urged followers in America to find and kill them, the FBI and Defense Department established 24-hour guards around targeted service members. More significantly, U.S. forces recently conducted a targeted drone strike in Raqaa, Syria, reportedly killing Junaid Hussain, a British citizen in his early 20s believed to be a leader in the terror group’s hacking division.
In the wake of Hussain’s death, it is worth considering whether or not ISIL’s cyberwarfare efforts are cause for concern. Are they dangerous enough to necessitate a separate line of effort, even warranting kinetic operations targeting key figures in the group’s cyber division? Or, to paraphrase one expert, would we be better off keeping our shit together and focusing on other aspects of ISIL’s threat to U.S. national security?
As Israeli cyberwar expert Gabi Siboni notes, ISIL’s “main effort to date in cyberspace has focused on psychological warfare by generating fear through flooding the internet with video clips portraying the brutal acts of beheading and mass executions.” ISIL’s media arm Al Hayat has produced hundreds of films — including many high-quality productions involving Hollywood-style techniques and special effects — to promote the group’s propaganda. The militants are adept at spreading their message using Western-based social media sites such as Twitter, Facebook, Tumblr, YouTube, Instagram, and SoundCloud. ISIL has a vast network of “fanboys” who watch social media and disseminate the group’s online propaganda, and it is estimated that ISIL’s followers have at least 46,000 accounts on Twitter, allowing it to disseminate links to digital content hosted on other online platforms. If their accounts get closed down, they simply register under new names. ISIL has also cleverly organized “hashtag campaigns” to raise its online profile and uses social media “bots” to hijack popular hashtags, as it did with #Brazil2014 during the World Cup. Thanks in large part to these Twitter and Facebook campaigns, thousands of Westerners are now fighting for ISIL in Syria and Iraq, and many who cannot reach Syria have attempted “lone wolf” attacks in their homelands.
Although the jihadists’ skill at conducting information operations has thus far outstripped their capacity for cyberwar, they have executed several high-profile attacks online. This January, on the same day President Obama delivered a major address on cybersecurity, ISIL-affiliated hackers seized control of CENTCOM’s official Twitter and YouTube accounts. The self-proclaimed “CyberCaliphate” has also since hacked Newsweek’s Twitter account and replaced live programming on France’s TV5 Monde with pro-ISIL propaganda. In July, a group of hackers claiming affiliation with ISIL took down the Syrian Observatory for Human Rights’ website and threatened its director. And in the August incident that put the FBI and DOD on alert, the “Islamic State Hacking Division” claimed responsibility for hacking into the social media accounts of hundreds of U.S. military personnel and published lists of 1,481 names, departments, email addresses, passwords, and phone numbers, warning: “We are in your emails and computer systems, watching and recording your every move, we have your names and addresses, we are in your emails and social media accounts, we are extracting confidential data.”
Other cyber “attacks” claimed by ISIL, however, constitute more sizzle than steak. A previous “hit list” posted by the Islamic State Hacking Division in March turned out to be merely a compilation of names and addresses gleaned from Google, rather than the result of a cyber-intrusion. Meanwhile, French authorities investigating the TV5 Monde attack have attributed it to a group of Russian hackers known as APT28 who had previously targeted the White House and the computer systems of NATO members. Thus, while occasionally dramatic, ISIL’s cyberattacks have, at best, consisted of little more than rudimentary website defacements.
This does not mean the terrorist group does not merit monitoring as a potentially serious cyberwar threat, however. There are at least three reasons why ISIL’s efforts to grow a cyberwarfare capability should be closely monitored. First, whereas building a conventional army or a missile program requires extensive resources, the costs of acquiring a significant cyber capacity are low enough to allow weaker states — or non-state actors — to obtain capabilities that threaten U.S. interests. Terrorist groups like ISIL may lack the educational institutions or technological resources of nation-states like China or Russia with which to produce large numbers of advanced cyberwarriors. But the abundance of hacking talent available on the dark net means they can either hire the services of hackers from criminal groups around the world or buy sophisticated zero-day attacks to deploy themselves. David DeWalt, former chief executive of McAfee, concurs: “Offensive tools are so available that sometimes they can be purchased on eBay, and sometimes on the dark net. It takes thousands or tens of thousands of dollars; it doesn’t take a lot of means or expertise.” This is particularly troubling where ISIL is concerned, given that the terrorist proto-state is reportedly earning $1–2 million per day through illicit oil sales. The chairman of the House Homeland Security Committee’s cyber subcommittee, Rep. John Ratcliffe (R-TX), cautions that ISIL is “taking a significant percentage of those profits right now to recruit hackers.”
Junaid Hussain is a good case in point. Operating under the handle “TriCk,” Hussain was part of a British hacking collective called Team Poison that claimed responsibility for a number of significant breaches, including hacking into the Scotland Yard telephone system. He was convicted of hacking offenses in 2012, but after his release in 2013 he jumped bail for another offense and fled to Syria, eventually joining ISIL. Closer to home, last week 17-year-old Ali Shukri Amin of Manassas, Virginia, was sentenced to 11 years in prison for providing information on encryption and Bitcoin to potential ISIL recruits. Although neither Hussain nor Amin quite rises to the level of cyber threat that could, or even legitimately seeks to, bring America to its knees — something akin to Javier Bardem’s character in Skyfall — they are representative of the tech-savvy Western recruits ISIL seeks. Indeed, in ISIL’s e-book outlining its plan to destroy Israel, Black Flags From Palestine: Magic, Deception & War, the terrorist group praises Edward Snowden and predicts tech geeks will be among the converts helping the Islamic State in the cyber battle.
Second, even if ISIL’s manifesto subtitles are risible and its previous cyberattacks rudimentary, this does not mean the group’s cyberwarfare capacity will remain in a primitive state indefinitely. Like ISIL, Iran’s cyber efforts began as a concentrated program to conduct information operations promoting the Iranian government’s political narrative online in response to the 2009 Green Movement and to restrict Iranians’ internet access during the uprisings. Whereas prior to 2012, Iranian cyberattacks were largely limited to simple website defacements, Iran’s “Izz ad-Din al-Qassam Cyber Fighters” created the “Brobot” botnet for 2012’s “Operation Ababil” targeting American banks such as Citigroup, JP Morgan Chase, and Bank of America. This botnet attacked at a rate of 50 million packets per second, a figure dwarfing the 2007 Russian cyber-militia attack that crippled Estonia. In 2013, Iranian hackers infiltrated the U.S. Navy’s unclassified Intranet, an incident which one former U.S. official described as “a real eye-opener in terms of the capabilities of Iran to get into a Defense Department system and stay in there for months.” These advances prompted security firm Cylance to dub Iran “the new China”. This is telling given that both Chinese and Iranian hackers started with simple website defacements similar to the CyberCaliphate’s, before moving on to more sophisticated and destructive attacks. Thus, it would be dangerous to assume ISIL’s cyber capabilities will always remain undeveloped.
Finally, cyberattacks theoretically allow potential adversaries to bypass America and its allies’ conventional military superiority in order to directly attack civilian infrastructure and economic targets. To be sure, there are actors in the cyber arena (i.e. Russia and China) who likely have the capability to initiate a “catastrophic” cyberattack — one that causes physical damage and loss of life, or strategic damage to the U.S. economy. Yet both nations’ economies are sufficiently integrated with America’s that a catastrophic cyberattack on U.S. infrastructure would risk a pyrrhic victory in which they would also suffer economic damage. Consequently, they do not have the intent to conduct such attacks, and instead have focused primarily on cybercrime or stealing U.S. military secrets. Conversely, Assistant Attorney General for National Security John Carlin warns that ISIL, “along with other terrorist groups … [has] declared [its] intent to use cyber-enabled attacks.” Although ISIL currently lacks Russia or China (or Iran’s) technical capabilities in the cyber arena, it does not face any restraints or deterrents that prevent it from pursuing a “total war” strategy. There is ample evidence that ISIL believes it is fulfilling Islamic End Times prophecies, and it has demonstrated that it is comfortable with committing nihilistic violence against non-combatants. The only constraint on ISIL’s use of violence thus far appears to be its relatively limited capabilities. Hence, if ISIL were to gain a significant offensive cyber capability, it stands to reason that none of the factors that restrain China and Russia from conducting catastrophic cyberattacks against U.S. infrastructure would apply.
Ultimately, ISIL’s cyber threat falls somewhere in between the nonchalance with which its propaganda has been greeted and the catastrophic scenarios envisioned in warnings of “cyber 9/11.” At present, the real danger of ISIL’s cyber efforts is that the group could inspire and facilitate symbolic attacks against U.S. service members. Preventing domestic attacks and reversing ISIL’s gains in Syria and Iraq must remain the priority of effort in the U.S. campaign against the terror group. Yet it would be a mistake to dismiss ISIL’s hackers as the jayvee team of cyberwarfare and assume the threat they pose will remain static. In addition to the five mutually reinforcing lines of effort “to degrade and destroy ISIL” set forth in September 2014, a sixth line of effort to monitor and counter its cyber efforts should be added. This would potentially include offensive technical measures against its social media networks, better monitoring of the group’s efforts to recruit or rent skilled hackers via the “Dark Web,” and the intelligence sharing necessary for the identification and arrest of hackers either sympathetic to or cooperating with ISIL. But most importantly, the computer networks upon which U.S. critical infrastructure depends must be made more cybersecure in preparation for the day ISIL’s cyberwar capabilities match their intent. Although the effort to improve cybersecurity in both government and the private sector has been ongoing for over a decade, the persistent flood of headlines trumpeting the latest major cyberattack — from Target, to Sony, to OPM — demonstrates America still has much to do in this endeavor.
Benjamin Runkle is a former Defense Department official, Director on the National Security Council, and Professional Staff Member on the House Armed Services Committee. He is the author of Wanted Dead or Alive: Manhunts from Geronimo to bin Laden.
Photo credit: Colin