war on the rocks

Killing Jihadist Hackers Sets a Flawed Precedent

February 2, 2016

For much of the early 2000s, the worst job in terrorism was “Al Qaeda’s third-in-command.” During one hot streak, as Timothy Noah reported, the United States killed four of the men in that seat in as many years. Today, in one sign of how much warfare has since evolved, individuals who lead Islamic State hacking efforts have an even shorter life expectancy. With the recent announcement that a U.S. airstrike killed Siful Haque Sujan, described by CENTCOM as a British-educated systems engineer, two of the group’s “cyber experts” have been successfully targeted in the last four months alone.

While their battlefield impact will be minor, these strikes are the first known cases in which hackers have been deliberately killed in wartime — and they set a flawed precedent.

For years now, experts have debated how to address the role of hackers in armed conflicts. Much attention has focused on responding to cyber operations that resemble the use of force: the sabotage of a dam or electrical grid, say. When the Tallinn Manual — a study of key legal issues in cyber-warfare commissioned by NATO — drew press in 2013 for suggesting that civilians who take part in that kind of digital disruption can lawfully be targeted, Professor Michael Schmitt, who directed the project, made clear that he didn’t have low-grade hacktivists in mind. “I can assure you NATO is not going to launch jets to hunt down Anonymous members tomorrow,” he told Mother Jones.

The digital wing of the Islamic State resembles Anonymous more than it does a sophisticated cyber-warfare service. Still, the United States has launched jets to hunt it down all the same. This may be lawful, but it reflects a poor strategic playbook for future conflicts. More and more, state and pseudo-state actors will draw on digital irregulars: patriotic or jihadist hacktivists, civilians with spare time and a working knowledge of the Internet. The anti-Islamic State coalition is setting a model for those wars, whoever fights them. And under the standard set by recent strikes, oceans of amateurs would crowd kill lists. From the evidence available, lethal action seems to have been taken too quickly.

Neither of the Islamic State members targeted was especially sophisticated (or as the security researcher who goes by “the Grugq” put it, “Cyber Terrorists Can’t Cyber”). Sujan inherited his “top hacker” title from Junaid Hussain, whose capabilities — we’ve argued before — were often overstated in media reports. While Hussain had enjoyed some notoriety for a string of nuisance attacks, both before and after he enlisted with the Islamic State, none of his activities posed a grave threat to anyone’s national security.

Sujan, who the Pentagon said was “supporting [Islamic State] hacking efforts, anti-surveillance technology and weapons development,” doesn’t seem to have been much more talented. Granted, it’s difficult to inventory the toolkit of a blackhat whose achievements are filtered through jihadist propaganda on the one hand and CENTCOM press releases on the other. “Anti-surveillance technology,” for example, could be a reference to the operational security manuals that the group distributes — and plagiarizes — or to reports that the militants are building custom encrypted applications.

Still, neither activity is very concerning right now. In the second case, Sujan’s work may have been a boon to the American-led coalition. Secure communications are notoriously difficult to implement well, and it’s unlikely the Islamic State has managed to do so using the small technical workforce it has on hand. It’s difficult, in that case, to imagine a better target for the National Security Agency than amateur encryption used only by terrorists.

By the same token, it’s hard to know what Col. Steve Warren meant by “weapons development,” but most interpretations would involve the Islamic State wasting its resources. Most digital capabilities that the group could want would be better bought than developed indigenously. Trying to design homegrown malware would be a poor use of its time and human capital, a hobby that the United States and allies have little reason to fear. And while the militants have the funds to finance more ambitious capabilities, a concern worth keeping in mind, nothing to date suggests that such an effort is underway.

In short, technical skills alone don’t make the case for prioritizing strikes on Sujan and Hussain. Now, it may be that their cyber operations played a smaller role in the targeting decisions, behind closed doors, than they have in public comments. Hussain was also active in social media recruiting and incitement; Sujan, for his part, had an undefined role involving “external operations.” Unfortunately, intentionally or not, the Pentagon has let the media run away with the impression that the pair were killed for their hacking. This is one of several respects, as Scott Englund recently argued at War on the Rocks, in which the opacity of the targeted killing campaign can generate unintended narratives about American priorities. Here, the effect is to elevate the profile of radicalized hackers.

In the near term, this seems like a tactical error. For one, Sujan and Hussain may well be more valuable to their organization as martyred examples than as living, breathing assets. Neither had a skill set that would be irreplaceable for a group with the Islamic State’s recruiting reach; if anything, their deaths will likely nudge more recruits to review resources like Anonymous’ “Noob Guide” to hacking. Nuisance attackers will proliferate.

What’s more, both likely would have been valuable to the coalition as targets for SIGINT collection. “Now that he’s dead,” Col. Warren said in the Pentagon’s announcement, referring to Sujan, “[the Islamic State] has lost a key link between networks.” If that’s true, he could have been usefully left in place, his devices exploited, and his communications tapped. Insofar as Islamic State “hackers” are nodes in the group’s network, they should be leveraged to map the more directly belligerent sections of that web. Western governments have been erring on the wrong side of a similar debate about jihadist recruiters on social media, who, once banned, become all the harder to track.

In the long term, this approach — if it is a systematic approach — will be strategically untenable.

In more and more wars with a digital component, these low-skilled sympathizers will outnumber talented, enlisted hackers, the kind capable of life-threatening disruption. A capacity to discriminate between the two will be essential to any war-fighting effort. If nothing else, there comes a point at which killing “script kiddies” is disproportionate; the bar set by recent targeting decisions seems too low. Primitive cyber operations alone — website defacement, denial of service attacks, the malicious disclosure of personal information — generally won’t merit a kinetic reply.

But from a practical point of view too, countering hacktivist affiliates will take more intelligence than force. Like Anonymous, these digital auxiliaries will tend to be heterogeneous, distributed across national borders, and only loosely tied to command-and-control structures. Because their tools and scripts are easily shared, drone strikes won’t much diminish their capacity to cause mischief. This sort of collective is anti-fragile; no individual member is so important that their death would tip it into collapse.

Managing the threat they pose will take the kind of strategic patience that law enforcement agencies show when rolling up cybercriminal networks. To catch underworld hackers, the FBI and its international partners tend to emphasize thorough intelligence gathering followed by mass, simultaneous raids. The effect is to rip out bad actors at the roots, an approach that makes it more difficult for their organizations to regenerate. In a wartime context — where detention may be impractical and assassination excessive — disabling or wiping target devices en masse would be an analogous strategy.

By countering nuisance with nuisance, in essence, states can prevent hacktivists from maturing beyond modest capacity — at lower tactical or strategic cost than airstrikes incur.

For now, these considerations won’t make or break the war on the Islamic State any more than the group’s computer experts will shape the rise and fall of their caliphate. But the effort to blunt the militants’ digital arm will set a model for future operations, in which amateur hackers will increasingly engage larger powers in low-grade digital conflict.

Today, the United States’ playbook for countering them leans too heavily on kinetics. With a dose of perspective, this war could be the proving ground for a smarter approach.

Meg King is Director of the Digital Futures Project at the Wilson Center. Grayson Clary is a Research Associate with the Digital Futures Project. The views expressed are their own.

Photo credit: Kiran Foster (adapted by WOTR)