We’re hearing mixed reports on the Islamic State’s supposed tech savvy. But does it even matter?
Last August, 21-year-old British-born Pakistani Junaid Hussain logged into the Islamic State Hacking Division’s Twitter account to post a new message. “NEW: U.S. Military AND Government HACKED by the Islamic State Hacking Division!” Hussain wrote, adding a link to a 30-page document.
“[W]e are in your emails and computer systems, watching and recording your every move, we have your names and addresses, we are in your emails and social media accounts,” the document read, according to a U.S. Department of Justice statement. “[W]e are extracting confidential data and passing on your personal information to the soldiers of the khilafah, who soon with the permission of Allah will strike at your necks in your own lands!” The rest of the document listed page after page of names, email addresses, passwords, locations and phone numbers for more than 1,350 American military and government personnel.
While Americans trembled to read the messages, experts shrugged off the cyber terrorist attack and others like it as as unsophisticated. Media and intelligence agencies found that documents containing much of the government personnel data from this and other similar “hacks” were publicly available, just a few Google searches away. Data dumps and Twitter hacks can’t match up to the U.S.’s recent debut of “cyber bombs” against Islamic State fighters. But does it matter?
Yes, the terrorist network’s disorganized, underfunded guerrilla cyber jihadis are no match for the NSA’s highly-trained and equipped army — but our total reliance on a massive technology infrastructure might make us even more vulnerable whenever Islamic State recruits hit upon a winning strategy. In other words: our advanced cyber skills may come back to bite us.
The Internet underlies virtually all of America’s critical infrastructure activities, including military, defense, commerce, finance, energy, transportation and healthcare. “[O]ur reliance on things like satellites and the Internet has led to real vulnerabilities that our adversaries are eager to exploit,” Defense Secretary Ash Carter said at a technology forum in September 2015. Attempts by terrorists at penetrating our power grid, industrial control systems and financial transactions are inevitable. A 2015 USA TODAY analysis of federal energy records found that part of the nation’s power grid is struck by a cyber or physical attack about once every four days. But the Internet of Things, increasing interconnectedness of technology, and rise of drones and self-driving cars will make the U.S. even more vulnerable to being hacked. A smartly-targeted, asymmetrical attack could bring the country to its knees.
Is the Islamic State capable of producing such a destabilizing feat? The consensus among cybersecurity experts and defense officials is a resounding no. The young men behind the “hit list” of U.S. military and government personnel were two of the Islamic State’s most advanced hackers. And both are now out of the picture: Junaid Hussain was killed in an American drone strike on Syria later that month, and his accomplice Ardit Ferizi has been extradited to Virginia, where he faces up to 35 years in jail. In December, online threat intelligence company Recorded Future told the New York Times that it has seen no indication that the Islamic State’s cyber operations have recovered from losing Hussain and Ferizi. The Times also spoke to security researchers, who said the Islamic State’s cyber capabilities are not much more sophisticated than those of your average teenage amateur hacker.
But while the Islamic State’s operations may be insufficient to strike such a strategic blow currently, experts and officials say we cannot afford to get cocky. While the Islamic State’s hacking groups are still operating unofficially with with little funding or organization, a new report from Flashpoint finds that the merge of several previously disparate pro-ISIS hacking collectives into the new United Cyber Caliphate is of “high concern.”
“Until recently, our analysis of the group’s overall capabilities indicated that they were neither advanced nor did they demonstrate sophisticated targeting,” Laith Alkhouri, Flashpoint’s director of Research & Analysis for the Middle East and North Africa, told media in a statement. “With the latest unification of multiple pro-ISIS cyber groups under one umbrella, there now appears to be a higher interest and willingness amongst ISIS supporters in coordinating and elevating cyber attacks against governments and companies.”
That’s in line with what defense officials are saying. Adm. Michael Rogers, commander of U.S. Cyber Command, warned the Senate Armed Services Committee this month that it “would not be difficult” for ISIS to conduct cyberattacks on critical U.S. infrastructure. “It’s not beyond their ability if they made that decision,” he said, though they do not yet “view cyber as a weapon system.” That very real threat, combined with the small-scale, unadvanced Islamic State attacks we see sprinkled throughout the country, create a culture of anxiety where amateur hacks of Twitter accounts can cause disproportionate fear.
In the end, that’s what terrorism is about.
