In light of the recent major terrorist attacks - both the siege in Paris and the downing of a Russian airliner on the Sinai Peninsula – concerns about ISIS and its seemingly growing capabilities have been a major topic of discussion. The Paris attacks have sparked a host of coverage of issues surrounding encryption and terrorist operational security measures, but a slightly different – though related – question of importance is whether ISIS has been developing increasing cyber capability. Depending on whom you ask, either “we needn’t fear the Isis hackers” or it “would be a mistake to dismiss the Islamic State's hackers.” So which of these opinions is correct?
A recent and interesting report by researchers commissioned by the US Military - SOCCENT (Special Operations Command Central) - compared ISIS to a host of jihadist organizations and regional affiliate groups around the world on several axes including marketing/branding, attack sophistication, leadership and human capital, and finally cyber sophistication. On all of these characteristics – notably cyber sophistication – ISIS scored as the highest or most unique. So there is evidence to suggest that ISIS is somehow working at an advanced level – at least relative to those groups it is competing with ideologically - on the capabilities that make up “cyber sophistication.” Others have attempted similar comparative analysis of terrorist cyber capabilities.
Two points of note:
1) It is important to distinguish ISIS – the organization – from individuals and organizations sympathetic to ISIS. Though all can contribute to the aggregate effect of ISIS cyber capabilities, they are in fact different.
2) It is also important to distinguish varieties of organizational use of information technology – ISIS, and its partisans, use the internet and computers for propaganda, for defensive purposes (i.e. operational security measures like the use of encryption) and, potentially, for offensive purposes or “attack” (i.e. the use of Malware to unmask enemies). These are different in fundamental ways, and it is not clear that capabilities in one domain necessarily reflect capabilities in another.
ISIS vs. Sympathetic Hackers and Hacktivists: Blurry Lines and Shared Capabilities
JM Berger, one of the most knowledgeable people following the online presence of ISIS says that “ISIS has been recruiting hackers for some time now…” This is part of a broader drive to recruit technocrats and technically minded members of numerous stripes. It is also important to note that while Berger may be correct and ISIS itself may indeed be developing such cyber capabilities internally, there is in fact a broader constellation of organizations and individuals that, while perhaps not part of ISIS per se, can provide the organization with significant cyber capabilities.
Perhaps the clearest example of this comes in the form of Junaid Hussain, sometimes called Abu Hussain al-Britani, who appears to have been killed in an airstrike in Syria last August. Hussain was considered a major figure in several cyber-focused organizations in the ISIS orbit including the Islamic State Hacking Division, Cyber Caliphate and TeaMp0isoN, an organization Hussain founded. He was a prolific hacker in his teenage years in the United Kingdom, and conducted attacks ranging from telephonic denial of service attacks on the Metropolitan Police Services’ terrorism hotline, breaching email accounts of government officials and stealing personal information, and breaching and recording sensitive phone conversations of law enforcement officials involved in computer crimes investigations. It was later, after a short stint in a British prison that Hussain made his way to Syria where he served as an ISIS propagandist and was ultimately killed. There has been at least some speculation that Hussain and his type of expertise could be tied to some of ISIS’s more sophisticated offensive cyber efforts, as well as to some high profile cases like the CENTCOM twitter hijacking.
Hussain seems to have moved from an enthusiast and advocate to an actual part of the ISIS cyber and media team over time, having served both as part of the constellation of partisans as well as part of its actual organization. The sorts of “cheerleaders” and “freelancers” that Hussain initially represented are important for thinking about the development or adoption of capabilities by an organization like ISIS. While Berger points out that ISIS is attempting to recruit such hacking talent to their organization, these affiliated and sympathetic hackers may do much to supplement those capabilities.
Propaganda vs. Defensive vs. Offensive Usage of Cyber
There is no question that ISIS has a sophisticated online presence for propaganda and social media. This has been documented in a host of ways – from fascinating press coverage of their extensive media teams by the Washington Post, to in-depth studies of their vast presence on Twitter by researchers at Brookings. There is little debate about how sophisticated the ISIS social media and recruiting infrastructure has become, in fact those efforts were extensively described in several pieces in a recent special issue of the journal Perspectives on Terrorism dedicated to the Islamic State. The Post also notes that media officials are given ranks comparable to military leaders, suggesting that ISIS is not merely good at crafting its public message, but takes the role as seriously as it does its military operations. It is worth noting however, that even ISISs command of social media remains imperfect.
It is then in the areas of the defensive and offensive use of cyber that the real questions lie. There seems to be increasing evidence of the many ways in which ISIS, its cadres, and its supporters use cyber capabilities in a defensive context. Some of the best documentation of this comes from those organizations that monitor jihadi media. For example, MEMRI has documented messaging from ISIS to followers suggesting a host of encrypted apps be used for communications ranging from SureSpot, to Wickr, to Kik to Telegram. This kind of operational security is not new, as earlier MEMRI reporting showed efforts to instruct recruits and sympathizers on how to establish hard-to-trace social media accounts, to use The Onion Router (TOR) and to mitigate the threats associated with mobile devices that have Global Positioning Systems embedded in them.
Beginning with issue three of its English-language magazine Dabiq, ISIS began including a public key for encrypted communication with its media wing Al Hayat. This is hardly new or surprising. In 2010 the inaugural issue of Al Qaeda in the Arabian Peninsula’s Inspire magazine featured a section entitled “How to Communicate With Us” that included numerous email addresses, but more importantly a public key for the Asrar al Mujahideen encryption program. Asrar al Mujahideen has been discussed publicly since its 2007 release by the Global Islamic Media Front (GIMF); and as such the embrace of encryption tools by jihadist terrorists dates back at least a decade.
The think tank Demos in the United Kingdom has also offered some analysis of the defensive use of cyber by the Islamic State, and their attempts to evade surveillance. It is also worth noting that the SOCCENT commissioned research paper, noted earlier, describes cyber sophistication in terms that seem to focus overwhelmingly on the propaganda and defensive elements of cyber:
“The Cyber Sophistication of ISIL shows the expertise and diversity of their cyber and media team. After profiling this group’s use of cyber technologies for over a year, we have determined that they use a variety of technological platforms, diverse languages, and tailored messaging. The cyber technologies facilitate internal coordination (e.g., command and control) and focuses information flow externally with the broader Umma and potential foreign fighters (see section on Cyber Capabilities). “
Thus, the biggest questions moving forward will be whether ISIS can or does develop meaningful offensive cyber capabilities. Unfortunately, the initial evidence is more than a bit worrying.
The seemingly starkest indicator is information that has come to light surrounding a malware campaign targeting enemies of ISIS in the Syrian city of Raqqa. This campaign, described in some depth by the Citizen Lab at the University of Toronto, suggests that ISIS - or an organization sympathetic to it - is using malware delivered through social media to find identifying information about critics and other enemies of ISIS. This campaign targeted a citizen media organization that has attempted to document the abuses and atrocities ISIS has committed in Raqqa using a “customized digital attack designed to unmask their location.” While Citizen Lab was not able to definitively attribute the attack to ISIS, they did say that the malware “differed substantially” from that used in similar campaigns that the Assad regime has conducted.
Indicators like this, combined with the arguably “offensive” actions undertaken by hackers like Junaid Hussain suggest that, at least at the lower level, such capabilities are either already available to ISIS or are only a few recruitments away. At the more complex level though, the question is far less clear – and frankly some of the rhetoric surrounding the question may not be helpful.
Headlines like “Islamic State Terrorists Plotting to Kill Brits in Sophisticated Cyber Atatcks, Says Osborne” are certainly shocking and draw attention. What is less clear is whether, in fact, ISIS has either the intent or the capability to grow its cyber expertise to a level of sophistication that would enable more complex offensive cyber attacks, like those that could potentially result in the loss of life. Does it make sense to invest in cyber capabilities when attacks like those in Paris and Sinai seem to accomplish so many of the organizations goals? The targeting of infrastructure for cyber attack or electronic disruption that results in physical damage is neither new, nor does it necessarily require the technical sophistication of a nation state; that said it is also much harder than is often imagined or described, and the capability to use social media and defensive cyber tools for operational security effectively is decidedly not the same as the ability to use offensive ones. Either way, it is an issue that concerns the US Attorney General moving forward.
In the interest of avoiding threat inflation, it is important to avoid equating success and sophistication in one area of the employment of information technology (say the leveraging of social media) with success and sophistication in another (like conducting offensive cyber operations). It’s simply not the case that those organizations that excel in public messaging on social media are necessarily going to be able to leverage their broadly defined “cyber capabilities” for the offensive capacity to conduct cyber attacks. Numerous analysts have warned against this tendency to conflate these threats; yet it continues to occur, often implicitly.
That said, while the skies are not as gloomy as the Cassandras might suggest, neither are they as clear as the skeptics are fond of suggesting – a range of non-state actors are increasingly able to leverage a mix of off-the-shelf attack tools, “freelance” and “cheerleader” hackers and hacktivists, and real internal capabilities to offer up progressively more sophisticated cyber attack capabilities. Among non-state actors, few are angrier, more capable, and more dangerous than ISIS. This is a real challenge, and one that is only likely to become more pronounced.