Experts say the Islamist militants' social media savvy doesn’t translate into a real cybersecurity threat against the U.S.
The Islamist militants who have taken over swathes of Syria and Iraq have proven remarkably adept at using 21st century technology.
In the Islamic State of Iraq and Greater Syria’s (ISIS) drive to establish what it calls a new caliphate, the group has gathered between 20,000 and 31,500 fighters, partly thanks to its recruitment campaign over social media networks like Facebook, Twitter and YouTube. Widely disseminated video footage of executed American and British citizens have become ISIS’s tools for terror; the Internet is ISIS’s vehicle.
Today, ISIS’s adroit use of modern technology is raising a new specter: cyberterrorism. Several prominent national security experts and cyber analysts warned this week that ISIS could someday threaten the United States, elevating fears about the West’s vulnerability to a cyberattack.
“ISIS has already had success in utilizing technology, using the web for recruiting, distribution of terrorist information and scare tactics,” David De Walt, the chief executive of tech security company FireEye told the Financial Times this week. Now, De Walt said, “[w]e’ve begun to see signs that rebel terrorist organizations are attempting to gain access in cyber weaponry.”
And on Tuesday, National Security Agency Director Michael Rogers warned that the U.S. needs to bolster its defenses against digital attacks from terrorist groups like ISIS.
“It’s something I’m watching,” Rogers said of ISIS’s aggressive use of Internet technology at a cybersecurity conference in Washington, D.C. “We need to assume that there will be a cyber dimension increasingly in almost any scenario that we’re dealing with. Counterterrorism is no different.”
But do we really need to fear a cyber attack from ISIS? As it turns out, probably not: ISIS’s social media savvy doesn’t necessarily translate into a real cybersecurity threat against the United States, and much of the talk about the group’s growing cyber-prowess overstates the point, experts told TIME.
“I don’t think anyone has any proof that there’s an imminent attack or that ISIS has acquired the manpower or the resources to launch an attack on the infrastructure of the United States,” said Craig Guiliano, senior threat specialist at security firm TSC Advantage and a former counterterrorism officer with the Department of Defense. “It could be a potential threat in the future, but we’re not there yet.”
ISIS, a group with little technological infrastructure, doesn’t have many resources to wage a cyberwar against the United States. Compared to larger, state-sponsored hacking operations, ISIS is miles behind. Chinese hackers, for instance, who have been accused of attacking U.S. businesses and government contractors, are reported to have wide-ranging support from Chinese authorities, with many of the hackers hailing directly from the Chinese army.
A few ISIS-related figures have been connected with cyberattacks or cybercrime. Abu Hussain Al Britani, a British hacker who has since moved to Syria and begun recruiting for ISIS, was jailed in 2012 for hacking into former Prime Minister Tony Blair’s Gmail account. One of the more prominent tech-savvy ISIS supporters, Al Britani maintains a Twitter account that calls for new ISIS recruits.
And a group called “Lizard Squad” that has claimed responsibility for high-profile cyberattacks that have brought down the websites of the Vatican, Sony and others has tenuously been linked to ISIS on the basis of tweets like this one:
But ISIS doesn’t appear to have the manpower to launch sophisticated attacks against the United States. “You need some resources. You need access to certain kinds of technology. You need to have hardcore programmers,” Jim Lewis of the Center for Strategic and International Studies said. “ISIS doesn’t have those capabilities.”
Unlike China’s state-sponsored hackers, who have a strong interest in attacking U.S. businesses to hawk trade secrets and intellectual property, ISIS is more concerned with taking real-world territory and controlling it. ISIS’ first priority is establishing control over the disparate desert regions from the outskirts of Aleppo in Syria to Falluja in Iraq and creating an Islamic caliphate—not an expensive and often intangible cyberwar against American websites.
“ISIS wants to conquer the Middle East, not hack websites in Omaha,” said Lewis.
That’s not to say that ISIS is incapable of launching an attack in the future. ISIS is believed to be well-funded, likely capable of purchasing simple malware on the black market and using it against the West. But the kinds of attacks ISIS would be able to carry out would likely be more of an annoyance than a debilitating strike on the United States’ infrastructure, the kind of attack that national security experts really worry about.
During the most recent spate of violence between Gaza and Israel, for example, hackers on both sides launched distributed denial of service (DDoS) attacks, which involves using multiple servers to overload a website and briefly disable it. That kind of attack is a far cry from shutting down power plants in the U.S. or attacking nuclear reactors. Still, the threat of a cyber strike, particularly against financial institutions as a means of funding ISIS’s expansion, may grow over time.
“ISIS is continuously looking for new ways to carry out high impact high visibility events to bring attention to their cause,” said John Cohen, recently the counterterrorism coordinator at the Department of Homeland Security and currently a professor at Rutgers University. “One has to speculate they are looking at the results of major cyber breaches such as Target or Home Depot and against critical infrastructure, and thinking about them as a potential avenue.”