Our cyber-security challenge goes far beyond our inability to secure our businesses and organizations over the past three years. As we continue to (some would say) ignore the business and financial cyber-threat on the ground here at home, there is a more serious threat developing that does indeed pose an existential test of our willingness to defend our way of life on an even larger stage.
We have seen in the last few weeks both the vulnerability and the resilience of ISIS as it struggles to hold on to territory in Syria and Iraq. A new analysis of the battlefield shows that territory held by ISIS has shrunk 12% this year, with losses in both western Iraq and northern Syria.
But then, who needs physical territory when you can build a Caliphate on the web? Cheaper, better, faster, more.
We now see that ISIS groups are using a clever variety of digital tools and online services that allow them to grow and maintain a strong online presence, while also helping them remain undetected by adversaries. This jihadist toolbox and the online campaigns are relatively unknown to the general public, though their recent use of social media has begun to attract significant attention in security circles over the past few weeks.
Because mainstream communication applications do not offer the sophistication these groups require for their security needs, the jihadists are forced to seek alternative ways to communicate which now include secure browsers, Virtual Private Networks (VPNs) and proxy services, protected email services, mobile security applications, and encrypted messaging services. These guys have become cyber-smart.
In addition, they now employ mobile propaganda applications designed to help supporters disseminate and view propaganda with greater ease, speed, accessibility and complete anonymity.
They are using highly secured browsers like Tor and Opera, which enable them to operate clandestinely without divulging their IP addresses and to avoid risking third-party surveillance, while the use of VPNs along with proxy services helps them further obfuscate their identities during their online activities.
Their advanced use of protected email services prevents intelligence agencies from monitoring their messaging, and they’re taking advantage of security features such as end-to-end encryption and temporary, anonymous account capabilities.
And just to be extra sure, ISIS now uses only encrypted messaging for social media to ensure that the channels through which they broadcast their propaganda provide a layer of security that absolutely prevents detection and that their identities and the messages themselves are protected from all except their intended recipients.
Their reliance on and adoption of technology for expansion, growth and survival is now commonly known and almost impossible to defend against in an open Internet world. Even though the overall cyber capabilities of the Islamic State as an entity are still relatively weak and appear to be underfunded and poorly organized, the individual operators are managing to quickly learn, adapt, and advance through the most current and leading-edge technological tools. It wouldn’t surprise me if they started showing up at DEFCON and competing in tournaments.
In addition, ISIS now employs a vast network of “fanboys” who monitor social media sites and disseminate the group’s online propaganda. It is currently estimated that ISIS’s followers have at least 96,000 accounts on Twitter, allowing them to easily distribute their favorite links to digital content hosted on other online platforms. If their Twitter accounts get closed down, they simply register under new names, as they have demonstrated earlier this year on two occasions.
Thanks in large part to these Twitter and Facebook campaigns, thousands of Westerners are now fighting for ISIS in Syria and Iraq, and many who cannot reach the physical Syrian state have attempted “lone wolf” attacks in their homelands as we have recently seen both in the US and in Western Europe.
Although the jihadists’ skill at conducting information operations has thus far outstripped their capacity for cyberwar, they have managed to execute several high-profile attacks online. This past January, on the same day President Obama delivered a major address on cybersecurity, ISIS-affiliated hackers made an elaborate and well-timed statement by seizing control of CENTCOM’s official Twitter and YouTube accounts. The message wasn’t lost on many of us.
And in the incident that put the FBI and DOD on full alert, the “Islamic State Hacking Division” claimed responsibility for hacking into the social media accounts of hundreds of U.S. military personnel and published lists of more than 1,400 names, departments, email addresses, passwords, and phone numbers, warning: “We are in your emails and computer systems, watching and recording your every move, we have your names and addresses, we are in your emails and social media accounts, we are extracting confidential data.”
There are at least three reasons why ISIS’s efforts to grow a cyber-warfare capability should be taken seriously.
First, the costs of acquiring a significant cyber capacity are low enough to allow weaker states — or non-state actors — to obtain capabilities that threaten U.S. interests. ISIS may lack the educational institutions or technological resources of nation-states like China or Russia which would enable them to produce large numbers of advanced cyber warriors, but the abundance of hacking talent available on the dark net means they can either hire the services of hackers from criminal groups around the world or buy sophisticated zero-day attacks on the Dark Web to deploy themselves. As we know, these exploit kits are cheap and require virtually no skill to deploy and they are even available on eBay.
Second, as we have just seen with the tools being used currently, ISIS’s cyberwarfare capacity will not remain in a primitive state indefinitely. Both China and Iran started with simple website defacements similar to the CyberCaliphate’s, before moving on to more sophisticated and destructive attacks like the one in 2013 where Iranian hackers infiltrated the U.S. Navy’s unclassified Intranet, an incident which one former U.S. official described as “a real eye-opener in terms of the capabilities of Iran to get into a Defense Department system and stay in there for months.”
Third, cyberattacks allow potential adversaries to bypass our conventional military superiority in order to directly attack civilian infrastructure and economic targets.
While the major actors in the cyber arena (Russia, China, etc.) who have the capability to initiate a “catastrophic” cyber-attack are deterred because their economies are sufficiently integrated with America’s that a catastrophic cyber-attack on U.S. infrastructure would ensure a victory in which the perps would also suffer economic damage, ISIS does not face any similar restraints or deterrents that prevent it from pursuing a total cyber-war strategy.
So, it would be a mistake to dismiss ISIS’s hackers as the jayvee team of cyberwarfare and assume the threat they pose will remain static.
Late last year, the FBI warned U.S. lawmakers of the challenges in monitoring encrypted online communications among Islamic State terrorists, while calling for new laws requiring technology firms to provide backdoors to decrypt messages among jihadists. To date, no one company has cooperated and it continues to be an important debate as to whether in fact they should.
In the meantime, the computer networks upon which U.S. critical infrastructure depends must be made far more cyber secure, not just to assure the continued freedom to conduct business, move capital, operate and support public service organizations, but in preparation for the day that ISIS’s cyberwar capabilities swell to match their intent.
Many economists believe that we are on the brink of another bank-induced global economic crisis and if I were advising ISIS, I would suggest they target an international banking institution. Any new banking crisis will do more to undermine the West than a thousand cases of stolen email or hacked social media accounts. And since most economists believe our financial system is more precarious now than even before the “Great Recession”, banks should hold a special allure to cyber-terrorists.
All banks today are networked and completely dependent upon inter-bank lending and derivative transactions, both domestically and internationally. Any perceived problem at one bank will quickly infect others and spread across the financial system in electronic time. Public finance problems will immediately follow as governments and central banks are forced to prop up the infected bank to ensure continuance of essential payment and credit flows. The outcome would be instantaneous and horrendous.
Although the effort to improve cybersecurity in both government and the private sector continues to crawl along as it has now for over a decade, the persistent flood of headlines trumpeting the latest major cyber-attack demonstrates that America is clearly losing this war.
Earlier this year, the Pentagon declared the start of our first cyber war against the ISIS jihad, aimed specifically at disrupting their command-and-control communications, and as President Obama said in April, to put pressure on their cyber-ambitions.
Last week, the White House released a framework for handling cyberattacks with a vague cyber-attack severity scale. Level 4 of 5 is called critical and is supposed to turn red when the threat is “likely to result in a significant impact to public health or safety, national security, economic security, foreign relations, or civil liberties.”
The key word in level 5 or severity black is “immediate”.
As Ed Lucas says in his book Cyberphobia, “Possibly even more catastrophic are hackers at a national level that have begun stealing national security, or economic and trade secrets. The world economy and geopolitics hang in the balance.”
Do you think Ed might be on to something, or is he just hyper-phobic too?