- The Islamic State will continue efforts to improve its capabilities in communication and offensive attacks in cyberspace.
- The availability of cybercrime tools and services on underground criminal markets will allow the Islamic State to further bolster its existing abilities.
- The geographic spread of the Islamic State's online presence and its ability to tap into underground markets mean that efforts to counter the group's online activities will occur in countries other than Iraq and Syria.
- Regardless of offensive capabilities in cyberspace, the Islamic State's online activities will continue to focus on disseminating propaganda in efforts to draw recruits and funding.
On Nov. 13, armed militants killed 130 people in Paris. On Nov. 14, unarmed militants from the public relations branch of the Islamic State sat down at their computers, signed in to their social media accounts — accounts from which they could reach virtually anyone in the world — and claimed responsibility for the attacks.
Propaganda is immensely important to the Islamic State. Part of its mission is to convince the world it is as dangerous as it claims to be, so it is little surprise that the group's behavior on the Internet is every bit as theatrical as its behavior on the battlefield. Even some of the venues of the Paris attacks — a soccer stadium, a concert hall — are structures of performance meant to host large crowds. In that sense, the Islamic State achieved precisely what it intended to on Nov. 13: It commanded the attention of a global audience, which it can use to spread its message and recruit new members.
The Islamic State's first claim of responsibility for the Paris attacks was disseminated through a popular instant messaging service, Telegram, which allows end-to-end encrypted communication. A month earlier, the Islamic State's media wing began encouraging its supporters to use the service. After the initial release of the message, the rest of the Islamic State's social media network operators and supporters amplified it further. The initial call to use Telegram drew focus to the Islamic State's technical capabilities in cyberspace, particularly when coupled with the group's repeated claims that it has offensive online capabilities.
Since the Islamic State's online presence began to grow rapidly in 2014, culprits claiming affiliation with the group have carried out numerous unsophisticated online attacks, such as hijacking social media accounts and defacing poorly secured websites. Online harassment of individuals, organizations and whole populations is a tactic frequently used to foster fear without any actual threat of violence. The Islamic State's online media machine has also made claims of hacking U.S. government networks, on some occasions by posting names and personal details claimed to belong to government and military personnel. In addition to carrying out cyberattacks, whether real or fabricated, the Islamic State has more recently attempted to educate its supporters in rudimentary operational security measures when communicating over the Internet.
The Islamic State has indeed given some attention to building up its technical online capabilities and will likely continue to do so. But these capabilities have largely focused on theatrics in online media in an attempt to maintain the group's image as an expanding threat despite losing the momentum it had in 2014, rather than presenting any significant threat to public safety. These capabilities carry even less significance on the battlefields in Iraq or Syria. Nevertheless, the Islamic State likely will continue to incorporate the use of information technology and attempt to expand its technical capabilities in cyberspace.
For more than a decade, transnational jihadists have turned to the Internet to spread claims of terrorist attacks. However, the Islamic State has built up a particularly robust and effective online media machine that has placed its propaganda, and a glimpse into its recruitment efforts, on some of the most popular public mediums in the West, including Twitter and Facebook.
The Islamic State has leveraged this social media presence to portray itself as possessing exaggerated offensive capabilities in cyberspace. In March, the "Islamic State Hacking Division" posted a list of 100 names and personal information that the hackers claimed belonged to U.S. military personnel. The hackers said they obtained the information by compromising government databases, but the list was more likely compiled through open source research. In January, someone claiming affiliation with the Islamic State hijacked the U.S. Central Command's Twitter account. However, social media users — particularly those sharing accounts — often take poor security measures in selecting account credentials; thus, hijacking or "hacking" accounts can often be accomplished with cheap tricks.
The Islamic State intentionally misrepresents its online capabilities in its online propaganda efforts. This feeds into the principal reason for the group's organizational focus on online activities: drawing recruits and funding. However, because the bulk of the Islamic State's social media presence is highly decentralized, with a significant portion spread outside of Iraq and Syria, extensive online communication is required in order to organize its propaganda efforts. The Islamic State's means of communication are diverse — a guard against the effects of any crackdown on social media accounts. As a result, the group has recently begun efforts to at least bolster the security awareness of its broader online audience, such as recommending tools like anonymous communication service "Tor" in hopes of concealing messages.
The Islamic State has made additional efforts to educate its supporters on proper operational security, even circulating a manual on securing communications around more obscure online forums. The manual contains numerous best practices and suggestions, many of which were plagiarized from another manual. Although unlikely to ultimately thwart Western intelligence agencies' targeted surveillance efforts, these practices could pose significant obstacles to law enforcement organizations. However, given the decentralized and dispersed nature of the Islamic State's online presence, it is unlikely that most online supporters will heed all the advice listed in the manual.
Islamic State Hacking
Despite names associated with the Islamic State that imply offensive online capabilities, such as the "Islamic State Hacking Division" or the "Cyber Caliphate," there is no indication that the Islamic State has any organized branch capable of carrying out cyberattacks that could inflict physical harm on individuals or cause significant financial or physical damage.
Thus far, possible Islamic State members and supporters have demonstrated little sophistication in their online offensive abilities. Website defacements are common; the wide array of websites that have been targeted over the past year, along with the use of well-known security exploits, suggests that these were attacks of opportunity rather than targeted attacks. In other words, these attacks could be carried out by a low-skilled hacker working with simple software that automatically scans a selection of targets for known vulnerabilities and relies on documented exploits to compromise vulnerable targets.
In some cases, online attacks carried out in the Islamic State's name were not in fact carried out by the group's supporters. In April, the French television network TV5Monde suffered several cyberattacks targeting its social media accounts, website and station. The culprits claimed to be associated with the Islamic State, but by June, French authorities believed the attackers were in fact Russian hackers posing as Islamic State militants. In a domain where attributing activity to particular actors can challenge even the most resourceful intelligence agencies, names are trivial.
The Islamic State probably is not capable of carrying out spectacular acts of cyberterrorism, such as targeting critical infrastructure. The group would welcome such capabilities, but so far its use of cyberspace principally has been psychological operations and communications. The low sophistication of its offensive online capabilities has been effective in this regard.
However, the group has clearly put emphasis on publicizing its activities in cyberspace and on recruiting somewhat skilled individuals. In October, Malaysian authorities arrested Ardit Ferizi, a hacker from Kosovo, whom U.S. authorities accused of stealing personal information after compromising the network of a U.S. company. Ferizi then allegedly handed the information over to an Islamic State member, Junaid Hussain, who reportedly was killed in a U.S. drone strike on Aug. 25 in Raqqa, Syria. Ferizi had been a known hacker operating under the pseudonym of a group of Kosovar hacktivists. Hussain, likewise, was a known hacker and British national previously associated with a different hacktivist group.
There is nothing to suggest the prevalence of Islamic State supporters with backgrounds similar to Hussain's or Ferizi's, nor are there any indicators that Ferizi and Hussain had highly technical abilities. But their association with the Islamic State shows the group at least has the intent to recruit individuals capable of carrying out cyberattacks, and the group is likely to be able to do so again eventually.
The Islamic State's Next Steps
As it has been for other jihadist groups, the Internet has been a powerful tool for the Islamic State. Given the Islamic State's efforts to recruit hackers to carry out low-level cyberattacks, it seems likely the group will continue to pursue greater capabilities that will help it organize its online communications and its attempts to portray itself as a technically capable threat, though not to the point of committing catastrophic cyberattacks.
Capabilities to carry out cyberterrorism do not necessarily have to come from within the Islamic State. A thriving underground market exists where tools designed to commit cybercrimes for financial gain, such as stealing banking credentials or installing malware that holds critical information on a victim's device hostage for ransom, can be purchased or even rented. Offensive skills for hire and exploits in popular software that are not publicly known (referred to as "zero day" exploits) are also available, and often the buyers and sellers do not have to know each other's identities.
Cybercrime can be a considerably profitable endeavor, potentially earning millions of dollars for the culprits. The existence of such markets means that jihadist groups like the Islamic State could gain offensive capabilities without actually recruiting a person with the necessary skills into the organization. By intersecting with existing global cybercrime networks, the Islamic State could bolster the potential funds earned through its efforts online while potentially increasing the effect of its online attacks and thus boosting its overall propaganda efforts.
Regardless of how far the Islamic State can continue to develop its online capabilities, no improvements in this area will shape its fighting abilities in and around its core territories in Iraq and Syria. Its efforts as an insurgent force largely are independent of its cyberspace activities, and this will likely be reflected in the geography of counter-Islamic State efforts. The large, decentralized pool of supporters being organized over online media and the ability to contract additional capabilities from cybercriminals mean that efforts to counter the Islamic State's online activities likely will occur in areas outside of Iraq and Syria, as was the case with Ferizi.
Lead Analyst: Tristan Reed