The Islamic State is trying to hack U.S. power companies, U.S. officials told a gathering of American energy firms Oct. 15, CNNMoney reported. The story quoted John Riggi, a section chief at the FBI's cyber division, as saying the Islamic State has, "Strong intent. Thankfully, low capability … But the concern is that they'll buy that capability."
The same day the CNNMoney report was published, the U.S. Department of Justice announced the arrest of Ardit Ferizi — a citizen of Kosovo and known hacker, apprehended in Malaysia — on a U.S. provisional arrest warrant. The Justice Department charged Ferizi with providing material support to the Islamic State, computer hacking and identity theft, all in conjunction with the theft and release of personally identifiable information belonging to 1,351 U.S. service members and civilian government employees stolen from the servers of an unnamed U.S. retail chain.
According to the Justice Department, Ferizi provided the stolen personal information to the Islamic State's Junaid Hussain (aka Abu al-Britani) who was subsequently killed in an airstrike in the Islamic State's self-proclaimed capital of Raqqa, Syria.
On Aug. 11, Hussain tweeted in the name of the Islamic State Hacking Division a link to a 30-page document that contained the information allegedly stolen by Ferizi. The document threatened "we are in your emails and computer systems, watching and recording your every move, we have your names and addresses, we are in your emails and social media accounts, we are extracting confidential data and passing on your personal information to the soldiers of the khilafah, who soon with the permission of Allah will strike at your necks in your own lands!"
The two incidents are examples of real hacking in contrast to previous actions by jihadist hackers in which they've done things labeled "hacking," such as guessing or resetting the passwords for social media accounts. The incidents clearly show the strong intent to develop a robust cyberwarfare capability. Because of this, they have me thinking about cyberterrorism. It's important to recognize that the Islamic State is not the only non-state actor that wants to develop such a cyberterrorism capability: A wide range of radical groups from anarchist hacktivists to neo-Nazis are also pursuing such programs. This universe of malefactors almost ensures that by skill or by chance, one of them eventually will manage to cross the Rubicon and conduct a hack that actually kills people, causes damage and produces panic and terror, ushering in the age of cyberterrorism.
Having your personal information or email published can be threatening and serve as an incredibly intimate invasion of privacy — trust me. Thanks to WikiLeaks, the entire world can now read years of my emails, documenting for example that I am still very much in love with my wife of 29 years. But while such hacks are bothersome, they are not immediately deadly. "Doxing," slang for publishing personal information about individuals on the Internet, is also intimidating, but not directly deadly; victims can move (albeit with great inconvenience) or take increased security measures to protect themselves from physical harm after being doxed.
But the Holy Grail for cyber terrorists is the ability to conduct attacks that result in death or significant destruction — attacks that provoke terror — with just the stroke of a keyboard. To date, the very few seriously destructive hacks we have seen have been conducted by state sponsors such as the authors of the Stuxnet malware. Indeed, most private hackers seek money, thrills or merely "lulz" (i.e., laughs), and so they have not really focused on cyberwarfare — or more accurately, asymmetrical cyberterrorism — as much as they have cyber theft and cyber vandalism.
Cyberwarfare has largely been the province of nation states, and it is generally believed by cyber security experts that wide-scale cyberwarfare can be conducted only by national actors. Perhaps this is true, but what about cyberterrorism? Can an enemy employ asymmetrical warfare in the cyber realm? As noted by John Riggi, a terrorist group doesn't need to develop the malware for a hack itself. It can buy malware from a commercial hacking crew and then repurpose it for a more malicious purpose than simply stealing. State sponsorship is also a potential way for terrorist actors to gain access to malware tools for asymmetrical cyberterrorist attacks.
While I am not a cyber security expert by any means, I see many parallels between the physical world and the cyber world when it comes to terrorism and cyberattacks becoming deadly.
First, as in the physical world, it is simply not possible to safeguard everything in the cyber world to the highest degree. Security resources are costly and limited, and therefore priority must be given to protecting the most important targets and those where an attack would cause the most damage.
For example, I think everyone would agree that nuclear power plants should receive first-rate protection from physical attack. By contrast, it is simply not possible to provide that same level of security for every electrical substation — much less every transmission tower and power pole — on the lines between the nuclear plant and the consumers who receive the electricity. By necessity, there is an array of "soft targets" somewhere in the electrical system, and indeed, our society is filled with vulnerable targets. These soft targets are often chosen simply because of their vulnerability to terrorist attacks, especially by terrorist operatives who lack sophisticated tradecraft.
I believe that there are similar soft, vulnerable targets in the cyber realm and that some of them can and will be attacked in a manner that could result in death and destruction, though on a much smaller scale than a cyberwarfare attack by a nation state. In many ways, this would be similar to attempts by terrorists to obtain and use chemical or biological weapons and the difficulty they have faced in making these programs as effective as a nation state's chemical or biological weapons program.
But despite the difficulty asymmetrical actors face in attaining nation state capabilities, cyberterrorists doesn't need to destroy a nuclear power plant or take down the North American electrical grid to cause panic. All they need is the cyber equivalent of a primitive chemical weapon or a pressure cooker bomb. As we progressively automate and interconnect our lives, there are an increasing number of items attached to the Internet that a creative person could use to cause simple mayhem.
For the past several years, jihadist groups have struggled to get trained terrorist cadres into the United States and Europe. In light of the difficulty of accomplishing this, they have advocated the leaderless resistance model of operations for jihadists living in the West. They have also sought to extend their reach through remote attacks using underwear and printer bombs. In these attacks, the bombs were designed and built by trained terrorists and then transported using a grassroots terrorist suicide bomber or sent via airfreight.
For the most part, the Internet does not stop at national borders, and it is quite common for hacks to be conducted from another country and for hackers like Ferizi to skip across the globe using compromised systems in several different countries to hide their trail. This means that cyberterrorists can also hack transnationally without having to travel to the country their target is located in.
Another consideration is the possibility of an insider threat. As we've seen in cases like those involving Chelsea Manning and Edward Snowden, an insider can compromise a great deal of information. Beyond stealing data, an insider could also be used to provide an external hacker a detailed understanding of a targeted system, or even to inject malware into the system itself.
Another way that cyberterrorist attacks will mirror attacks in the physical world is that the perpetrators will need to follow an attack cycle, known in hacker parlance as a "kill chain." This means that there will be places along that cycle where their efforts are vulnerable to detection — especially if they are probing systems with high levels of security that are on-guard for such probes. In fact, the aforementioned FBI warning that the Islamic State is attempting to hack power companies is the result of such preventive surveillance activities.
While I do believe that we will see a cyberterrorist attack that succeeds in killing people in the next few years — and that such an attack will create widespread panic — I do not see a scenario whereby these asymmetrical actors can develop nation state-type capabilities, and I expect that deadly cyberterrorism attacks will remain few and far between. I also anticipate that the attacks will cause fewer deaths than simple firearms attacks.
Because of the novelty of cyberterrorism, however, any attack will generate an incredible amount of hype from terror magnifiers. Cyberattacks will also victimize a lot of people vicariously and create widespread panic far out of proportion to the real impact of the action, just as grassroots terrorist attacks have done. Because of this, it will be very important for people to keep these attacks in the proper perspective — everyday citizens can rob terrorists of their power by doing just that. Terrorism is not going away, and those practicing it will continue to develop and employ new weapons. Yet, it is possible to separate terror from terrorism.