Could IS Turn Next to Cyber War?
Sharon Behn, Voice of America
The power is out. Gas stations are out of gas. Factories are going haywire.
It sounds like an action movie, but some analysts tell VOA that U.S. industries need to significantly ramp up their cyber security or risk having the Islamic State (IS) hack, attack and create mayhem inside their systems.
"This is definitely a threat to the U.S. government and other western governments, but also to our industrial control systems — the ones that run our manufacturing plants, moving energy across the country, that have vulnerabilities," said Bob Gourley, the former chief technology officer of the Defense Intelligence Agency.
Unlike cyberattacks by Russia and China, Gourley said, groups like IS are less interested in just extracting information and more interested in disrupting essential systems.
"They are going to want to cause mischief and grab attention, so destroying equipment or changing information that makes us question our own systems," said Gourley, who heads the firm Cognitio and is publisher of ThreatBrief.com.
As yet, he added, IS militants are not as capable as some criminal networks or rival nations, "but IS has more capabilities than any other terrorist organization that I know of. And they can gain more."
Protecting Government Systems
So far, IS has established itself as a leader in using Internet-based communications and social media to both send encrypted information and recruit thousands of people from more than 80 countries around the world.
"We are in a new age of this threat," Gourley said, "and the most important thing is we need to defend our systems better than they are currently being defended."
Clifton Triplett, recently named the Office of Personnel Management's senior cyber and information technology adviser, said he is already working to limit any kind of IS breach into the government department.
"I think what I have to do is … assume that, at some point in time, they may be successful," Triplett said at a conference organized by Bloomberg Government. "So how do I minimize the impact of their success? Right now, that really comes into access control."
OPM suffered a major hack earlier in 2015, resulting in the disclosure of private information of some 21.5 million people, including those who applied for security clearances.
Anticipating IS
But Al Berman, president and CEO of Disaster Recovery Institute International, which covers IT disasters, said it would be dangerous to assume that IS would stop at communication and marketing.
"This is not an unsophisticated organization. And if we look at it that way, we are vastly underestimating their capabilities," Berman told VOA.
One path of attack that IS could take, Berman said, would be to siphon money from institutions — perhaps in the U.S., perhaps in the Middle East — in order to increase their funding as the extremist group's oil and tax money streams start drying up.
"Money is incredibly important, and they will find other means if we shut down their traditional means," Berman said.
IS does not even have to do the hacking itself; it only needs to buy the stolen information at the auctions of hacked data held on the dark web.
Berman said IS could start to further refine their "social engineering" or "emotional marketing" techniques, basically by using the Internet in more sophisticated ways to track down and entice potential young recruits.
Vulnerable Universities
For that, IS could hack into universities or buy information on the dark web from universities that have already been hacked.
According to Privacy Rights Clearinghouse, a California-based nonprofit that focuses on privacy protection, in the last five years hackers have accessed more than 2.5 million records from colleges and universities in the United States alone.
John Matherly, founder of Shodan, a search engine for Internet-connected devices, said exploiting student information would be far more likely than an IS attack on a facility such as a water treatment plant.
"Universities and educational institutions tend to have the worst security by far because they have these giant IP ranges. So students use a public IP address that anyone can see, and everything is exposed," Matherly said.
'Low-Hanging Fruit' for Hackers
Conversely, complex Internet-connected control systems — such as those in water treatment plants, office buildings, factories, traffic lights, and solar power farms — are not always difficult to access, but they are difficult to compromise.
"There are devices that have no authentication. You don't need to provide a user name or a password. You can just access it; you can connect to it and talk. But there is a difference between connecting to a device and knowing what to do with it when you do," Matherly told VOA.
"It is important to separate the ability to access a control system from the ability to damage that system," he said. "The more likely scenario is that someone logs in and runs different commands and by accident causes it to fail."
But hackers such as IS do not have to be sophisticated to be damaging, Matherly said. Unpatched webservers, unprotected utility software accounts, individuals not keeping up with security updates, and even Instagram accounts could be easily attacked.
"Control systems are expensive and a long-term effort," Matherly said. "I am sure they are already looking into it, but if you are only looking for attention, it is much more effective to go after low-hanging fruit, and there is plenty out there."
Comments
> ...we already have words for these phenomena, and Dr. Rid very adeptly identifies them in his book: espionage, sabotage, and subversion.
That preserves a rich subject for debate, then, because those words are rather inadequate, implying confinement to activities largely independent of military operations. Armed conflict to achieve political ends -- war -- it's not. A set of military capabilities grouped by characteristic or domain -- warfare (chemical warfare, land warfare) -- it certainly could be. The big questions are whether cyber is really a domain, like land, air, sea, and space (there is an argument), and, whether yes or no, how cyber operations effectively integrate with operations in the physical domains.
I'm "arguing vocabulary" because words have meanings for a reason, and when I hear the words "cyber war/warfare", it tells me that the speaker doesn't know what they're talking about. New vocabulary is unnecessary, as we already have words for these phenomena, and Dr. Rid very adeptly identifies them in his book: espionage, sabotage, and subversion. The level of ignorance I see of this issue, and the same old irresponsible buzzwordery, has consequences that I'd rather not see repeated in 2023, as we now see in retrospect about RMA/Transformation from 2001, 2003, 2011, and 2014/'15.
Arguing vocabulary misses the point of this and the other "cyberwar" articles you've expressed dismay over. Deploying executable software designed (in some cases, very specifically designed) to directly produce effects beyond the transfer of information isn't "movement" or "fire", but it's more than information security/information assurance. Defining the physical and virtual structure of a computer network as "terrain" and transmission of data through the network as "maneuver" is stretching both terms, but there's no question there's a topology to exploit for both offensive and defensive activities.
Invent new vocabulary if it helps.
Thomas Rid, … War Will Not Take Place (https://www.amazon.com/Cyber-War-Will-Take-Place-ebook/dp/B00ET38G9G/), Kindle Edition, $12.34
I've basically reached the point where I consider any article with the words "cyber war" in the headline to be clickbait. I hold academic credentials in both strategy and "cyber"/digital network security, and "cyber war" is simply not a thing. In five or ten years, we're going to experience another real attack, and everyone will retroactively point the finger at "cyber war" harbingers like they currently do at the late 1990s RMA/Transformation advocates.
I am far less concerned about IS offensive online cyberspace efforts (IT hardware and software) and far more worried about IS offensive online meatspace efforts (human capital incitement and recruitment).
Where's the white paper on "Digital Selous Scouts" or "Pseudo Operations 2.0"?
How hard and how expensive would it be to fund, set up, and operate a cyber support centre in allied Jordan to disrupt recruitment of westerners that has everyone so bloody frightened?
1 facility with fat pipes
1 fusion cell
1 liaison cell
1 command cell
1 targeting cell
10 senior supervisors for recruiting
100 recruiters
And if you want to outsource the arrest, interrogation, and imprisonment, you mash up FBI/CIA/JSOC, MI5/MI6/SAS, etc., liaised with amenable local national partner forces to facilitate further direct exploitation.
Their mission is to disrupt and interdict IS recruitment from western coalition countries via online/digital pseudo operations both at home and outsourced abroad if deemed politically worthwhile and affordable.
$10-25 million per year for digital pseudo ops plus domestic and in theatre physical F3EAD costs sounds reasonable?
LE has conducted pseudo-ish operations for decades via classified ads in disrupting and interdicting assassin-for-hire customers, so why not disrupt and interdict IS recruitment in the west?
How is this much different in basic concept?
I would like to think it's already being done, but I am concerned it may not be, as I would think a few high-profile interdictions would have been made public by now.
While I could see good value in keeping online/digital pseudo operations quiet for as long as possible if the threat were existential, or if it were used to quietly and conveniently "take out the trash" neck deep in the paramilitary grey of western black-and-white LE/judicial systems, I would think there would be considerable political pressure to disclose western IS recruitment interdiction wins for political gain due to recent high-profile attacks.
So I'm not convinced it's being done, when I think and hope it should.
Should we really have a high level of fear of IS infrastructure attacks that could be overblown like the millennium bug fix or should we fear social engineering and our inability to disrupt and interdict it?
Kevin Mitnick, the famous hacker, wasn't a hacker; he was a social engineer.
What do you reckon?