Ask The Cyber Security Expert: Are ISIS about to launch cyber attacks?

15:48 07 October in attack, hack

In a change from our normal schedule, we thought we’d poke The Cyber Security Expert with a pointy stick, get him all riled up, and answer a question on geopolitics and jihadist cyber terrorism. Pointy stick deployed, let’s go!

I read in the FT that ISIS are an unstoppable cyber menace!

You probably mean this article (you may have to sign up for a free account to read it). It’s not the best bit of reporting on cyber security issues that I have ever read. So, first the short answer: No.

And now the long answer. Definitely not.

Let’s look at it objectively – from the tone of that article you’d think it was inevitable that ISIS were about to launch a series of crippling cyber attacks against western infrastructure, following in a well worn path of terrorist groups previously. That is not credible. ISIS are good at social media, and propaganda. Largely I’d expect because they are mostly young and have grown up using the internet. For them youtube, Facebook and Twitter come naturally. However that doesn’t mean they are capable hackers and, even if they were, the kind of attacks that the article hints at remain in the questionably plausible space. It’s worth remembering at this point how many millions the US and UK are currently throwing at ‘offensive cyber’ only for it to be more practical to use old fashion bombs (if you’re an IHS Janes Intelligence Review subscriber you can read  topical thoughts on military cyber defence in this months issue from a certain cyber security expert).

‘Cyber attacks’ are not magic. A technical individual in possession of a laptop cannot drop flights from the sky and shutdown hospitals. If you read an article claiming otherwise, be skeptical, and perhaps check back with our helpful guide explaining hacking.

So jihadist groups won’t do anything?

It’s not impossible that ISIS or groups supporting it will do some sort of hacking, but it is likely to be limited to website defacements, denial of service attacks or some sort of social media hijacking. They may or may not succeed at some or all of these things. A group called the Syrian Electronic Army has had a great deal of success hijacking social media (see our article on why this matters to your Twitter account), embarrassing lots of organisations (including satirical website The Onion). SEA specialise in phishing – sending fake emails purporting to be from Twitter and trying to get you to enter your username and password.

There are lots of other groups who do similar things – we talked about this before, and even included a handy section on terrorists.

I thought the FBI issued a warning about this?

They did. However it says much as is said above. Various groups have made various vague threats, but the reality is, at worst, likely to be denial of service attacks, and website defacements. This kind of thing is a major headache for the authorities. Groups achieving even minor successes can lead to headlines screaming about cyber terrorism, but in practise it’s hard to do much about a loose knit bunch of activists spread across the world, and even harder if those activists are in countries that aren’t going to arrest them for you. Realistically the best they can do is forewarn, and encourage everyone to think about cyber security, which you should be doing anyway.

I thought cyber was asymmetrical? 

Ah yes, the idea that the lone individual, or group of individuals, can cause havoc by hacking. I think in practise cyber is asymmetrical in much the same way as stones are asymmetrical. You can throw them at tanks and soldiers, and they might cause irritation and some harm if you’re lucky, but they probably aren’t going to stop the invasion.

So I shouldn’t worry?

Not about cyber terrorism, no. But you should worry at least a bit about denial of service attacks, phishing, and all the realistic stuff that could happen to you at anytime. These are the tools of the run of the mill cyber criminal. People out there are always trying to phish your bank credentials, or hold companies to ransom through denial of service attacks against your website. So yes, think about those things. But ISIS aren’t taking over the internet any time soon.

Thanks for reading. Any questions please ask – find us on twitter, or use the contact form.

The Cyber Security Expert