Terrorist groups looking to refine chops in cyberspace

One of the problems facing government and military officials regarding the cyber domain is that its very nature tips the balance in favor of less capable actors while simultaneously augmenting the capabilities of powerful nation states such as China and Russia, and, for that matter, the United States. 

“[Y]ou can spend a little bit of money and a little bit of time and exploit some of our weaknesses, and cause us to have to spend a lot of money, a lot of time,” Defense Department CIO Terry Halvorsen said in September about the imbalance of cyberspace.

“[Adversaries] continue to evolve and we’ve seen a number of our threat actors that they realize it’s a low cost, if you will, to get into this space and they’re using that to their advantage,” Col. Robert Cole, director of the Air Forces Cyber Forward, said last week at an event hosted by AFCEA’s northern Virginia chapter.

Even President Obama has warned of the threat non-state groups pose in cyberspace. “[A]s the Internet erases the distance between countries, we see growing efforts by terrorists to poison the minds of people like the Boston Marathon bombers and the San Bernardino killers,” he said in a prime time address from the Oval Office on Dec. 6.

However, the current capabilities of terrorist organizations and non-state actors in cyberspace has proved more of an annoyance rather than a destructive threat. James Lewis, senior fellow and program director at the Center for Strategic and International Studies, contends that cyber attacks by non-state groups do not presently pose a threat as it “takes a large, well-resourced, and time-intensive effort to use cyber tools for major disruption or physical damage,” he wrote in a recent report.  

But although non-state actors such as ISIS, al Qaeda and their sympathizers may be cyber lightweights compared to the likes of China and Russia, they are pouring more time, attention and resources into cyberspace to further their objectives.

“Cyber warfare is a natural arena for al Qaeda. It allows a small number of covert and dispersed individuals to inflict disproportionate damage on a much stronger adversary,” states a recent report published by the American Enterprise Institute’s Critical Threat’s project titled “Al Qaeda Electronic: A Sleeping Dog.” The report did note that, despite this natural operating space, al-Qaeda does not possess an advanced cyber warfare capability, either for attacking high-priority targets in the West or recruiting new members. The only collective claiming any affiliation with the group is the nascent al-Qaeda Electronic, or AQE, which was announced in January 2015. Any actual affiliation with al-Qaeda’s core organization is unclear.   

Al Qaeda’s “impotence in the cyber realm” can likely be attributed to the lack of experience by its leaders who, the report noted, have spent the majority of the past 25 years operating covertly trying to evade detection by Western governments. (Al Qaeda founder Osama bin Laden also was known to be Internet-averse.) While the group has used technology to communicate with recruits and affiliates, they have more of a defensive mindset – relying on password-protected Internet forums and use of encryption – as opposed to its former affiliate and now primary jihadist rival, ISIS.   

ISIS is “changing the landscape of al Qaeda-related cyber activities, however,” the report says. “ISIS is much more offensively oriented, and its declaration of an Islamic State shows its desire to operate in the open rather than the shadows. Its use of information technology follows the same pattern. ISIS relies heavily on social media to communicate among its leaders and to its followers, as well as to attract potential recruits. ISIS is creating competition within the jihadi world in cyberspace as well as in the arts of terrorism and atrocity.” 

The report notes that the types of cyber attacks made by non-state actors and less capable groups include defacement of websites, denial of service and data breaches.

ISIS and its sympathizers have recently engaged in similar activities, such as the defacement of the U.S. Central Command’s Twitter page, the collection and dissemination of personal information of members of the armed services and causing a French television station to go off the air. In fact, the capabilities of a member of ISIS’s “CyberCaliphate” drew such ire that he was targeted and killed in an American strike in Syria.

“As far as the terrorist – the evolving of the terrorist threat – they have gone from using the Internet and cyber as a propaganda tool to, I think, just recently this year we saw them not use it just for a tool but also to obtain information to target U.S. government military personnel,” Sean Newell, deputy chief for Cyber, Counterintelligence and Export Control Section at the Justice Department, said Wednesday at an event hosted by the Atlantic Council. “That’s a significant evolution and you can rest assured they don’t want to stop there and they want to keep moving towards greater destructive attacks or cyber-enabled attacks that cause loss of life.”

“Al Qaeda Electronic’s attacks to date have shown little finesse and the group has almost certainly relied heavily on automated vulnerability scanners to find points of penetration,” the report said. “It is unlikely that its program of defacements is merely a distraction for a more menacing operation, such as the covert formation of a botnet, since there is no indication that AQE’s members have the requisite technical skills and the group has not promised to target specific institutional or other large, high-value targets.”

Despite the group’s lack of ability to move past these pesky cyber hits, “AQE’s members are aware of, and on certain occasions have executed, more advanced tactics, and it remains plausible that AQE could move onto targets of greater importance and deploy more powerful software,” the report contends. “The group has expended a considerable amount of effort on organizational formalities, including creating a leadership hierarchy and establishing a separate media outlet.”

Most of AQE’s cyber attempts have been website defacements against low-value targets with occasional  denial of service attacks. The group has yet to attempt an intrusion or attack against a high-traffic or government system. Other non-state groups, such as the Syrian Electronic Army, which forced an Army website offline earlier this year, are considered more capable cyber actors than AQE.

But the report notes that AQE cannot be written off because, first, there is potential given the history and connections its members have shown to become more capable players in cyberspace and, second, because cyberspace affords a low barrier of entry, enabling “five untrained fighters [to] pose a negligible threat in the physical realm but can legitimately target disproportionately large enemies online.”