When it comes to the cyber operations of the Islamic State group and other militant organizations, they have been aspirational in terms of discussing cyber activities almost from the start.
Most cyber operations by the Islamic State group and other militant organizations have been on a fairly low level and merely aspirational, according to the deputy director of the U.S. National Counterterrorism Center.
John Mulligan was giving a keynote address at the DoDIIS Worldwide Conference in St. Louis, Missouri, on Tuesday.
From a practical standpoint, cyber activity to date has been largely confined to doxing, where groups such as ISIS find available information and generate kill lists related to security or military personnel, then encouraging others to conduct attacks against those individuals, Mulligan said. This is done through some low-level hacking and the exploitation of low-hanging fruit.
The U.S. government has seen some low-level defacement of websites, he added, but nothing particularly substantial.
The gap between the perception that entities able to do the most harm in cyberspace — to include sophisticated nation-states — probably have lesser intent and entities with more nefarious intent — to include terrorists or criminals — have lesser capability is closing, former Director of National Intelligence James Clapper told the Senate Armed Services Committee in May.
Terrorists, criminals and hacktivists are going to exploit technology, “and so that comfort that we may have taken in the past is something we should count on,” he said.
Echoing this sentiment, Mulligan noted that at every other area in which there is relevant commercial applicability, ISIS has consistently shown an ability to evolve capabilities over time. He specifically cited the group’s use of commercial drones, which has evolved from primitive battle assessments as well as intelligence, surveillance and reconnaissance to arming the drones.
“We should not make the same mistake in terms of underestimating their ability to again adapt their own cyber capabilities,” he said. “So we can anticipate that although they have not yet demonstrated the nation-state level competencies in this regard, they will continue to work relentlessly against it.”
From a military perspective, Mulligan said ISIS is a loose connection of broadly independent, functioning entities that lack a degree of predictability and uniformity. When it comes to ISIS’ hacking cohorts, such as the so-called Cyber Caliphate, they are for the most part considered sympathizers rather than members of ISIS.
Mulligan, when asked by C4ISRNET following his presentation about ISIS’ organic cyber operations capability, said there are likely individuals loosely affiliated with the organization who are physically displaced but nevertheless provide some degree of expertise or knowledge.
Others, however, such as Junaid Hussain, who was killed in a drone strike and considered that godfather of ISIS’ hacking cadre, have aspirations and want to change the organization’s behaviors writ large. Those individuals tend to rise up above the horizon and attract attention.
The United States’ concern, he said, is the individuals who are competent in the cyber arena and may be operating below the horizon, making them more difficult to detect.
This can include those undertaking official support tasks, networks of supporters retweeting ISIS propaganda and those that add value to the overall effort but are difficult to detect. These networks, Mulligan said, are believed to be globally dispersed.
Social media and cognitive warfare
“What is really unique about ISIS is the fact that they have a deep understanding of the linkage between the media world, particularly social media, and the operational world,” Mulligan said. “They have very successfully been able to use media to amplify the effects of their operational activities.”
These linkages are something Lt. Gen. Vincent Stewart, director of the Defense Intelligence Agency, a day earlier termed fifth-generation war.
ISIS understands the broad range of commercial technological applicability, and social media allows the group to conduct global operations, Mulligan said. The militant group can conduct financial transactions, facilitate logistical movements, and organize in a dispersed, remote way.
Organizations such as ISIS delegate to individuals degrees of responsibly and accountability, allowing them to display their initiative.
“If I could characterize to you how they initially would operate, it would be that they would be on widely publicly available platforms, and once they made contacts with those individuals they would migrate conversations to more secure messaging platforms,” he said.
ISIS’ internally developed applications pose a challenge to the U.S. government, Mulligan told C4ISRNET following his presentation, particularly when applications are open source, in which individuals from virtually anywhere can make contributions.
Moreover, he said, they are operating in largely unstructured environments and developing unstructured tools with broad degrees of competency and contributions, making it much more difficult for the government to detect and develop countermeasures.
Adm. Michael Rogers, director of the National Security Agency and commander of U.S. Cyber Command, has called ISIS the most adaptive enemy he’s seen in 35 years of being an intelligence professional.
“I would argue they have the greatest rate of change of any target I’ve ever worked in 31 years. You see them constantly changing their applications,” he said at the Aspen Security Forum in July.
Rogers had said that during a meeting at Fort Meade, Maryland, about generating insight in Raqqa, Syria, and Mosul, Iraq, against ISIS, he asked his team: “Do you realize what we’re doing right now is nothing like what we did 10 years ago?”
“Take Mosul as an example,” he continued, “in the same battle space. We’re going against totally different target sets, totally different comms profiles. This opponent has totally changed when for example they were [al-Qaida in Iraq] in a previous iteration.”
Rogers said this is currently the nature of the world, adding that this trend could jump from the nonstate actor to the nation-state because he’s seen countries use some of those exact same commercial capabilities.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.