ISIS intent on expanding online abilities to conduct cyber attacks, says US official

Extremist groups are using social media to “crowdsource” terrorism and are intent on developing the ability to conduct crippling cyber attacks on their enemies, a senior Justice Department official said at the Atlantic Council on Nov. 10.

“[Terrorist groups] have the intent [to conduct cyber attacks], and if they develop the capability they are going to use it… and they are not going to be deterrable,” said John P. Carlin, Assistant Attorney General for National Security at the US Department of Justice.

“If we don’t work to disrupt their ability to have that capability it is going to be a matter of time before they get the capability,” he added.

Carlin suggested a two-pronged deterrence strategy — shoring up cyber defenses and the ability to have a critical sector up and running again after a cyber attack, and an offensive strategy that is aimed at blocking terrorist groups from developing the ability to conduct cyber attacks.

Carlin spoke at an event hosted by the Cyber Statecraft Initiative of the Atlantic Council’s Brent Scowcroft Center on International Security.

Terrorist organizations, most prominently the Islamic State of Iraq and al-Sham (ISIS), have effectively used social media to radicalize youth across the world. There is a shift in focus away from carrying out large-scale, al Qaeda-style attacks that involve long-term planning, said Carlin.

ISIS, in particular, has changed strategies. “They are no longer concerned about their brand the way al Qaeda was and instead, essentially, they are trying to crowdsource terrorism,” said Carlin.

ISIS switched to this model of exploiting US social media platforms over a year ago to spew propaganda with the hope of persuading individuals to carry out terrorist attacks overseas. This switch in strategy — accompanied by a call to attack swiftly — has shortened the “flash to bang” time between the initiation of a plot and its execution, Carlin added.

“When they get someone on the line, they walk them through a process of radicalization,” Carlin said, comparing ISIS propaganda to that of a slick advertiser.

While a few years ago a “person-to-person connection” was necessary for terrorists to be able to recruit and radicalize individuals, this process now takes place entirely online, he said. This trend is reflected in cases currently being prosecuted in all fifty states of the United States.

This past summer, for example, a Northern Virginia teen who ran a pro-ISIS Twitter account and allegedly helped an older boy make his way to Syria ended up in prison.

Alberto Fernandez, a former Coordinator for Strategic Counterterrorism Communications at the State Department, said at the Atlantic Council in July that ISIS has created a “jihadist counterculture” on social media backed by a cohort of supporters against which the United States is no match.

“On our best day we were outnumbered by ISIS by ten to one. Sometimes it is much worse,” Fernandez said.

Carlin acknowledged that the effort against cyber threats is under-resourced. “We are playing catch up … both in terms of developing and resourcing a deterrence model, but also on the defensive side,” he said, while calling for the development of a long-term strategy to counter the terrorist recruitment of young people in the United States.

ISIS poses a cyber threat to the United States in other ways as well. Take the case of Ardit Ferizi. The Malaysia-based hacker was arrested in October and accused of stealing personal information from US servicemembers and giving this to ISIS.

The Ferizi case is the first time an individual has been charged with computer fraud and abuse, as well as with providing material support to a terrorist group, said Carlin.

He said the administration has “gotten successful applying this model of moving quickly, moving across legal authorities, and working together as a community” to counter acts of terrorism.

Following his remarks, Carlin participated in a discussion moderated by Benjamin Wittes, editor-in-chief of  Lawfare.

Defending against cyber attacks

Three prominent cyber attacks took place in the United States in 2014. In February, Iranian hackers attacked the Sands Casino in Las Vegas; in November, Sony Pictures Entertainment became the target of an embarrassing cyber attack; a few months later it was revealed that hackers had breached the Office of Personnel Management (OPM) and accessed the records of more than twenty million current and former federal employees. The intrusion at OPM took place in December of 2014, but was only detected in April. Chinese hackers are suspected in the OPM hack. China, however, denies this.

Amid growing calls for a strong response against such cyber attacks, US President Barack Obama imposed sanctions against officials in North Korea, which was believed to be behind the Sony hack. The hackers ostensibly retaliated against Sony for producing a slapstick comedy that mocked North Korea’s leader.

“When we were responding to [the Sony hack], in terms of strategic approach it was important not just in terms of what the message was to the North Koreans, but to all of the other countries and groups that were watching how the US is going to respond,” said Carlin. “That’s why it was important that we did respond.”

In April, Obama issued a presidential directive on sanctions against countries and foreigners who conduct cyber attacks on the United States and its citizens.

“When you can figure out specifically who did it and you’re working out ways to disrupt it, the use of sanctions can be a very powerful tool,” said Carlin, adding that the private sector has to be part of the solution.

All eyes on China

A tougher response from the Obama administration to cyber attacks resulted in the 2014 indictment of five Chinese military hackers for conducting cyber espionage against US corporations.

The Chinese People’s Liberation Army (PLA) case marked “the first time we were really trying a new approach,” said Carlin. This approach stood out for not just investigating cyber attacks, but also publicly pinning blame on the perpetrators, and putting consequences in place.

Obama and Chinese President Xi Jinping met at the White House in September and agreed to stop cyber theft of intellectual property for commercial gain.

Wittes asked Carlin whether China has followed up its rhetoric at the White House summit with a change in behavior.

“The fastest way to figure it out has to be having companies come in who are the victim of this crime,” said Carlin.

Ashish Kumar Sen is a staff writer at the Atlantic Council.