Surveillance is 'essential' when terror fills the web with noise

This article was first published in the May 2016 issue of WIRED magazine.

Go back to the 90s and we can read of the fears of a cyber Pearl Harbor, of hostile states and their proxies able to hack into critical infrastructure, causing massive damage and loss of life. With the rise of al-Qaeda, and now IS in Iraq and Syria, we also have predictions of a cyber 9/11 with terrorists exploiting the vulnerabilities of our wired societies.

The terrorists have certainly shown that they can bark loudly on the internet: we face a barrage of sophisticated web-based jihadist recruitment propaganda with high production values worthy of an advertising agency. They spread a message of intimidation, and show themselves capable of ultra-violence through scenes of cruelty that hark back to the 17th century and Europe's Thirty Years' War.

They have also shown they can bark in safety: they understand how security and intelligence authorities conduct digital intelligence, and thus know how to avoid interception and tracing of their communications by using encrypted messaging apps such as Telegram. A typical bark was the claim by the self-styled Caliphate Cyber Army to have set up a new hacking organisation called the Ghost Caliphate. But, so far at least, they have not shown their cyber bite.

Were our early fears of cyber terrorism exaggerated? The worst has not yet happened, but there is proof of concept: states and their proxies have initiated individual destructive incidents, from Stuxnet and the Saudi Aramco takedown, to destruction at a German blast furnace and the Ukrainian power grid. Part of the answer must lie with the terrorists themselves. The motivators are the effect obtained by televisual "spectaculars" with many dead and more watching. A downed aircraft, an exploding suicide belt, machine-gunning crowds - they all provide instant gratification for violent impulses.

Denial-of-service (DoS) attacks that temporarily cut off customers from a web service cause inconvenience, and turning the lights out for a few hours by hacking into a control system will catch headlines, but the result will be only to reinforce government plans for improving the cybersecurity of critical infrastructure.

It is easier for states (and, in some cases, criminal gangs on their behalf) to have the patience to use spearphishing and computer-network attacks to gather intelligence on potential targets, and to build the specialised exploits necessary to cause real damage. And states have greater resources at their disposal without the distraction that IS fighters have of struggling to hold the territory they seized in Iraq and Syria. Yes, the self-named Fighters of Izz Ad-Din al-Qassam tried to disrupt the New York Stock Exchange and some banks with DoS attacks in response to the controversial Innocence of Muslims movie, but the hand of Iran may well have been behind the attacks.

Should we conclude that in cyberspace the jihadist terrorists' bark will always be worse than their bite? Probably, but not necessarily. Like many other low-probability but high-impact threats, just because they do not represent the most likely course of events over the next year or so does not mean that they will not happen. As the 2008 financial crash showed, even a highly unlikely combination of unexpected circumstances can cause chaos, and more often than our view of probability might suggest.

Trends that the security authorities need to watch out for include the increasing availability of sophisticated cyber exploits from criminal sources on the dark net, and the commoditisation of botnet attack networks for rent, reducing the level of expertise and investment required on the part of the terrorist organisation. And contacts between terrorists and criminal gangs will need to be closely monitored, not just to detect the availability of weapons and false documentation, and use of human-trafficking routes, but also for early signs of the cyber threat crystallising. So the backgrounds of individual terrorists with the requisite skills, and any research they may conduct into cyberattack methodologies and techniques, will have to be monitored, as well as the evolution of leadership thinking within terrorist networks.

So, apologies to WIRED readers who disapprove, but digital intelligence techniques remain essential. Added reassurance that these techniques will not be used for mass surveillance and will be subject to strict authorisation and oversight is contained in the draft Investigative Powers Bill now before Parliament. This will set a gold standard for how democracies can look ahead to provide security while safeguarding our privacy rights.

David Omand is a former director of GCHQ and a current visiting professor at King's College, London

This article was originally published by WIRED UK