Hiring tech talent is hard. Drawing talent to a warzone shadowed by drones is harder.
On Aug. 25, a US airstrike killed Junaid Hussain, a British national considered the Islamic State’s most capable hacker – though that may not have been a high bar to clear.
While The Wall Street Journal reported that jihadists called him their "secret weapon," J.M. Berger, author of "ISIS: The State of Terror," described him as "a Twitter noisemaker and a hack hacker." Many online labeled him a script kiddie – more plagiarist than innovator – and they probably got him right.
By most accounts, the kinds of malicious action you could call "cyberattacks" were a small portion of his portfolio and impact; he was also a recruiter, a propagandist, and apparently an adviser on operations security. In other words, he was best known for effective information sharing. He was that guy in your office who encourages you all to give Slack a try – authoring any kind of "cyber 9/11" was hardly in the cards.
So why was Hussain targeted with a Hellfire missile? Understanding why he made the coalition’s kill list goes a long way toward clarifying the threat posed by terror-affiliated hackers.
Even at the expert level, opinions differ widely about what the spread of digital arms means for international security. As Frank Cilluffo and Joseph Clark put it in a recent essay for Lawfare, "Cyber changes everything, cyber changes nothing." In Hussain’s case, everything he did made the Islamic State's network a bit more effective; almost nothing he did was so novel that it couldn’t have been done otherwise. Recruiting by Twitter is more efficient than recruiting by fax, but propaganda has always been with us. Targeting service members is easier if they’ve been doxxed, but lone wolves are an old threat. Encrypted chat is more secure than unencrypted; Hussain was still located and killed.
But his example is sobering because he was trivial, not exceptional. Anyone can learn to do what Hussain could do. Going forward, given his celebrity, more jihadists likely will.
For would-be hacktivists or cybercriminals, barriers to entry are low today. If you have your heart set on doing some of the work yourself, many streamlined tools are cheap or free and – because they have legitimate applications in security research – available on the open web (Metasploit is as popular with the FBI as it is with Dutch organized crime). The menu of options broadens if you know your way around the Deep Web’s underground markets, especially if you have cash to spare. But why even buy an exploit or a vulnerability – some of which remain very pricey – when you can just commission the data breach you want, or buy up stolen personal data in the aftermath of one?
Just this month, the FBI announced the arrest of a 20-year-old Kosovar hacker who went by the handle Th3Dir3ctorY. According to the criminal complaint, he provided Hussain with stolen personal information on thousands of federal employees. Hussain then shared the data dump with social media followers, along with a call to action: "We are extracting confidential data and passing on your personal information to the soldiers of the khilafah, who soon with the permission of Allah will strike at your necks in your own lands!"
Th3Dir3ctorY stands charged with providing material support to the Islamic State. Assistant Attorney General John Carlin called the case "a first of its kind," but it’s unlikely to be the last.
The capacity to do modest harm online is well within the Islamic State's reach – low-hanging fruit that the group, for the most part, has yet to pick. Its sympathizers could cost-effectively scale efforts to deface websites for propaganda value, defraud targets for financial benefit, or give kinetic plots a boost with intelligence gathered online. The missing ingredient has been either will or interest – and Hussain’s prominence marked a definite growth in both. Developing talent is harder, but talent is less necessary than ever.
That said, the group’s capacity will almost certainly grow over time. While jihadists are a long way from a Stuxnet-style attack with kinetic impact – that weapon reportedly cost some $100 million to develop – it remains imaginable that the group will attract followers capable of significant economic disruption, something after the fashion of the Sony compromise. While its time, money, and talent are strained by war, that pressure may eventually lapse. If the Islamic State develops stable borders, continues to draw foreign recruits from technical professions, and preserves significant revenue streams like oil and antiquity sales, jihadist "state-sponsorship" of hacktivism will be a growing concern.
Already, law enforcement officials say, sympathizers have probed the American energy grid. FBI Cyber Division Section Chief John Riggi said the attacks showed "strong intent. Thankfully, low capability. But the concern is that they’ll buy that capability."
For now, the challenge is to guard against script kiddies, not the kind of outrageously talented "10x developers" Silicon Valley competes for. Better – and basic – cybersecurity practices would harden Western targets that are gratuitously soft today. And the lesson to take from the life, work, and death of Junaid Hussain is that he was a mediocre hacker – and he was a threat because, as a mediocre hacker, he offered the Islamic State an effective role model.
"I don’t recognize the law or its enforcers," he told an interviewer years ago. "I don’t fear 'prison' – at least I’d be blocked from the mad world outside. I’d also be able to focus on myself and practice my religion more. I don’t fear no one except God."
His example will outlive him. Drone strikes don’t stamp out inspiration.
Meg King is the Director of the Digital Futures Project at the Wilson Center.
Grayson Clary is a Research Associate for the Digital Futures Project. Follow him on Twitter @GraysonClary.