Deborah Kobza voices a concern about the potential cyberthreat posed by the terrorist group Islamic State.
"ISIS has over $500 million and has talked about cyber-attacks," Kobza, executive director of the National Health Information Sharing and Analysis Center, said this week at a government-sponsored symposium on safeguarding healthcare information. "It's more critical than ever to come together ... in a trusted public/private partnership to protect the healthcare sector."
Should Kobza be worried? Does ISIS pose a threat to the critical digital assets of the United States and other nations? When asked, a spokesman for the Department of Homeland Security responded: "No comment."
In some respects, ISIS seems to be an ideal candidate among terrorist groups to launch cyber-attacks. The leaders are tech savvy, having mastered social media in recruiting new members from around the globe and publicizing their nefarious deeds, such as the gruesome execution of Western journalists.
"That's why you have to worry; they've mastered the art of technology," says Michael Kugelman, a researcher who's studies ISIS at the Wilson Center, a think tank. "This is not a Luddite group, so to speak. They're very much into technology. They know how to exploit it and know how to do really bad things with it. Yeah, certainly other militant groups can do these things as well, but I think ISIS is the one you really have to worry about because of their embrace of technology for nefarious purposes."
Focus on Grabbing Territory
Still, Kugelman says he highly doubts ISIS would turn to cyber-attacks despite some of its members' tech-savviness. "They don't have hardcore programmer types; they don't have links to state infrastructure that gives them access to more powerful technologies to allow them to commit these types of attacks," he says. "In terms of them not having a desire for this, at the end of day, the members of ISIS are militants, they're not hackers. They're interested in taking over territory and committing attacks and doing terrible things. Fortunately, at this point, this does not extend to resorting to cyber-terror."
A just-issued report by the think tank Bipartisan Policy Center, titled 2014: Jihadist Terrorism and Other Unconventional Threats, raises two question of whether cyber-attacks are the best way for terrorists to achieve their goals:
- Under which scenarios could a cyber-attack cause the kind of terror among the population that terrorists hope to achieve?
- Is a cyber-attack actually the easiest way for terrorists to achieve that goal, or are traditional methods cheaper and more effective?
If terror is among ISIS's chief goals, it's much cheaper - and probably more effective - to frighten people by posting executions on the Internet than trying to take down part of the Internet.
Cybersecurity expert Bruce Schneier expresses skepticism about cyber-terror claims.
Besides, what would be the terrible cyberthreat ISIS would follow through on? The Syrian Electronic Army, a computer hacking group that backs Syrian President Bashar al-Assad, has struck Western government, media and human rights groups with assaults that have defaced some sites and posted false news reports in the guise of tweets from legitimate news organizations. But that's not the same as using Internet know-how to disrupt or destroy critical infrastructure, such as the power grid, that could threaten human life. The ability of ISIS, or, for that matter, any other terrorist group, to do just that is highly doubtful.
"The people who claim it's a threat have to tell us why it's a threat," says cybersecurity expert and author Bruce Schneier, who has studied the human side of security. "Why do we believe it's a threat other than it's a scary word? Do we believe, somehow, that people at ISIS are better than everybody else? They have great research institutions? What is the actual threat?"
No doubt, governments and businesses must defend against disruptive cyber-attacks. But when it comes to ISIS, at least in the short-run, the terrorist threat the group poses is more physical than virtual.
Executive Editor Marianne Kolbasuk McGee contributed to this blog