Islamic State: hacking, rhetoric and responses
28 Aug 2015|

A fortnight ago, a group purporting to be the Islamic State Hacking Division released the names, email addresses, passwords and telephone numbers of almost 1,500 individuals, the majority of whom are reportedly US Defence personnel. The group’s ‘hit list’, which included the personal details of eight Australians, was posted online and accompanied by threats that the information would be used to ‘strike at your necks in your own land’.

Contrary to the common perceptions of the hacking incident, Islamic State (ISIS) hasn’t pulled off a show-stopping display of cyber-strength, and we shouldn’t be reaching for a response. Indeed, a misinformed response to the recent display could inadvertently serve to increase the potency of ISIS’s propaganda.

It’s important to view the hack in the context of ISIS cyber ‘events’ in 2015. This isn’t the first time ISIS has gone after the US Department of Defense—a group of ISIS sympathisers named ‘Cyber Caliphate’ briefly hacked Central Command’s Twitter and YouTube accounts back in January. A previous data dump by the Islamic State Hacking Division also occurred in March when ISIS hackers released the home addresses and photos of 100 US military personnel. Two months later, ‘Cyber Caliphate’ released a video of a hooded figure threatening ‘electronic war’ on the US and Europe.

Such events are granted a reasonably high profile and receive significant attention in media and policy circles. For example, when ASIO Director General Duncan Lewis raised his concerns over ISIS’s use of cyberspace in February, The Daily Telegraph ran the headline ‘Australia Declares Cyber War on Islamic State’s Social Media Propagandists’. Channel Nine also discussed the ‘Cyber Jihad’ and foreshadowed that Australia was set to announce a cyberwar on ISIS. American media exhibited a similar reaction in May in the wake of Cyber Caliphate’s video, with Beltway outlet The Hill running the story ‘ISIS Preps for Cyber War’.

Unsurprisingly, the same pattern is evident in the response to ISIS’s cyber activity the other week. Media outlets have given a lot of oxygen to the issue, with feverish talk focusing on the ‘Australian ‘hit list’’ and Islamic State’s cyber capabilities. The incident was so over-hyped that Australia’s senior ISIS militant, Neil Prakash, boasted on Twitter that ‘cyber war got ‘em shook’. Political leaders have weighed in on the issue, with Prime Minister Tony Abbott deeming the incident proof that ISIS’s cyber capabilities pose a ‘very sophisticated and deadly threat’ to Australia. Dan Tehan, Chair of the Parliamentary Joint Committee on Intelligence and Security, has emphasised the strategic imperative of Australia winning this ‘online war’.

However, it’s important that we develop a realistic understanding of what actually happened in order to avoid overblown rhetoric. This attack was of a low level of sophistication and may have actually involved no hacking at all—inconsistent data structures and presence of duplicates in the ‘hit list’ suggest that the database had been pieced together from different sources. It also seems that the list is comprised mostly of data already available online, simply repackaged and paired with a threatening narrative. Some of the information was already leaked in 2013, while other data had been intentionally made available online by the relevant agencies.

Much of the remaining information was expired or simply falsified. Emails listed don’t match the official military configuration currently in use, and instead resemble an out of date format that hasn’t been used for several years. A Pentagon spokesperson pointed out that the passwords provided would not fulfil the military’s strength requirements—some were only three characters long. (In fact, they wouldn’t even satisfy the security standards of popular webmail services.) In light of these factors, US Army General Ray Odierno affirmed that neither this, nor previous data breaches with similar traits, were authentic.

It appears that ISIS weren’t actually successful in gaining access to sensitive data, so what was the purpose of this dramatic stunt? Possibly to generate fear and project the impression of power and capabilities far beyond what the group actually possesses. In that sense, the Islamic State Hacking Division would probably count their efforts as a job well done. What they lack in cyber capabilities they more than make up for in social manipulation and fear-mongering.

So we should consider the power of rhetoric. Mischaracterisation of an event can contribute to a public narrative that puts pressure on governments to respond in a certain way. Unlike more traditional arenas of conflict, cyberspace isn’t yet governed by entrenched norms of legality and proportionality. The absence of such a toolkit may leave room for the public narrative to guide responses to these new threats in a formative way. As a result, our political leaders and media should be cautious in making statements and cases which lean too heavily on the perceived cyber proficiencies of ISIS and their terrorist brethren.

Overly dramatic labelling has the potential to inflate public perceptions of ISIS’s power and influence, so exacerbating fears and potentially serving as a boost for the organisation. Creating an elevated threat by way of political or media-driven rhetoric serves ISIS’s strategy nicely by lending unwarranted credibility which can be harnessed for recruitment.

In a time of diverse and legitimate cyber threats, it is prudent for all players in the debate to tread carefully when it comes to both public rhetoric and public policy.