On August 28, the United States admitted to carrying out an airstrike, widely reported to have come from a drone, which killed an ISIS hacker by the name of Junaid Hussain. He was killed in Syria four days earlier on August 24. This strike represents the latest escalation in the United States’ evolving response to cyber attacks.
Hussain was primarily engaged in online recruitment and propaganda. He is also alleged to have participated in the hack of the CENTCOM website and Twitter account, as well as posting personal information online about U.S. military personnel and making threats against them.
Though CENTCOM has described Hussain as “very dangerous” and as having “significant technical skills,” other officials have said that was not the case. These officials note that information Hussain posted online about U.S. military personnel was not the result of hacking, but instead, of aggregating openly available information from the Internet. That is, Hussain engaged in what is called “doxing” in the hacker world.
I agree with those officials casting doubt on Hussain’s status as a skilled hacker. Online propaganda, recruiting, and aggregating otherwise freely available information are not hacking. Breaking into a social media account that seems to have been poorly protected hardly qualifies one for elite hacker status.
In short, this hyped victory over an ISIS “hacker” could well be another data point to add to what we are learning about potential bias in CENTCOM intelligence assessments, which critics claim are being altered to paint a more optimistic picture of U.S. effectiveness in the fight against ISIS.
But the strike is also important because it represents a foreseeable escalation in cyber conflict when we allow hyperbolic rhetoric and threat inflation to go unchecked. The conflation of very different types of cyber conflict, from online activism, to crime, to critical infrastructure attacks under the terms “cyber attack,” “cyber terrorism,” or “cyber war,” invites conflict escalation. If we describe such threats in the same terms, then it is more tempting to respond to them in the same ways, even though not all of them may warrant the same level of response.
In general, U.S. rhetoric and responses to cyber attacks has been heating up over the last year. In May 2014, the United States indicted Chinese military officers on charges related to hacking. Over the summer, there was buzz about the OPM hack, which has been blamed on China, being a “cyber 9/11” or “cyber Pearl Harbor.” Even though Director of National Intelligence, General James Clapper, told Congress that this breach was not a “cyberattack,” the Administration has openly contemplated “retaliation” against the Chinese for ongoing hacking of U.S. public and private networks.
But China is not the only nation to have provoked a heightened response from the United States recently. In February, NSA Director, Admiral Michael Rogers, called the 2014 hack of Sony a “cyber Pearl Harbor.” So far, the only response from the United States that we know about has been imposing sanctions on a handful of North Korean officials. But if we were really to take ADM Roger’s rhetoric seriously, it would seem to justify much more severe responses. After all, the real Pearl Harbor pulled the United States into Wold War II.
Some have even called for physical, lethal strikes in response to hacking in the past. In 2011, a U.S. official said that the U.S. response to a serious enough hacking attack could come in the form of a “missile down one of your smokestacks.” Similarly, retired Air Force Lt. Gen. Harry Raduege suggested that if a cyber attack were serious enough, “America’s response could come in the form of a hellfire missile.” In the case of Junaid Hussain, it did.
So, in addition to ongoing questions about the legality and efficacy of such strikes, this case should also spark a debate about appropriate responses to the full range of malicious online activities in which U.S. adversaries might engage. Among the issues that need much more discussion is when a cyber attack warrants a lethal strike in response. Were Hussain’s online activities alone enough to warrant such a response, even if he had not been part of ISIS and located in Syria? At minimum, we need more clarity on what U.S. policy is on this question and a robust debate about what it should be.
- China tells U.S. to stop ‘groundless’ hacking accusations (sundiatapost.com)
- U.S. told to tighten cyber-security against Chinese hackers (itproportal.com)
- Director of Intelligence: ISIS Is Hiding Among The ‘Refugees’ (truthandaction.org)
- U.S. Spy Chief: Get Ready for Everything to be Hacked All the Time (foreignpolicy.com)
- China, U.S. can cooperate on cyber security: Chinese official (thanhniennews.com)
- Here are 4 biggest threats to US cybersecurity (fedcyber.com)
- Ex-NSA director: China has hacked ‘every major corporation’ in U.S. (fedcyber.com)