ISIS Has the Capacity to Strike U.S. Critical Infrastructure

The Islamic State in Iraq and Syria (ISIS) has the organizational capacity to execute a cyber attack that physically disrupts, damages or destroys its opponents’ critical infrastructure assets. Only a well-coordinated and sophisticated cyber attack can evade the United States’ expansive yet vulnerable industrial cyber defenses, but ISIS’s centralized organizational structure, advanced recruitment strategy, and multiple revenue streams render the terrorist network capable of executing such an attack. To defeat the cyber threat posed by ISIS, the United States and its allies must accelerate their advances in Iraq and Syria, recapture ISIS-held territory, and destroy the organization’s centralized hierarchy. Additionally, the coalition must improve coordination with the private sector to strengthen critical infrastructure cyber defenses.U.S. critical infrastructure assets are vulnerable to cyber attacks. The proliferation of low-cost cyber weapons and the frequency at which they target U.S. entities makes it nearly impossible for the United States to repel all cyber threats. Many observers believe the United States is increasingly at risk of cyber intrusions, which could gain access to computer systems that control, for example, power plants or public water systems.The difficulties associated with protecting these assets are exacerbated by critical infrastructure owners and operators. The vast majority of owners and operators are private sector actors, and often they do not follow industry best practices for cyber security. For instance, lax reporting requirements deter owners and operators from reporting breaches, and industrial control systems use mostly commercial-off-the-shelf defenses that many experts find inadequate.1 Furthermore, a December 2015 cyber attack against a Ukrainian power grid that caused a power outage has intensified concerns in the United States about vulnerabilities within its own industrial control systems. Does ISIS have the capacity to exploit these vulnerabilities and physically impact a critical infrastructure asset?ISIS has formed a highly centralized and hierarchical command structure within its occupied territory. ISIS’s centralized framework functions similarly to a nation-state, avoiding coordination pitfalls that decentralized terrorist networks experience. First, ISIS’s forces can conduct face-to-face interactions within their headquarters. This mitigates communication and coordination errors that plague most decentralized networks, and limits the chance that sensitive communiqués will be intercepted. Second, ISIS can use its centralized headquarters to train and evaluate a greater number of skilled operatives. Third, ISIS’s clear hierarchy can streamline decision-making and assuage internal conflict endemic in decentralized networks.2 These attributes give ISIS a state-like organizational capacity to coordinate and execute a complex and sophisticated cyber attack operation.ISIS seems to have taken advantage of its centralized hierarchy to form a cyber attack force. In August 2015, its “Islamic State Hacking Division”3 hacked into the social media accounts of hundreds of U.S. military members. Later in 2015, the group hacked over 54,000 Twitter accounts. Though hacking sites is not nearly as complex as penetrating and manipulating industrial controls, these incidents illustrate ISIS’s capacity to create an organized and capable cyber division within its hierarchy.ISIS also utilizes its centralized hierarchy and online acumen to create high-quality recruiting material. Propaganda is a top priority for ISIS, which has highly capable teams of both al Qaeda media veterans and young recruits well-versed in social media to bait potential fighters into joining the organization. ISIS media groups like the Al-Hayat Media Center have also produced professional-grade videos and advertisements that are often translated into several languages.4 The combination of a professional media team and a structured propagation operation has yielded a high output of propaganda: hundreds of videos in six different languages, daily radio broadcasts, and 2 million Twitter mentions per month. As of December 2015, ISIS had recruited at least 27,000 soldiers to supplement the military that it has drawn from native populations.5 These figures showcase ISIS’s success in using online communications to attract global recruits to fight for a transnational cause.ISIS’s expansive online recruiting strategy has translated to high-skill cyber recruits. Many terrorist experts believe that ISIS’s recruitment has specifically targeted cyber warriors. For example, Junaid Hussain departed Britain in 2013 to become the top cyber expert in the Islamic State Hacking Division. He sharpened the terror group's defenses against Western surveillance, built hacking tools to penetrate computer systems, and even expressed interest in obtaining zero-day exploits (malware) to target previously unknown software vulnerabilities. U.S. and allied defense officials perceived Hussain as such a threat that they killed him in an August 2015 air strike, and have recently targeted other cyber operatives. That Hussain was not just a member, but a leader of the Islamic State Hacking Division suggests he worked with several other skilled recruits to conduct cyber operations. In addition, a Palestinian hacker organization recently pledged allegiance to ISIS’s leader, and ISIS created an online forum to provide followers tools to wage cyber terror campaigns. ISIS, therefore, already has several skilled cyber operatives—though their specific skill sets and capabilities are unclear.ISIS uses territorial control to diversify its revenues stream, and higher levels of funding support sophisticated tactics like cyber attacks. Oil exports are ISIS’s largest revenue source,6 and the organization has raised additional tens of millions of dollars in antiquities trades. Natural gas exports, if at full capacity, could generate some $979M per year.7 Taxes, extortion and asset seizure from a citizenry of 10 million people generate up to $360M per year.8 Other revenue-generating ventures include agriculture; criminal activities (including ransoms); phosphate, cement, and sulfur sales; and (relatively modest) external support. ISIS reported a $2 billion budget for 2015. Though ISIS devotes significant funds to operate its state-like apparatus, it still anticipated a $250 million surplus for war-fighting. At the time of this writing, ISIL has not reported a 2016 budget, but we can assume air strikes against its economic infrastructure (e.g. oil) have significantly diminished its financial capacity. ISIL’s war-fighting surplus has probably subsequently decreased, yet it most likely remains in the hundreds of million of dollars. ISIS needs only to devote a fraction of these funds to purchase increasingly inexpensive cyber weapons.ISIS must maintain its territorial occupation to sustain these diversified revenue streams and adequately fund a year-long cyber attack campaign. However, U.S. strikes against ISIS infrastructure, especially oil and gas facilities, have damaged ISIS’s revenue potential. The Pentagon estimated in January 2016 that air strikes had helped reduce ISIS barrel output per day from 45,000 to 34,000, dropping daily revenues below $1M per day. Further, as of February 2016, U.S.-backed forces have taken 40% of ISIS-controlled territory in Iraq and 20% in Syria, reclaiming economic sources from which ISIS had generated revenue. ISIS’s capacity to fund cyber operations will decrease with further territorial loss.Therefore, the United States must intensify efforts to end ISIS’s territorial occupation in Iraq and Syria, while increasing engagement with private sector actors to bolster industrial control defenses. The less territory ISIS possesses and the less centralized its organization, the less capacity it has to execute a cyber attack against a U.S. critical infrastructure asset. However, the longer the caliphate exists, the larger and more advanced its cyber threat will grow.

1. Clay Wilson, “Botnets, Cybercrime, Cyberterrorims: Vulnerabilities and Policy Issues for Congress,” Congressional Research Service, January 29, 2008, 22.2. Mette Eilstrup-Sangiovanni and Calvert Jones, “Assessing the Dangers of Illicit Networks,” International Security, 33 (2008).3. Also called the “Cyber Caliphate.”4. Jared Cohen, “Digital Counterinsurgency,” Foreign Affairs, 94 (2015): 53; Christina Schori Liang, “Cyber Jihad: Understanding and Countering Islamic State Propaganda,” Geneva Centre for Security Policy (February 2015): 5-6.5. “Foreign Fighters: An Updated Assessment of the Flow of Foreign Fighters into Syria and Iraq,” The Soufan Group (December 2015): 4.6. Jean-Charles Brisard and Damien Martinez, “Islamic State: The Economy-Based Terrorist Funding,” Thomas Reuter (October 2014): 7.7. Ibid., 8.8. Carla A. Humud, “Islamic State Financing and U.S. Policy Approaches,” Congressional Research Service (April 10, 2015): 6-7